Building the precomputed table for RSA signing is less efficient than before, for non-x86_64

[briansmith]

In this code in the non-x86_64 elem_exp_consttime_inner:

for i in 2..TABLE_ENTRIES {
        let (src1, src2) = if i % 2 == 0 {
            (i / 2, i / 2)
        } else {
            (i - 1, 1)
        };
        let (previous, rest) = table.split_at_mut(num_limbs * i);
        let src1 = entry(previous, src1, num_limbs);
        let src2 = entry(previous, src2, num_limbs);
        let dst = entry_mut(rest, 0, num_limbs);
        limbs_mul_mont((dst, src1, src2), m.limbs(), m.n0(), m.cpu_features())?;
    }

we are relying on limbs_mul_mont doing a squaring if src1 aliases src2. This is how it used to work, but now we only do the squaring optimization when we using the squaring function. We should rewrite this code to do the squaring optimization. See how the x86_64 implementation does it.