`rem_wide_vartime()` issues

[fjarri]

Two problems discovered trying to run crypto-primes test suite with the newest crypto-bigint. Introduced in #608. Still investigating, but maybe @andrewwhitehead will know better since he's more familiar with the algorithm.

    #[test]
    fn div_limb_regression() {
        let x =  crate::U128::from_be_hex("00000000000000010000000000000001");
        let hi = crate::U128::from_be_hex("00000000000000000000000000000001");
        let lo = crate::U128::from_be_hex("00000000000000000000000000000001");

        // Triggers a debug assertion in div_limb.rs
        let _actual = Uint::rem_wide_vartime((lo, hi), &NonZero::new(x).unwrap());
    }

    #[test]
    fn monty_regression() {
        let x = U256::from_be_hex("0000000000000000000000010000000000000000000000000000000000000001");
        let hi = U256::from_be_hex("0000000000000000000000000000000000000000000000000000000000000001");
        let lo = U256::from_be_hex("0000000000000000000000000000000000000000000000000000000000000001");

        let expected = Uint::from_be_hex("000000000000000000000000FFFFFFFFFFFFFFFF000000000000000000000002");
        let actual = Uint::rem_wide_vartime((lo, hi), &NonZero::new(x).unwrap());
        // `actual` is 0x7FFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF000000000000000000000002

        assert_eq!(actual, expected);
    }

[andrewwhitehead]

Ah, I'll look at that tonight or tomorrow. I imagine it's the high word of the dividend not being smaller than the divisor word, which I hadn't been able to reproduce.

[tarcieri]

That could probably use a proptest as well