2 # Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
19 # "Teaser" Montgomery multiplication module for PowerPC. It's possible
20 # to gain a bit more by modulo-scheduling outer loop, then dedicated
21 # squaring procedure should give further 20% and code can be adapted
22 # for 32-bit application running on 64-bit CPU. As for the latter.
23 # It won't be able to achieve "native" 64-bit performance, because in
24 # 32-bit application context every addc instruction will have to be
25 # expanded as addc, twice right shift by 32 and finally adde, etc.
26 # So far RSA *sign* performance improvement over pre-bn_mul_mont asm
27 # for 64-bit application running on PPC970/G5 is:
36 # Add multiplication procedure operating on lengths divisible by 4
37 # and squaring procedure operating on lengths divisible by 8. Length
38 # is expressed in number of limbs. RSA private key operations are
39 # ~35-50% faster (more for longer keys) on contemporary high-end POWER
40 # processors in 64-bit builds, [mysteriously enough] more in 32-bit
41 # builds. On low-end 32-bit processors performance improvement turned
46 if ($flavour =~ /32/) {
53 $LDU= "lwzu"; # load and update
54 $LDX= "lwzx"; # load indexed
56 $STU= "stwu"; # store and update
57 $STX= "stwx"; # store indexed
58 $STUX= "stwux"; # store indexed and update
59 $UMULL= "mullw"; # unsigned multiply low
60 $UMULH= "mulhwu"; # unsigned multiply high
61 $UCMP= "cmplw"; # unsigned compare
62 $SHRI= "srwi"; # unsigned shift right by immediate
63 $SHLI= "slwi"; # unsigned shift left by immediate
66 } elsif ($flavour =~ /64/) {
72 # same as above, but 64-bit mnemonics...
74 $LDU= "ldu"; # load and update
75 $LDX= "ldx"; # load indexed
77 $STU= "stdu"; # store and update
78 $STX= "stdx"; # store indexed
79 $STUX= "stdux"; # store indexed and update
80 $UMULL= "mulld"; # unsigned multiply low
81 $UMULH= "mulhdu"; # unsigned multiply high
82 $UCMP= "cmpld"; # unsigned compare
83 $SHRI= "srdi"; # unsigned shift right by immediate
84 $SHLI= "sldi"; # unsigned shift left by immediate
87 } else { die "nonsense $flavour"; }
89 $FRAME=8*$SIZE_T+$RZONE;
92 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
93 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
94 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
95 die "can't locate ppc-xlate.pl";
97 open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
110 my $rp="r9"; # $rp is reassigned
114 # non-volatile registers
134 .globl .bn_mul_mont_int
137 mr $rp,r3 ; $rp is reassigned
140 $code.=<<___ if ($BNSZ==4);
141 cmpwi $num,32 ; longer key performance is not better
145 slwi $num,$num,`log($BNSZ)/log(2)`
147 addi $ovf,$num,$FRAME
148 subf $ovf,$ovf,$sp ; $sp-$ovf
149 and $ovf,$ovf,$tj ; minimize TLB usage
150 subf $ovf,$sp,$ovf ; $ovf-$sp
152 srwi $num,$num,`log($BNSZ)/log(2)`
155 $PUSH r20,`-12*$SIZE_T`($tj)
156 $PUSH r21,`-11*$SIZE_T`($tj)
157 $PUSH r22,`-10*$SIZE_T`($tj)
158 $PUSH r23,`-9*$SIZE_T`($tj)
159 $PUSH r24,`-8*$SIZE_T`($tj)
160 $PUSH r25,`-7*$SIZE_T`($tj)
161 $PUSH r26,`-6*$SIZE_T`($tj)
162 $PUSH r27,`-5*$SIZE_T`($tj)
163 $PUSH r28,`-4*$SIZE_T`($tj)
164 $PUSH r29,`-3*$SIZE_T`($tj)
165 $PUSH r30,`-2*$SIZE_T`($tj)
166 $PUSH r31,`-1*$SIZE_T`($tj)
168 $LD $n0,0($n0) ; pull n0[0] value
169 addi $num,$num,-2 ; adjust $num for counter register
171 $LD $m0,0($bp) ; m0=bp[0]
172 $LD $aj,0($ap) ; ap[0]
174 $UMULL $lo0,$aj,$m0 ; ap[0]*bp[0]
177 $LD $aj,$BNSZ($ap) ; ap[1]
178 $LD $nj,0($np) ; np[0]
180 $UMULL $m1,$lo0,$n0 ; "tp[0]"*n0
182 $UMULL $alo,$aj,$m0 ; ap[1]*bp[0]
185 $UMULL $lo1,$nj,$m1 ; np[0]*m1
187 $LD $nj,$BNSZ($np) ; np[1]
191 $UMULL $nlo,$nj,$m1 ; np[1]*m1
198 $LDX $aj,$ap,$j ; ap[j]
200 $LDX $nj,$np,$j ; np[j]
202 $UMULL $alo,$aj,$m0 ; ap[j]*bp[0]
206 $UMULL $nlo,$nj,$m1 ; np[j]*m1
207 addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[0]
210 $ST $lo1,0($tp) ; tp[j-1]
212 addi $j,$j,$BNSZ ; j++
213 addi $tp,$tp,$BNSZ ; tp++
221 addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[0]
223 $ST $lo1,0($tp) ; tp[j-1]
227 addze $ovf,$ovf ; upmost overflow bit
233 $LDX $m0,$bp,$i ; m0=bp[i]
234 $LD $aj,0($ap) ; ap[0]
236 $LD $tj,$LOCALS($sp); tp[0]
237 $UMULL $lo0,$aj,$m0 ; ap[0]*bp[i]
239 $LD $aj,$BNSZ($ap) ; ap[1]
240 $LD $nj,0($np) ; np[0]
241 addc $lo0,$lo0,$tj ; ap[0]*bp[i]+tp[0]
242 $UMULL $alo,$aj,$m0 ; ap[j]*bp[i]
244 $UMULL $m1,$lo0,$n0 ; tp[0]*n0
246 $UMULL $lo1,$nj,$m1 ; np[0]*m1
248 $LD $nj,$BNSZ($np) ; np[1]
250 $UMULL $nlo,$nj,$m1 ; np[1]*m1
258 $LDX $aj,$ap,$j ; ap[j]
260 $LD $tj,$BNSZ($tp) ; tp[j]
262 $LDX $nj,$np,$j ; np[j]
264 $UMULL $alo,$aj,$m0 ; ap[j]*bp[i]
267 addc $lo0,$lo0,$tj ; ap[j]*bp[i]+tp[j]
268 $UMULL $nlo,$nj,$m1 ; np[j]*m1
271 addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[i]+tp[j]
272 addi $j,$j,$BNSZ ; j++
274 $ST $lo1,0($tp) ; tp[j-1]
275 addi $tp,$tp,$BNSZ ; tp++
278 $LD $tj,$BNSZ($tp) ; tp[j]
281 addc $lo0,$lo0,$tj ; ap[j]*bp[i]+tp[j]
286 addc $lo1,$lo1,$lo0 ; np[j]*m1+ap[j]*bp[i]+tp[j]
288 $ST $lo1,0($tp) ; tp[j-1]
290 addic $ovf,$ovf,-1 ; move upmost overflow to XER[CA]
296 slwi $tj,$num,`log($BNSZ)/log(2)`
301 addi $num,$num,2 ; restore $num
302 subfc $j,$j,$j ; j=0 and "clear" XER[CA]
307 Lsub: $LDX $tj,$tp,$j
309 subfe $aj,$nj,$tj ; tp[j]-np[j]
316 subfe $ovf,$j,$ovf ; handle upmost overflow bit
319 Lcopy: ; conditional copy
324 $STX $j,$tp,$j ; zap at once
332 $POP r20,`-12*$SIZE_T`($tj)
333 $POP r21,`-11*$SIZE_T`($tj)
334 $POP r22,`-10*$SIZE_T`($tj)
335 $POP r23,`-9*$SIZE_T`($tj)
336 $POP r24,`-8*$SIZE_T`($tj)
337 $POP r25,`-7*$SIZE_T`($tj)
338 $POP r26,`-6*$SIZE_T`($tj)
339 $POP r27,`-5*$SIZE_T`($tj)
340 $POP r28,`-4*$SIZE_T`($tj)
341 $POP r29,`-3*$SIZE_T`($tj)
342 $POP r30,`-2*$SIZE_T`($tj)
343 $POP r31,`-1*$SIZE_T`($tj)
347 .byte 0,12,4,0,0x80,12,6,0
349 .size .bn_mul_mont_int,.-.bn_mul_mont_int
356 $acc0,$acc1,$acc2,$acc3,$acc4,
357 $bi,$mi,$tp,$ap_end,$cnt) = map("r$_",(9..12,14..31));
358 my ($carry,$zero) = ($rp,"r0");
360 # sp----------->+-------------------------------+
362 # +-------------------------------+
364 # +8*size_t +-------------------------------+
368 # +12*size_t +-------------------------------+
369 # | size_t tmp[num] |
373 # +-------------------------------+
376 # -18*size_t +-------------------------------+
377 # | 18 saved gpr, r14-r31 |
380 # +-------------------------------+
382 .globl .bn_mul4x_mont_int
391 slwi $num,$num,`log($SIZE_T)/log(2)`
395 $STUX $sp,$sp,$a1 # alloca
397 $PUSH r14,-$SIZE_T*18($a0)
398 $PUSH r15,-$SIZE_T*17($a0)
399 $PUSH r16,-$SIZE_T*16($a0)
400 $PUSH r17,-$SIZE_T*15($a0)
401 $PUSH r18,-$SIZE_T*14($a0)
402 $PUSH r19,-$SIZE_T*13($a0)
403 $PUSH r20,-$SIZE_T*12($a0)
404 $PUSH r21,-$SIZE_T*11($a0)
405 $PUSH r22,-$SIZE_T*10($a0)
406 $PUSH r23,-$SIZE_T*9($a0)
407 $PUSH r24,-$SIZE_T*8($a0)
408 $PUSH r25,-$SIZE_T*7($a0)
409 $PUSH r26,-$SIZE_T*6($a0)
410 $PUSH r27,-$SIZE_T*5($a0)
411 $PUSH r28,-$SIZE_T*4($a0)
412 $PUSH r29,-$SIZE_T*3($a0)
413 $PUSH r30,-$SIZE_T*2($a0)
414 $PUSH r31,-$SIZE_T*1($a0)
416 subi $ap,$ap,$SIZE_T # bias by -1
417 subi $np,$np,$SIZE_T # bias by -1
418 subi $rp,$rp,$SIZE_T # bias by -1
423 subi $t0,$t0,$SIZE_T*4 # &b[num-4]
425 $LD $bi,$SIZE_T*0($bp) # b[0]
427 $LD $a0,$SIZE_T*1($ap) # a[0..3]
429 $LD $a1,$SIZE_T*2($ap)
431 $LD $a2,$SIZE_T*3($ap)
433 $LDU $a3,$SIZE_T*4($ap)
434 $LD $m0,$SIZE_T*1($np) # n[0..3]
435 $LD $m1,$SIZE_T*2($np)
436 $LD $m2,$SIZE_T*3($np)
437 $LDU $m3,$SIZE_T*4($np)
439 $PUSH $rp,$SIZE_T*6($sp) # offload rp and &b[num-4]
440 $PUSH $t0,$SIZE_T*7($sp)
442 addic $tp,$sp,$SIZE_T*7 # &t[-1], clear carry bit
445 b .Loop_mul4x_1st_reduction
448 .Loop_mul4x_1st_reduction:
449 $UMULL $t0,$a0,$bi # lo(a[0..3]*b[0])
450 addze $carry,$carry # modulo-scheduled
452 addi $cnt,$cnt,$SIZE_T
454 andi. $cnt,$cnt,$SIZE_T*4-1
457 $UMULH $t0,$a0,$bi # hi(a[0..3]*b[0])
461 $UMULL $mi,$acc0,$n0 # t[0]*n0
466 $LDX $bi,$bp,$cnt # next b[i] (or b[0])
468 # (*) mul $t0,$m0,$mi # lo(n[0..3]*t[0]*n0)
469 $STU $mi,$SIZE_T($tp) # put aside t[0]*n0 for tail processing
474 adde $acc4,$acc4,$t3 # can't overflow
476 # (*) addc $acc0,$acc0,$t0
477 # (*) As for removal of first multiplication and addition
478 # instructions. The outcome of first addition is
479 # guaranteed to be zero, which leaves two computationally
480 # significant outcomes: it either carries or not. Then
481 # question is when does it carry? Is there alternative
482 # way to deduce it? If you follow operations, you can
483 # observe that condition for carry is quite simple:
484 # $acc0 being non-zero. So that carry can be calculated
485 # by adding -1 to $acc0. That's what next instruction does.
486 addic $acc0,$acc0,-1 # (*), discarded
487 $UMULH $t0,$m0,$mi # hi(n[0..3]*t[0]*n0)
494 adde $acc3,$acc4,$carry
501 bne .Loop_mul4x_1st_reduction
504 beq .Lmul4x4_post_condition
506 $LD $a0,$SIZE_T*1($ap) # a[4..7]
507 $LD $a1,$SIZE_T*2($ap)
508 $LD $a2,$SIZE_T*3($ap)
509 $LDU $a3,$SIZE_T*4($ap)
510 $LD $mi,$SIZE_T*8($sp) # a[0]*n0
511 $LD $m0,$SIZE_T*1($np) # n[4..7]
512 $LD $m1,$SIZE_T*2($np)
513 $LD $m2,$SIZE_T*3($np)
514 $LDU $m3,$SIZE_T*4($np)
515 b .Loop_mul4x_1st_tail
518 .Loop_mul4x_1st_tail:
519 $UMULL $t0,$a0,$bi # lo(a[4..7]*b[i])
520 addze $carry,$carry # modulo-scheduled
522 addi $cnt,$cnt,$SIZE_T
524 andi. $cnt,$cnt,$SIZE_T*4-1
527 $UMULH $t0,$a0,$bi # hi(a[4..7]*b[i])
535 $LDX $bi,$bp,$cnt # next b[i] (or b[0])
537 $UMULL $t0,$m0,$mi # lo(n[4..7]*a[0]*n0)
542 adde $acc4,$acc4,$t3 # can't overflow
545 $UMULH $t0,$m0,$mi # hi(n[4..7]*a[0]*n0)
551 adde $acc4,$acc4,$carry
554 addi $mi,$sp,$SIZE_T*8
555 $LDX $mi,$mi,$cnt # next t[0]*n0
556 $STU $acc0,$SIZE_T($tp) # word of result
562 bne .Loop_mul4x_1st_tail
564 sub $t1,$ap_end,$num # rewinded $ap
565 $UCMP $ap_end,$ap # done yet?
568 $LD $a0,$SIZE_T*1($ap)
569 $LD $a1,$SIZE_T*2($ap)
570 $LD $a2,$SIZE_T*3($ap)
571 $LDU $a3,$SIZE_T*4($ap)
572 $LD $m0,$SIZE_T*1($np)
573 $LD $m1,$SIZE_T*2($np)
574 $LD $m2,$SIZE_T*3($np)
575 $LDU $m3,$SIZE_T*4($np)
576 b .Loop_mul4x_1st_tail
580 $LDU $bi,$SIZE_T*4($bp) # *++b
581 addze $carry,$carry # topmost carry
582 $LD $a0,$SIZE_T*1($t1)
583 $LD $a1,$SIZE_T*2($t1)
584 $LD $a2,$SIZE_T*3($t1)
585 $LD $a3,$SIZE_T*4($t1)
586 addi $ap,$t1,$SIZE_T*4
587 sub $np,$np,$num # rewind np
589 $ST $acc0,$SIZE_T*1($tp) # result
590 $ST $acc1,$SIZE_T*2($tp)
591 $ST $acc2,$SIZE_T*3($tp)
592 $ST $acc3,$SIZE_T*4($tp)
593 $ST $carry,$SIZE_T*5($tp) # save topmost carry
594 $LD $acc0,$SIZE_T*12($sp) # t[0..3]
595 $LD $acc1,$SIZE_T*13($sp)
596 $LD $acc2,$SIZE_T*14($sp)
597 $LD $acc3,$SIZE_T*15($sp)
599 $LD $m0,$SIZE_T*1($np) # n[0..3]
600 $LD $m1,$SIZE_T*2($np)
601 $LD $m2,$SIZE_T*3($np)
602 $LDU $m3,$SIZE_T*4($np)
603 addic $tp,$sp,$SIZE_T*7 # &t[-1], clear carry bit
605 b .Loop_mul4x_reduction
608 .Loop_mul4x_reduction:
609 $UMULL $t0,$a0,$bi # lo(a[0..3]*b[4])
610 addze $carry,$carry # modulo-scheduled
612 addi $cnt,$cnt,$SIZE_T
614 andi. $cnt,$cnt,$SIZE_T*4-1
617 $UMULH $t0,$a0,$bi # hi(a[0..3]*b[4])
621 $UMULL $mi,$acc0,$n0 # t[0]*n0
626 $LDX $bi,$bp,$cnt # next b[i]
628 # (*) mul $t0,$m0,$mi
629 $STU $mi,$SIZE_T($tp) # put aside t[0]*n0 for tail processing
631 $UMULL $t1,$m1,$mi # lo(n[0..3]*t[0]*n0
634 adde $acc4,$acc4,$t3 # can't overflow
636 # (*) addc $acc0,$acc0,$t0
637 addic $acc0,$acc0,-1 # (*), discarded
638 $UMULH $t0,$m0,$mi # hi(n[0..3]*t[0]*n0
645 adde $acc3,$acc4,$carry
652 bne .Loop_mul4x_reduction
654 $LD $t0,$SIZE_T*5($tp) # t[4..7]
656 $LD $t1,$SIZE_T*6($tp)
657 $LD $t2,$SIZE_T*7($tp)
658 $LD $t3,$SIZE_T*8($tp)
659 $LD $a0,$SIZE_T*1($ap) # a[4..7]
660 $LD $a1,$SIZE_T*2($ap)
661 $LD $a2,$SIZE_T*3($ap)
662 $LDU $a3,$SIZE_T*4($ap)
669 $LD $mi,$SIZE_T*8($sp) # t[0]*n0
670 $LD $m0,$SIZE_T*1($np) # n[4..7]
671 $LD $m1,$SIZE_T*2($np)
672 $LD $m2,$SIZE_T*3($np)
673 $LDU $m3,$SIZE_T*4($np)
678 $UMULL $t0,$a0,$bi # lo(a[4..7]*b[4])
679 addze $carry,$carry # modulo-scheduled
681 addi $cnt,$cnt,$SIZE_T
683 andi. $cnt,$cnt,$SIZE_T*4-1
686 $UMULH $t0,$a0,$bi # hi(a[4..7]*b[4])
694 $LDX $bi,$bp,$cnt # next b[i]
696 $UMULL $t0,$m0,$mi # lo(n[4..7]*t[0]*n0)
701 adde $acc4,$acc4,$t3 # can't overflow
704 $UMULH $t0,$m0,$mi # hi(n[4..7]*t[0]*n0)
711 adde $acc4,$acc4,$carry
712 addi $mi,$sp,$SIZE_T*8
713 $LDX $mi,$mi,$cnt # next a[0]*n0
715 $STU $acc0,$SIZE_T($tp) # word of result
723 $LD $t0,$SIZE_T*5($tp) # next t[i] or topmost carry
724 sub $t1,$np,$num # rewinded np?
726 $UCMP $ap_end,$ap # done yet?
727 beq .Loop_mul4x_break
729 $LD $t1,$SIZE_T*6($tp)
730 $LD $t2,$SIZE_T*7($tp)
731 $LD $t3,$SIZE_T*8($tp)
732 $LD $a0,$SIZE_T*1($ap)
733 $LD $a1,$SIZE_T*2($ap)
734 $LD $a2,$SIZE_T*3($ap)
735 $LDU $a3,$SIZE_T*4($ap)
742 $LD $m0,$SIZE_T*1($np) # n[4..7]
743 $LD $m1,$SIZE_T*2($np)
744 $LD $m2,$SIZE_T*3($np)
745 $LDU $m3,$SIZE_T*4($np)
750 $POP $t2,$SIZE_T*6($sp) # pull rp and &b[num-4]
751 $POP $t3,$SIZE_T*7($sp)
752 addc $a0,$acc0,$t0 # accumulate topmost carry
753 $LD $acc0,$SIZE_T*12($sp) # t[0..3]
755 $LD $acc1,$SIZE_T*13($sp)
757 $LD $acc2,$SIZE_T*14($sp)
759 $LD $acc3,$SIZE_T*15($sp)
760 addze $carry,$carry # topmost carry
761 $ST $a0,$SIZE_T*1($tp) # result
762 sub $ap,$ap_end,$num # rewind ap
763 $ST $a1,$SIZE_T*2($tp)
764 $ST $a2,$SIZE_T*3($tp)
765 $ST $a3,$SIZE_T*4($tp)
766 $ST $carry,$SIZE_T*5($tp) # store topmost carry
768 $LD $m0,$SIZE_T*1($t1) # n[0..3]
769 $LD $m1,$SIZE_T*2($t1)
770 $LD $m2,$SIZE_T*3($t1)
771 $LD $m3,$SIZE_T*4($t1)
772 addi $np,$t1,$SIZE_T*4
773 $UCMP $bp,$t3 # done yet?
776 $LDU $bi,$SIZE_T*4($bp)
777 $LD $a0,$SIZE_T*1($ap) # a[0..3]
778 $LD $a1,$SIZE_T*2($ap)
779 $LD $a2,$SIZE_T*3($ap)
780 $LDU $a3,$SIZE_T*4($ap)
782 addic $tp,$sp,$SIZE_T*7 # &t[-1], clear carry bit
783 b .Loop_mul4x_reduction
787 # Final step. We see if result is larger than modulus, and
788 # if it is, subtract the modulus. But comparison implies
789 # subtraction. So we subtract modulus, see if it borrowed,
790 # and conditionally copy original value.
791 srwi $cnt,$num,`log($SIZE_T)/log(2)+2`
794 mr $ap_end,$t2 # &rp[-1] copy
796 addi $tp,$sp,$SIZE_T*15
801 $LD $m0,$SIZE_T*1($np)
802 $LD $acc0,$SIZE_T*1($tp)
804 $LD $m1,$SIZE_T*2($np)
805 $LD $acc1,$SIZE_T*2($tp)
807 $LD $m2,$SIZE_T*3($np)
808 $LD $acc2,$SIZE_T*3($tp)
809 $LDU $m3,$SIZE_T*4($np)
810 $LDU $acc3,$SIZE_T*4($tp)
811 $ST $t0,$SIZE_T*1($bp)
812 $ST $t1,$SIZE_T*2($bp)
814 $ST $t2,$SIZE_T*3($bp)
815 $STU $t3,$SIZE_T*4($bp)
819 $LD $a0,$SIZE_T*1($ap_end)
820 $ST $t0,$SIZE_T*1($bp)
821 $LD $t0,$SIZE_T*12($sp)
823 $LD $a1,$SIZE_T*2($ap_end)
824 $ST $t1,$SIZE_T*2($bp)
825 $LD $t1,$SIZE_T*13($sp)
827 subfe $carry,$zero,$carry # did it borrow?
828 addi $tp,$sp,$SIZE_T*12
829 $LD $a2,$SIZE_T*3($ap_end)
830 $ST $t2,$SIZE_T*3($bp)
831 $LD $t2,$SIZE_T*14($sp)
832 $LD $a3,$SIZE_T*4($ap_end)
833 $ST $t3,$SIZE_T*4($bp)
834 $LD $t3,$SIZE_T*15($sp)
840 $ST $zero,$SIZE_T*0($tp) # wipe stack clean
843 $ST $zero,$SIZE_T*1($tp)
846 $ST $zero,$SIZE_T*2($tp)
849 $ST $zero,$SIZE_T*3($tp)
851 $LD $a0,$SIZE_T*5($ap_end)
852 $LD $t0,$SIZE_T*4($tp)
854 $LD $a1,$SIZE_T*6($ap_end)
855 $LD $t1,$SIZE_T*5($tp)
857 $LD $a2,$SIZE_T*7($ap_end)
858 $LD $t2,$SIZE_T*6($tp)
860 $LD $a3,$SIZE_T*8($ap_end)
861 $LD $t3,$SIZE_T*7($tp)
862 addi $tp,$tp,$SIZE_T*4
863 $ST $acc0,$SIZE_T*1($ap_end)
864 $ST $acc1,$SIZE_T*2($ap_end)
865 $ST $acc2,$SIZE_T*3($ap_end)
866 $STU $acc3,$SIZE_T*4($ap_end)
867 bdnz .Lmul4x_cond_copy
869 $POP $bp,0($sp) # pull saved sp
872 $ST $zero,$SIZE_T*0($tp)
875 $ST $zero,$SIZE_T*1($tp)
878 $ST $zero,$SIZE_T*2($tp)
881 $ST $zero,$SIZE_T*3($tp)
884 $ST $zero,$SIZE_T*4($tp)
887 $ST $acc0,$SIZE_T*1($ap_end)
888 $ST $acc1,$SIZE_T*2($ap_end)
889 $ST $acc2,$SIZE_T*3($ap_end)
890 $ST $acc3,$SIZE_T*4($ap_end)
895 .Lmul4x4_post_condition:
896 $POP $ap,$SIZE_T*6($sp) # pull &rp[-1]
897 $POP $bp,0($sp) # pull saved sp
898 addze $carry,$carry # modulo-scheduled
899 # $acc0-3,$carry hold result, $m0-3 hold modulus
904 subfe $carry,$zero,$carry # did it borrow?
915 $ST $a0,$SIZE_T*1($ap) # write result
916 $ST $a1,$SIZE_T*2($ap)
917 $ST $a2,$SIZE_T*3($ap)
918 $ST $a3,$SIZE_T*4($ap)
921 $ST $zero,$SIZE_T*8($sp) # wipe stack clean
922 $ST $zero,$SIZE_T*9($sp)
923 $ST $zero,$SIZE_T*10($sp)
924 $ST $zero,$SIZE_T*11($sp)
925 li r3,1 # signal "done"
926 $POP r14,-$SIZE_T*18($bp)
927 $POP r15,-$SIZE_T*17($bp)
928 $POP r16,-$SIZE_T*16($bp)
929 $POP r17,-$SIZE_T*15($bp)
930 $POP r18,-$SIZE_T*14($bp)
931 $POP r19,-$SIZE_T*13($bp)
932 $POP r20,-$SIZE_T*12($bp)
933 $POP r21,-$SIZE_T*11($bp)
934 $POP r22,-$SIZE_T*10($bp)
935 $POP r23,-$SIZE_T*9($bp)
936 $POP r24,-$SIZE_T*8($bp)
937 $POP r25,-$SIZE_T*7($bp)
938 $POP r26,-$SIZE_T*6($bp)
939 $POP r27,-$SIZE_T*5($bp)
940 $POP r28,-$SIZE_T*4($bp)
941 $POP r29,-$SIZE_T*3($bp)
942 $POP r30,-$SIZE_T*2($bp)
943 $POP r31,-$SIZE_T*1($bp)
947 .byte 0,12,4,0x20,0x80,18,6,0
949 .size .bn_mul4x_mont_int,.-.bn_mul4x_mont_int
954 ########################################################################
955 # Following is PPC adaptation of sqrx8x_mont from x86_64-mont5 module.
957 my ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("r$_",(9..12,14..17));
958 my ($t0,$t1,$t2,$t3)=map("r$_",(18..21));
959 my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5,$acc6,$acc7)=map("r$_",(22..29));
960 my ($cnt,$carry,$zero)=("r30","r31","r0");
961 my ($tp,$ap_end,$na0)=($bp,$np,$carry);
963 # sp----------->+-------------------------------+
965 # +-------------------------------+
967 # +12*size_t +-------------------------------+
968 # | size_t tmp[2*num] |
972 # +-------------------------------+
974 # -18*size_t +-------------------------------+
975 # | 18 saved gpr, r14-r31 |
978 # +-------------------------------+
984 slwi $a1,$num,`log($SIZE_T)/log(2)+1`
987 slwi $num,$num,`log($SIZE_T)/log(2)`
988 $STUX $sp,$sp,$a1 # alloca
990 $PUSH r14,-$SIZE_T*18($a0)
991 $PUSH r15,-$SIZE_T*17($a0)
992 $PUSH r16,-$SIZE_T*16($a0)
993 $PUSH r17,-$SIZE_T*15($a0)
994 $PUSH r18,-$SIZE_T*14($a0)
995 $PUSH r19,-$SIZE_T*13($a0)
996 $PUSH r20,-$SIZE_T*12($a0)
997 $PUSH r21,-$SIZE_T*11($a0)
998 $PUSH r22,-$SIZE_T*10($a0)
999 $PUSH r23,-$SIZE_T*9($a0)
1000 $PUSH r24,-$SIZE_T*8($a0)
1001 $PUSH r25,-$SIZE_T*7($a0)
1002 $PUSH r26,-$SIZE_T*6($a0)
1003 $PUSH r27,-$SIZE_T*5($a0)
1004 $PUSH r28,-$SIZE_T*4($a0)
1005 $PUSH r29,-$SIZE_T*3($a0)
1006 $PUSH r30,-$SIZE_T*2($a0)
1007 $PUSH r31,-$SIZE_T*1($a0)
1009 subi $ap,$ap,$SIZE_T # bias by -1
1010 subi $t0,$np,$SIZE_T # bias by -1
1011 subi $rp,$rp,$SIZE_T # bias by -1
1012 $LD $n0,0($n0) # *n0
1015 add $ap_end,$ap,$num
1016 $LD $a0,$SIZE_T*1($ap)
1018 $LD $a1,$SIZE_T*2($ap)
1020 $LD $a2,$SIZE_T*3($ap)
1022 $LD $a3,$SIZE_T*4($ap)
1024 $LD $a4,$SIZE_T*5($ap)
1026 $LD $a5,$SIZE_T*6($ap)
1028 $LD $a6,$SIZE_T*7($ap)
1030 $LDU $a7,$SIZE_T*8($ap)
1033 addi $tp,$sp,$SIZE_T*11 # &tp[-1]
1034 subic. $cnt,$num,$SIZE_T*8
1035 b .Lsqr8x_zero_start
1039 subic. $cnt,$cnt,$SIZE_T*8
1040 $ST $zero,$SIZE_T*1($tp)
1041 $ST $zero,$SIZE_T*2($tp)
1042 $ST $zero,$SIZE_T*3($tp)
1043 $ST $zero,$SIZE_T*4($tp)
1044 $ST $zero,$SIZE_T*5($tp)
1045 $ST $zero,$SIZE_T*6($tp)
1046 $ST $zero,$SIZE_T*7($tp)
1047 $ST $zero,$SIZE_T*8($tp)
1049 $ST $zero,$SIZE_T*9($tp)
1050 $ST $zero,$SIZE_T*10($tp)
1051 $ST $zero,$SIZE_T*11($tp)
1052 $ST $zero,$SIZE_T*12($tp)
1053 $ST $zero,$SIZE_T*13($tp)
1054 $ST $zero,$SIZE_T*14($tp)
1055 $ST $zero,$SIZE_T*15($tp)
1056 $STU $zero,$SIZE_T*16($tp)
1059 $PUSH $rp,$SIZE_T*6($sp) # offload &rp[-1]
1060 $PUSH $t0,$SIZE_T*7($sp) # offload &np[-1]
1061 $PUSH $n0,$SIZE_T*8($sp) # offload n0
1062 $PUSH $tp,$SIZE_T*9($sp) # &tp[2*num-1]
1063 $PUSH $zero,$SIZE_T*10($sp) # initial top-most carry
1064 addi $tp,$sp,$SIZE_T*11 # &tp[-1]
1066 # Multiply everything but a[i]*a[i]
1098 $UMULL $t0,$a1,$a0 # lo(a[1..7]*a[0]) (i)
1102 addc $acc1,$acc1,$t0 # t[1]+lo(a[1]*a[0])
1104 adde $acc2,$acc2,$t1
1106 adde $acc3,$acc3,$t2
1108 adde $acc4,$acc4,$t3
1109 $UMULH $t3,$a1,$a0 # hi(a[1..7]*a[0])
1110 adde $acc5,$acc5,$t0
1112 adde $acc6,$acc6,$t1
1114 adde $acc7,$acc7,$t2
1116 $ST $acc0,$SIZE_T*1($tp) # t[0]
1117 addze $acc0,$zero # t[8]
1118 $ST $acc1,$SIZE_T*2($tp) # t[1]
1119 addc $acc2,$acc2,$t3 # t[2]+lo(a[1]*a[0])
1121 adde $acc3,$acc3,$t0
1123 adde $acc4,$acc4,$t1
1125 adde $acc5,$acc5,$t2
1126 $UMULL $t2,$a2,$a1 # lo(a[2..7]*a[1]) (ii)
1127 adde $acc6,$acc6,$t3
1129 adde $acc7,$acc7,$t0
1131 adde $acc0,$acc0,$t1
1134 addc $acc3,$acc3,$t2
1136 adde $acc4,$acc4,$t3
1138 adde $acc5,$acc5,$t0
1139 $UMULH $t0,$a2,$a1 # hi(a[2..7]*a[1])
1140 adde $acc6,$acc6,$t1
1142 adde $acc7,$acc7,$t2
1144 adde $acc0,$acc0,$t3
1146 $ST $acc2,$SIZE_T*3($tp) # t[2]
1147 addze $acc1,$zero # t[9]
1148 $ST $acc3,$SIZE_T*4($tp) # t[3]
1149 addc $acc4,$acc4,$t0
1151 adde $acc5,$acc5,$t1
1153 adde $acc6,$acc6,$t2
1154 $UMULL $t2,$a3,$a2 # lo(a[3..7]*a[2]) (iii)
1155 adde $acc7,$acc7,$t3
1157 adde $acc0,$acc0,$t0
1159 adde $acc1,$acc1,$t1
1162 addc $acc5,$acc5,$t2
1164 adde $acc6,$acc6,$t3
1165 $UMULH $t3,$a3,$a2 # hi(a[3..7]*a[2])
1166 adde $acc7,$acc7,$t0
1168 adde $acc0,$acc0,$t1
1170 adde $acc1,$acc1,$t2
1172 $ST $acc4,$SIZE_T*5($tp) # t[4]
1173 addze $acc2,$zero # t[10]
1174 $ST $acc5,$SIZE_T*6($tp) # t[5]
1175 addc $acc6,$acc6,$t3
1177 adde $acc7,$acc7,$t0
1178 $UMULL $t0,$a4,$a3 # lo(a[4..7]*a[3]) (iv)
1179 adde $acc0,$acc0,$t1
1181 adde $acc1,$acc1,$t2
1183 adde $acc2,$acc2,$t3
1186 addc $acc7,$acc7,$t0
1187 $UMULH $t0,$a4,$a3 # hi(a[4..7]*a[3])
1188 adde $acc0,$acc0,$t1
1190 adde $acc1,$acc1,$t2
1192 adde $acc2,$acc2,$t3
1194 $ST $acc6,$SIZE_T*7($tp) # t[6]
1195 addze $acc3,$zero # t[11]
1196 $STU $acc7,$SIZE_T*8($tp) # t[7]
1197 addc $acc0,$acc0,$t0
1198 $UMULL $t0,$a5,$a4 # lo(a[5..7]*a[4]) (v)
1199 adde $acc1,$acc1,$t1
1201 adde $acc2,$acc2,$t2
1203 adde $acc3,$acc3,$t3
1205 $UMULH $t3,$a5,$a4 # hi(a[5..7]*a[4])
1206 addc $acc1,$acc1,$t0
1208 adde $acc2,$acc2,$t1
1210 adde $acc3,$acc3,$t2
1211 $UMULL $t2,$a6,$a5 # lo(a[6..7]*a[5]) (vi)
1212 addze $acc4,$zero # t[12]
1213 addc $acc2,$acc2,$t3
1215 adde $acc3,$acc3,$t0
1216 $UMULH $t0,$a6,$a5 # hi(a[6..7]*a[5])
1217 adde $acc4,$acc4,$t1
1220 addc $acc3,$acc3,$t2
1221 $UMULL $t2,$a7,$a6 # lo(a[7]*a[6]) (vii)
1222 adde $acc4,$acc4,$t3
1223 $UMULH $t3,$a7,$a6 # hi(a[7]*a[6])
1224 addze $acc5,$zero # t[13]
1225 addc $acc4,$acc4,$t0
1226 $UCMP $ap_end,$ap # done yet?
1227 adde $acc5,$acc5,$t1
1229 addc $acc5,$acc5,$t2
1230 sub $t0,$ap_end,$num # rewinded ap
1231 addze $acc6,$zero # t[14]
1234 beq .Lsqr8x_outer_break
1237 $LD $a0,$SIZE_T*1($tp)
1238 $LD $a1,$SIZE_T*2($tp)
1239 $LD $a2,$SIZE_T*3($tp)
1240 $LD $a3,$SIZE_T*4($tp)
1241 $LD $a4,$SIZE_T*5($tp)
1242 $LD $a5,$SIZE_T*6($tp)
1243 $LD $a6,$SIZE_T*7($tp)
1244 $LD $a7,$SIZE_T*8($tp)
1245 addc $acc0,$acc0,$a0
1246 $LD $a0,$SIZE_T*1($ap)
1247 adde $acc1,$acc1,$a1
1248 $LD $a1,$SIZE_T*2($ap)
1249 adde $acc2,$acc2,$a2
1250 $LD $a2,$SIZE_T*3($ap)
1251 adde $acc3,$acc3,$a3
1252 $LD $a3,$SIZE_T*4($ap)
1253 adde $acc4,$acc4,$a4
1254 $LD $a4,$SIZE_T*5($ap)
1255 adde $acc5,$acc5,$a5
1256 $LD $a5,$SIZE_T*6($ap)
1257 adde $acc6,$acc6,$a6
1258 $LD $a6,$SIZE_T*7($ap)
1259 subi $rp,$ap,$SIZE_T*7
1261 $LDU $a7,$SIZE_T*8($ap)
1262 #addze $carry,$zero # moved below
1275 # a[f]a[1]........................
1277 # a[f]a[2]........................
1279 # a[f]a[3]........................
1281 # a[f]a[4]........................
1283 # a[f]a[5]........................
1285 # a[f]a[6]........................
1287 # a[f]a[7]........................
1291 addze $carry,$zero # carry bit, modulo-scheduled
1293 addi $cnt,$cnt,$SIZE_T
1295 andi. $cnt,$cnt,$SIZE_T*8-1
1297 addc $acc0,$acc0,$t0
1299 adde $acc1,$acc1,$t1
1301 adde $acc2,$acc2,$t2
1303 adde $acc3,$acc3,$t3
1305 adde $acc4,$acc4,$t0
1307 adde $acc5,$acc5,$t1
1309 adde $acc6,$acc6,$t2
1311 adde $acc7,$acc7,$t3
1314 $STU $acc0,$SIZE_T($tp)
1315 addc $acc0,$acc1,$t0
1317 adde $acc1,$acc2,$t1
1319 adde $acc2,$acc3,$t2
1321 adde $acc3,$acc4,$t3
1324 adde $acc4,$acc5,$t0
1325 adde $acc5,$acc6,$t1
1326 adde $acc6,$acc7,$t2
1327 adde $acc7,$carry,$t3
1328 #addze $carry,$zero # moved above
1330 # note that carry flag is guaranteed
1331 # to be zero at this point
1332 $UCMP $ap,$ap_end # done yet?
1335 $LD $a0,$SIZE_T*1($tp)
1336 $LD $a1,$SIZE_T*2($tp)
1337 $LD $a2,$SIZE_T*3($tp)
1338 $LD $a3,$SIZE_T*4($tp)
1339 $LD $a4,$SIZE_T*5($tp)
1340 $LD $a5,$SIZE_T*6($tp)
1341 $LD $a6,$SIZE_T*7($tp)
1342 $LD $a7,$SIZE_T*8($tp)
1343 addc $acc0,$acc0,$a0
1344 $LD $a0,$SIZE_T*1($ap)
1345 adde $acc1,$acc1,$a1
1346 $LD $a1,$SIZE_T*2($ap)
1347 adde $acc2,$acc2,$a2
1348 $LD $a2,$SIZE_T*3($ap)
1349 adde $acc3,$acc3,$a3
1350 $LD $a3,$SIZE_T*4($ap)
1351 adde $acc4,$acc4,$a4
1352 $LD $a4,$SIZE_T*5($ap)
1353 adde $acc5,$acc5,$a5
1354 $LD $a5,$SIZE_T*6($ap)
1355 adde $acc6,$acc6,$a6
1356 $LD $a6,$SIZE_T*7($ap)
1357 adde $acc7,$acc7,$a7
1358 $LDU $a7,$SIZE_T*8($ap)
1359 #addze $carry,$zero # moved above
1364 $LD $a0,$SIZE_T*8($rp)
1365 addi $ap,$rp,$SIZE_T*15
1366 $LD $a1,$SIZE_T*9($rp)
1367 sub. $t0,$ap_end,$ap # is it last iteration?
1368 $LD $a2,$SIZE_T*10($rp)
1370 $LD $a3,$SIZE_T*11($rp)
1371 $LD $a4,$SIZE_T*12($rp)
1372 $LD $a5,$SIZE_T*13($rp)
1373 $LD $a6,$SIZE_T*14($rp)
1374 $LD $a7,$SIZE_T*15($rp)
1375 beq .Lsqr8x_outer_loop
1377 $ST $acc0,$SIZE_T*1($tp)
1378 $LD $acc0,$SIZE_T*1($t1)
1379 $ST $acc1,$SIZE_T*2($tp)
1380 $LD $acc1,$SIZE_T*2($t1)
1381 $ST $acc2,$SIZE_T*3($tp)
1382 $LD $acc2,$SIZE_T*3($t1)
1383 $ST $acc3,$SIZE_T*4($tp)
1384 $LD $acc3,$SIZE_T*4($t1)
1385 $ST $acc4,$SIZE_T*5($tp)
1386 $LD $acc4,$SIZE_T*5($t1)
1387 $ST $acc5,$SIZE_T*6($tp)
1388 $LD $acc5,$SIZE_T*6($t1)
1389 $ST $acc6,$SIZE_T*7($tp)
1390 $LD $acc6,$SIZE_T*7($t1)
1391 $ST $acc7,$SIZE_T*8($tp)
1392 $LD $acc7,$SIZE_T*8($t1)
1394 b .Lsqr8x_outer_loop
1397 .Lsqr8x_outer_break:
1398 ####################################################################
1399 # Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]
1400 $LD $a1,$SIZE_T*1($t0) # recall that $t0 is &a[-1]
1401 $LD $a3,$SIZE_T*2($t0)
1402 $LD $a5,$SIZE_T*3($t0)
1403 $LD $a7,$SIZE_T*4($t0)
1404 addi $ap,$t0,$SIZE_T*4
1405 # "tp[x]" comments are for num==8 case
1406 $LD $t1,$SIZE_T*13($sp) # =tp[1], t[0] is not interesting
1407 $LD $t2,$SIZE_T*14($sp)
1408 $LD $t3,$SIZE_T*15($sp)
1409 $LD $t0,$SIZE_T*16($sp)
1411 $ST $acc0,$SIZE_T*1($tp) # tp[8]=
1412 srwi $cnt,$num,`log($SIZE_T)/log(2)+2`
1413 $ST $acc1,$SIZE_T*2($tp)
1415 $ST $acc2,$SIZE_T*3($tp)
1416 $ST $acc3,$SIZE_T*4($tp)
1417 $ST $acc4,$SIZE_T*5($tp)
1418 $ST $acc5,$SIZE_T*6($tp)
1419 $ST $acc6,$SIZE_T*7($tp)
1420 #$ST $acc7,$SIZE_T*8($tp) # tp[15] is not interesting
1421 addi $tp,$sp,$SIZE_T*11 # &tp[-1]
1422 $UMULL $acc0,$a1,$a1
1424 add $acc1,$t1,$t1 # <<1
1425 $SHRI $t1,$t1,$BITS-1
1428 addc $acc1,$acc1,$a1
1430 $SHRI $t2,$t2,$BITS-1
1432 $SHRI $t3,$t3,$BITS-1
1436 .Lsqr4x_shift_n_add:
1439 $LD $t1,$SIZE_T*6($tp) # =tp[5]
1440 $LD $a1,$SIZE_T*1($ap)
1441 adde $acc2,$acc2,$a2
1443 $SHRI $t0,$t0,$BITS-1
1445 $LD $t2,$SIZE_T*7($tp) # =tp[6]
1446 adde $acc3,$acc3,$a3
1447 $LD $a3,$SIZE_T*2($ap)
1449 $SHRI $t1,$t1,$BITS-1
1451 $LD $t3,$SIZE_T*8($tp) # =tp[7]
1454 adde $acc4,$acc4,$a4
1456 $SHRI $t2,$t2,$BITS-1
1458 $LD $t0,$SIZE_T*9($tp) # =tp[8]
1459 adde $acc5,$acc5,$a5
1460 $LD $a5,$SIZE_T*3($ap)
1462 $SHRI $t3,$t3,$BITS-1
1464 $LD $t1,$SIZE_T*10($tp) # =tp[9]
1467 adde $acc6,$acc6,$a6
1468 $ST $acc0,$SIZE_T*1($tp) # tp[0]=
1470 $SHRI $t0,$t0,$BITS-1
1472 $LD $t2,$SIZE_T*11($tp) # =tp[10]
1473 adde $acc7,$acc7,$a7
1474 $LDU $a7,$SIZE_T*4($ap)
1475 $ST $acc1,$SIZE_T*2($tp) # tp[1]=
1477 $SHRI $t1,$t1,$BITS-1
1479 $LD $t3,$SIZE_T*12($tp) # =tp[11]
1482 adde $acc0,$acc0,$a0
1483 $ST $acc2,$SIZE_T*3($tp) # tp[2]=
1485 $SHRI $t2,$t2,$BITS-1
1487 $LD $t0,$SIZE_T*13($tp) # =tp[12]
1488 adde $acc1,$acc1,$a1
1489 $ST $acc3,$SIZE_T*4($tp) # tp[3]=
1490 $ST $acc4,$SIZE_T*5($tp) # tp[4]=
1491 $ST $acc5,$SIZE_T*6($tp) # tp[5]=
1492 $ST $acc6,$SIZE_T*7($tp) # tp[6]=
1493 $STU $acc7,$SIZE_T*8($tp) # tp[7]=
1495 $SHRI $t3,$t3,$BITS-1
1497 bdnz .Lsqr4x_shift_n_add
1499 my ($np,$np_end)=($ap,$ap_end);
1501 $POP $np,$SIZE_T*7($sp) # pull &np[-1] and n0
1502 $POP $n0,$SIZE_T*8($sp)
1506 $ST $acc0,$SIZE_T*1($tp) # tp[8]=
1507 $LD $acc0,$SIZE_T*12($sp) # =tp[0]
1508 $LD $t1,$SIZE_T*6($tp) # =tp[13]
1509 adde $acc2,$acc2,$a2
1511 $SHRI $t0,$t0,$BITS-1
1513 $LD $t2,$SIZE_T*7($tp) # =tp[14]
1514 adde $acc3,$acc3,$a3
1516 $SHRI $t1,$t1,$BITS-1
1520 adde $acc4,$acc4,$a4
1522 $SHRI $t2,$t2,$BITS-1
1524 $ST $acc1,$SIZE_T*2($tp) # tp[9]=
1525 $LD $acc1,$SIZE_T*13($sp) # =tp[1]
1526 adde $acc5,$acc5,$a5
1528 $LD $a0,$SIZE_T*1($np)
1529 $LD $a1,$SIZE_T*2($np)
1530 adde $acc6,$acc6,$a6
1531 $LD $a2,$SIZE_T*3($np)
1532 $LD $a3,$SIZE_T*4($np)
1534 $LD $a4,$SIZE_T*5($np)
1535 $LD $a5,$SIZE_T*6($np)
1537 ################################################################
1538 # Reduce by 8 limbs per iteration
1539 $UMULL $na0,$n0,$acc0 # t[0]*n0
1541 $LD $a6,$SIZE_T*7($np)
1542 add $np_end,$np,$num
1543 $LDU $a7,$SIZE_T*8($np)
1544 $ST $acc2,$SIZE_T*3($tp) # tp[10]=
1545 $LD $acc2,$SIZE_T*14($sp)
1546 $ST $acc3,$SIZE_T*4($tp) # tp[11]=
1547 $LD $acc3,$SIZE_T*15($sp)
1548 $ST $acc4,$SIZE_T*5($tp) # tp[12]=
1549 $LD $acc4,$SIZE_T*16($sp)
1550 $ST $acc5,$SIZE_T*6($tp) # tp[13]=
1551 $LD $acc5,$SIZE_T*17($sp)
1552 $ST $acc6,$SIZE_T*7($tp) # tp[14]=
1553 $LD $acc6,$SIZE_T*18($sp)
1554 $ST $acc7,$SIZE_T*8($tp) # tp[15]=
1555 $LD $acc7,$SIZE_T*19($sp)
1556 addi $tp,$sp,$SIZE_T*11 # &tp[-1]
1562 # (*) $UMULL $t0,$a0,$na0 # lo(n[0-7])*lo(t[0]*n0)
1565 $STU $na0,$SIZE_T($tp) # put aside t[0]*n0 for tail processing
1567 # (*) addc $acc0,$acc0,$t0
1568 addic $acc0,$acc0,-1 # (*)
1570 adde $acc0,$acc1,$t1
1572 adde $acc1,$acc2,$t2
1574 adde $acc2,$acc3,$t3
1576 adde $acc3,$acc4,$t0
1577 $UMULH $t0,$a0,$na0 # hi(n[0-7])*lo(t[0]*n0)
1578 adde $acc4,$acc5,$t1
1580 adde $acc5,$acc6,$t2
1582 adde $acc6,$acc7,$t3
1585 addc $acc0,$acc0,$t0
1587 adde $acc1,$acc1,$t1
1589 adde $acc2,$acc2,$t2
1591 adde $acc3,$acc3,$t3
1593 $UMULL $na0,$n0,$acc0 # next t[0]*n0
1594 adde $acc4,$acc4,$t0
1595 adde $acc5,$acc5,$t1
1596 adde $acc6,$acc6,$t2
1597 adde $acc7,$acc7,$t3
1598 bdnz .Lsqr8x_reduction
1600 $LD $t0,$SIZE_T*1($tp)
1601 $LD $t1,$SIZE_T*2($tp)
1602 $LD $t2,$SIZE_T*3($tp)
1603 $LD $t3,$SIZE_T*4($tp)
1604 subi $rp,$tp,$SIZE_T*7
1605 $UCMP $np_end,$np # done yet?
1606 addc $acc0,$acc0,$t0
1607 $LD $t0,$SIZE_T*5($tp)
1608 adde $acc1,$acc1,$t1
1609 $LD $t1,$SIZE_T*6($tp)
1610 adde $acc2,$acc2,$t2
1611 $LD $t2,$SIZE_T*7($tp)
1612 adde $acc3,$acc3,$t3
1613 $LD $t3,$SIZE_T*8($tp)
1614 adde $acc4,$acc4,$t0
1615 adde $acc5,$acc5,$t1
1616 adde $acc6,$acc6,$t2
1617 adde $acc7,$acc7,$t3
1618 #addze $carry,$zero # moved below
1619 beq .Lsqr8x8_post_condition
1621 $LD $n0,$SIZE_T*0($rp)
1622 $LD $a0,$SIZE_T*1($np)
1623 $LD $a1,$SIZE_T*2($np)
1624 $LD $a2,$SIZE_T*3($np)
1625 $LD $a3,$SIZE_T*4($np)
1626 $LD $a4,$SIZE_T*5($np)
1627 $LD $a5,$SIZE_T*6($np)
1628 $LD $a6,$SIZE_T*7($np)
1629 $LDU $a7,$SIZE_T*8($np)
1635 addze $carry,$zero # carry bit, modulo-scheduled
1637 addi $cnt,$cnt,$SIZE_T
1639 andi. $cnt,$cnt,$SIZE_T*8-1
1641 addc $acc0,$acc0,$t0
1643 adde $acc1,$acc1,$t1
1645 adde $acc2,$acc2,$t2
1647 adde $acc3,$acc3,$t3
1649 adde $acc4,$acc4,$t0
1651 adde $acc5,$acc5,$t1
1653 adde $acc6,$acc6,$t2
1655 adde $acc7,$acc7,$t3
1658 $STU $acc0,$SIZE_T($tp)
1659 addc $acc0,$acc1,$t0
1661 adde $acc1,$acc2,$t1
1663 adde $acc2,$acc3,$t2
1665 adde $acc3,$acc4,$t3
1668 adde $acc4,$acc5,$t0
1669 adde $acc5,$acc6,$t1
1670 adde $acc6,$acc7,$t2
1671 adde $acc7,$carry,$t3
1672 #addze $carry,$zero # moved above
1674 # note that carry flag is guaranteed
1675 # to be zero at this point
1676 $LD $a0,$SIZE_T*1($tp)
1677 $POP $carry,$SIZE_T*10($sp) # pull top-most carry in case we break
1678 $UCMP $np_end,$np # done yet?
1679 $LD $a1,$SIZE_T*2($tp)
1680 sub $t2,$np_end,$num # rewinded np
1681 $LD $a2,$SIZE_T*3($tp)
1682 $LD $a3,$SIZE_T*4($tp)
1683 $LD $a4,$SIZE_T*5($tp)
1684 $LD $a5,$SIZE_T*6($tp)
1685 $LD $a6,$SIZE_T*7($tp)
1686 $LD $a7,$SIZE_T*8($tp)
1687 beq .Lsqr8x_tail_break
1689 addc $acc0,$acc0,$a0
1690 $LD $a0,$SIZE_T*1($np)
1691 adde $acc1,$acc1,$a1
1692 $LD $a1,$SIZE_T*2($np)
1693 adde $acc2,$acc2,$a2
1694 $LD $a2,$SIZE_T*3($np)
1695 adde $acc3,$acc3,$a3
1696 $LD $a3,$SIZE_T*4($np)
1697 adde $acc4,$acc4,$a4
1698 $LD $a4,$SIZE_T*5($np)
1699 adde $acc5,$acc5,$a5
1700 $LD $a5,$SIZE_T*6($np)
1701 adde $acc6,$acc6,$a6
1702 $LD $a6,$SIZE_T*7($np)
1703 adde $acc7,$acc7,$a7
1704 $LDU $a7,$SIZE_T*8($np)
1705 #addze $carry,$zero # moved above
1710 $POP $n0,$SIZE_T*8($sp) # pull n0
1711 $POP $t3,$SIZE_T*9($sp) # &tp[2*num-1]
1712 addi $cnt,$tp,$SIZE_T*8 # end of current t[num] window
1714 addic $carry,$carry,-1 # "move" top-most carry to carry bit
1716 $LD $acc0,$SIZE_T*8($rp)
1717 $LD $a0,$SIZE_T*1($t2) # recall that $t2 is &n[-1]
1719 $LD $acc1,$SIZE_T*9($rp)
1720 $LD $a1,$SIZE_T*2($t2)
1721 adde $acc2,$acc2,$a2
1722 $LD $a2,$SIZE_T*3($t2)
1723 adde $acc3,$acc3,$a3
1724 $LD $a3,$SIZE_T*4($t2)
1725 adde $acc4,$acc4,$a4
1726 $LD $a4,$SIZE_T*5($t2)
1727 adde $acc5,$acc5,$a5
1728 $LD $a5,$SIZE_T*6($t2)
1729 adde $acc6,$acc6,$a6
1730 $LD $a6,$SIZE_T*7($t2)
1731 adde $acc7,$acc7,$a7
1732 $LD $a7,$SIZE_T*8($t2)
1733 addi $np,$t2,$SIZE_T*8
1734 addze $t2,$zero # top-most carry
1735 $UMULL $na0,$n0,$acc0
1736 $ST $t0,$SIZE_T*1($tp)
1737 $UCMP $cnt,$t3 # did we hit the bottom?
1738 $ST $t1,$SIZE_T*2($tp)
1740 $ST $acc2,$SIZE_T*3($tp)
1741 $LD $acc2,$SIZE_T*10($rp)
1742 $ST $acc3,$SIZE_T*4($tp)
1743 $LD $acc3,$SIZE_T*11($rp)
1744 $ST $acc4,$SIZE_T*5($tp)
1745 $LD $acc4,$SIZE_T*12($rp)
1746 $ST $acc5,$SIZE_T*6($tp)
1747 $LD $acc5,$SIZE_T*13($rp)
1748 $ST $acc6,$SIZE_T*7($tp)
1749 $LD $acc6,$SIZE_T*14($rp)
1750 $ST $acc7,$SIZE_T*8($tp)
1751 $LD $acc7,$SIZE_T*15($rp)
1752 $PUSH $t2,$SIZE_T*10($sp) # off-load top-most carry
1753 addi $tp,$rp,$SIZE_T*7 # slide the window
1755 bne .Lsqr8x_reduction
1757 ################################################################
1758 # Final step. We see if result is larger than modulus, and
1759 # if it is, subtract the modulus. But comparison implies
1760 # subtraction. So we subtract modulus, see if it borrowed,
1761 # and conditionally copy original value.
1762 $POP $rp,$SIZE_T*6($sp) # pull &rp[-1]
1763 srwi $cnt,$num,`log($SIZE_T)/log(2)+3`
1764 mr $n0,$tp # put tp aside
1765 addi $tp,$tp,$SIZE_T*8
1770 mr $ap_end,$rp # $rp copy
1777 $LD $a0,$SIZE_T*1($np)
1778 $LD $acc0,$SIZE_T*1($tp)
1779 $LD $a1,$SIZE_T*2($np)
1780 $LD $acc1,$SIZE_T*2($tp)
1782 $LD $a2,$SIZE_T*3($np)
1783 $LD $acc2,$SIZE_T*3($tp)
1785 $LD $a3,$SIZE_T*4($np)
1786 $LD $acc3,$SIZE_T*4($tp)
1787 $ST $t0,$SIZE_T*1($rp)
1789 $LD $a4,$SIZE_T*5($np)
1790 $LD $acc4,$SIZE_T*5($tp)
1791 $ST $t1,$SIZE_T*2($rp)
1793 $LD $a5,$SIZE_T*6($np)
1794 $LD $acc5,$SIZE_T*6($tp)
1795 $ST $t2,$SIZE_T*3($rp)
1797 $LD $a6,$SIZE_T*7($np)
1798 $LD $acc6,$SIZE_T*7($tp)
1799 $ST $t3,$SIZE_T*4($rp)
1801 $LDU $a7,$SIZE_T*8($np)
1802 $LDU $acc7,$SIZE_T*8($tp)
1803 $ST $t0,$SIZE_T*5($rp)
1805 $ST $t1,$SIZE_T*6($rp)
1807 $ST $t2,$SIZE_T*7($rp)
1808 $STU $t3,$SIZE_T*8($rp)
1811 srwi $cnt,$num,`log($SIZE_T)/log(2)+2`
1812 $LD $a0,$SIZE_T*1($ap_end) # original $rp
1813 $LD $acc0,$SIZE_T*1($n0) # original $tp
1815 $LD $a1,$SIZE_T*2($ap_end)
1816 $LD $acc1,$SIZE_T*2($n0)
1818 $LD $a2,$SIZE_T*3($ap_end)
1819 $LD $acc2,$SIZE_T*3($n0)
1821 $LD $a3,$SIZE_T*4($ap_end)
1822 $LDU $acc3,$SIZE_T*4($n0)
1823 $ST $t0,$SIZE_T*1($rp)
1825 $ST $t1,$SIZE_T*2($rp)
1827 $ST $t2,$SIZE_T*3($rp)
1829 $ST $t3,$SIZE_T*4($rp)
1831 $ST $t0,$SIZE_T*5($rp)
1832 subfe $carry,$zero,$carry # did it borrow?
1833 $ST $t1,$SIZE_T*6($rp)
1834 $ST $t2,$SIZE_T*7($rp)
1835 $ST $t3,$SIZE_T*8($rp)
1837 addi $tp,$sp,$SIZE_T*11
1842 $ST $zero,-$SIZE_T*3($n0) # wipe stack clean
1843 and $acc0,$acc0,$carry
1844 $ST $zero,-$SIZE_T*2($n0)
1846 $ST $zero,-$SIZE_T*1($n0)
1847 and $acc1,$acc1,$carry
1848 $ST $zero,-$SIZE_T*0($n0)
1850 $ST $zero,$SIZE_T*1($tp)
1851 and $acc2,$acc2,$carry
1852 $ST $zero,$SIZE_T*2($tp)
1854 $ST $zero,$SIZE_T*3($tp)
1855 and $acc3,$acc3,$carry
1856 $STU $zero,$SIZE_T*4($tp)
1858 $LD $a0,$SIZE_T*5($ap_end)
1859 $LD $acc0,$SIZE_T*1($n0)
1861 $LD $a1,$SIZE_T*6($ap_end)
1862 $LD $acc1,$SIZE_T*2($n0)
1864 $LD $a2,$SIZE_T*7($ap_end)
1865 $LD $acc2,$SIZE_T*3($n0)
1867 $LD $a3,$SIZE_T*8($ap_end)
1868 $LDU $acc3,$SIZE_T*4($n0)
1869 $ST $t0,$SIZE_T*1($ap_end)
1870 $ST $t1,$SIZE_T*2($ap_end)
1871 $ST $t2,$SIZE_T*3($ap_end)
1872 $STU $t3,$SIZE_T*4($ap_end)
1873 bdnz .Lsqr4x_cond_copy
1875 $POP $ap,0($sp) # pull saved sp
1877 and $acc0,$acc0,$carry
1879 and $acc1,$acc1,$carry
1881 and $acc2,$acc2,$carry
1883 and $acc3,$acc3,$carry
1888 $ST $t0,$SIZE_T*1($ap_end)
1889 $ST $t1,$SIZE_T*2($ap_end)
1890 $ST $t2,$SIZE_T*3($ap_end)
1891 $ST $t3,$SIZE_T*4($ap_end)
1896 .Lsqr8x8_post_condition:
1897 $POP $rp,$SIZE_T*6($sp) # pull rp
1898 $POP $ap,0($sp) # pull saved sp
1901 # $acc0-7,$carry hold result, $a0-7 hold modulus
1902 subfc $acc0,$a0,$acc0
1903 subfe $acc1,$a1,$acc1
1904 $ST $zero,$SIZE_T*12($sp) # wipe stack clean
1905 $ST $zero,$SIZE_T*13($sp)
1906 subfe $acc2,$a2,$acc2
1907 $ST $zero,$SIZE_T*14($sp)
1908 $ST $zero,$SIZE_T*15($sp)
1909 subfe $acc3,$a3,$acc3
1910 $ST $zero,$SIZE_T*16($sp)
1911 $ST $zero,$SIZE_T*17($sp)
1912 subfe $acc4,$a4,$acc4
1913 $ST $zero,$SIZE_T*18($sp)
1914 $ST $zero,$SIZE_T*19($sp)
1915 subfe $acc5,$a5,$acc5
1916 $ST $zero,$SIZE_T*20($sp)
1917 $ST $zero,$SIZE_T*21($sp)
1918 subfe $acc6,$a6,$acc6
1919 $ST $zero,$SIZE_T*22($sp)
1920 $ST $zero,$SIZE_T*23($sp)
1921 subfe $acc7,$a7,$acc7
1922 $ST $zero,$SIZE_T*24($sp)
1923 $ST $zero,$SIZE_T*25($sp)
1924 subfe $carry,$zero,$carry # did it borrow?
1925 $ST $zero,$SIZE_T*26($sp)
1926 $ST $zero,$SIZE_T*27($sp)
1930 addc $acc0,$acc0,$a0 # add modulus back if borrowed
1932 adde $acc1,$acc1,$a1
1934 adde $acc2,$acc2,$a2
1936 adde $acc3,$acc3,$a3
1938 adde $acc4,$acc4,$a4
1940 adde $acc5,$acc5,$a5
1942 adde $acc6,$acc6,$a6
1943 adde $acc7,$acc7,$a7
1944 $ST $acc0,$SIZE_T*1($rp)
1945 $ST $acc1,$SIZE_T*2($rp)
1946 $ST $acc2,$SIZE_T*3($rp)
1947 $ST $acc3,$SIZE_T*4($rp)
1948 $ST $acc4,$SIZE_T*5($rp)
1949 $ST $acc5,$SIZE_T*6($rp)
1950 $ST $acc6,$SIZE_T*7($rp)
1951 $ST $acc7,$SIZE_T*8($rp)
1954 $PUSH $zero,$SIZE_T*8($sp)
1955 $PUSH $zero,$SIZE_T*10($sp)
1957 $POP r14,-$SIZE_T*18($ap)
1958 li r3,1 # signal "done"
1959 $POP r15,-$SIZE_T*17($ap)
1960 $POP r16,-$SIZE_T*16($ap)
1961 $POP r17,-$SIZE_T*15($ap)
1962 $POP r18,-$SIZE_T*14($ap)
1963 $POP r19,-$SIZE_T*13($ap)
1964 $POP r20,-$SIZE_T*12($ap)
1965 $POP r21,-$SIZE_T*11($ap)
1966 $POP r22,-$SIZE_T*10($ap)
1967 $POP r23,-$SIZE_T*9($ap)
1968 $POP r24,-$SIZE_T*8($ap)
1969 $POP r25,-$SIZE_T*7($ap)
1970 $POP r26,-$SIZE_T*6($ap)
1971 $POP r27,-$SIZE_T*5($ap)
1972 $POP r28,-$SIZE_T*4($ap)
1973 $POP r29,-$SIZE_T*3($ap)
1974 $POP r30,-$SIZE_T*2($ap)
1975 $POP r31,-$SIZE_T*1($ap)
1979 .byte 0,12,4,0x20,0x80,18,6,0
1981 .size __bn_sqr8x_mont,.-__bn_sqr8x_mont
1985 .asciz "Montgomery Multiplication for PPC, CRYPTOGAMS by <appro\@openssl.org>"
1988 $code =~ s/\`([^\`]*)\`/eval $1/gem;
projects / openssl.git / blob