3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
12 # Montgomery multiplication routine for x86_64. While it gives modest
13 # 9% improvement of rsa4096 sign on Opteron, rsa512 sign runs more
14 # than twice, >2x, as fast. Most common rsa1024 sign is improved by
15 # respectful 50%. It remains to be seen if loop unrolling and
16 # dedicated squaring routine can provide further improvement...
20 # Add dedicated squaring procedure. Performance improvement varies
21 # from platform to platform, but in average it's ~5%/15%/25%/33%
22 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
26 # Unroll and modulo-schedule inner loops in such manner that they
27 # are "fallen through" for input lengths of 8, which is critical for
28 # 1024-bit RSA *sign*. Average performance improvement in comparison
29 # to *initial* version of this module from 2005 is ~0%/30%/40%/45%
30 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
34 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
36 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
38 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
39 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
40 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
41 die "can't locate x86_64-xlate.pl";
43 open STDOUT,"| $^X $xlate $flavour $output";
46 $rp="%rdi"; # BN_ULONG *rp,
47 $ap="%rsi"; # const BN_ULONG *ap,
48 $bp="%rdx"; # const BN_ULONG *bp,
49 $np="%rcx"; # const BN_ULONG *np,
50 $n0="%r8"; # const BN_ULONG *n0,
51 $num="%r9"; # int num);
64 .type bn_mul_mont,\@function,6
88 lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+2))
89 and \$-1024,%rsp # minimize TLB usage
91 mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
93 mov $bp,%r12 # reassign $bp
97 mov ($n0),$n0 # pull n0[0] value
98 mov ($bp),$m0 # m0=bp[0]
105 mulq $m0 # ap[0]*bp[0]
109 imulq $lo0,$m1 # "tp[0]"*n0
113 add %rax,$lo0 # discarded
126 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
129 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
133 mulq $m0 # ap[j]*bp[0]
145 mov ($ap),%rax # ap[0]
147 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
149 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
156 mov $hi1,-8(%rsp,$num,8)
157 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
163 mov ($bp,$i,8),$m0 # m0=bp[i]
167 mulq $m0 # ap[0]*bp[i]
168 add %rax,$lo0 # ap[0]*bp[i]+tp[0]
172 imulq $lo0,$m1 # tp[0]*n0
176 add %rax,$lo0 # discarded
179 mov 8(%rsp),$lo0 # tp[1]
190 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
193 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
197 mulq $m0 # ap[j]*bp[i]
201 add $hi0,$lo0 # ap[j]*bp[i]+tp[j]
211 mov ($ap),%rax # ap[0]
213 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
216 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
222 add $lo0,$hi1 # pull upmost overflow bit
224 mov $hi1,-8(%rsp,$num,8)
225 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
231 xor $i,$i # i=0 and clear CF!
232 mov (%rsp),%rax # tp[0]
233 lea (%rsp),$ap # borrow ap for tp
237 .Lsub: sbb ($np,$i,8),%rax
238 mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i]
239 mov 8($ap,$i,8),%rax # tp[i+1]
241 dec $j # doesnn't affect CF!
244 sbb \$0,%rax # handle upmost overflow bit
251 or $np,$ap # ap=borrow?tp:rp
253 .Lcopy: # copy or in-place refresh
255 mov $i,(%rsp,$i,8) # zap temporary vector
256 mov %rax,($rp,$i,8) # rp[i]=tp[i]
261 mov 8(%rsp,$num,8),%rsi # restore %rsp
272 .size bn_mul_mont,.-bn_mul_mont
275 my @A=("%r10","%r11");
276 my @N=("%r13","%rdi");
278 .type bn_mul4x_mont,\@function,6
293 lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+4))
294 and \$-1024,%rsp # minimize TLB usage
296 mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
298 mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
299 mov %rdx,%r12 # reassign $bp
303 mov ($n0),$n0 # pull n0[0] value
304 mov ($bp),$m0 # m0=bp[0]
311 mulq $m0 # ap[0]*bp[0]
315 imulq $A[0],$m1 # "tp[0]"*n0
319 add %rax,$A[0] # discarded
342 mulq $m0 # ap[j]*bp[0]
344 mov -16($np,$j,8),%rax
350 mov -8($ap,$j,8),%rax
352 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
354 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
357 mulq $m0 # ap[j]*bp[0]
359 mov -8($np,$j,8),%rax
367 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
369 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
372 mulq $m0 # ap[j]*bp[0]
382 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
384 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
387 mulq $m0 # ap[j]*bp[0]
396 mov -16($ap,$j,8),%rax
398 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
400 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
405 mulq $m0 # ap[j]*bp[0]
407 mov -16($np,$j,8),%rax
413 mov -8($ap,$j,8),%rax
415 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
417 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
420 mulq $m0 # ap[j]*bp[0]
422 mov -8($np,$j,8),%rax
428 mov ($ap),%rax # ap[0]
430 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
432 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
438 mov $N[0],-8(%rsp,$j,8)
439 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
444 mov ($bp,$i,8),$m0 # m0=bp[i]
448 mulq $m0 # ap[0]*bp[i]
449 add %rax,$A[0] # ap[0]*bp[i]+tp[0]
453 imulq $A[0],$m1 # tp[0]*n0
457 add %rax,$A[0] # "$N[0]", discarded
462 mulq $m0 # ap[j]*bp[i]
466 add 8(%rsp),$A[1] # +tp[1]
474 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[i]+tp[j]
477 mov $N[1],(%rsp) # tp[j-1]
482 mulq $m0 # ap[j]*bp[i]
484 mov -16($np,$j,8),%rax
486 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
492 mov -8($ap,$j,8),%rax
496 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
499 mulq $m0 # ap[j]*bp[i]
501 mov -8($np,$j,8),%rax
503 add -8(%rsp,$j,8),$A[1]
513 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
516 mulq $m0 # ap[j]*bp[i]
520 add (%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
530 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
533 mulq $m0 # ap[j]*bp[i]
537 add 8(%rsp,$j,8),$A[1]
544 mov -16($ap,$j,8),%rax
548 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
553 mulq $m0 # ap[j]*bp[i]
555 mov -16($np,$j,8),%rax
557 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
563 mov -8($ap,$j,8),%rax
567 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
570 mulq $m0 # ap[j]*bp[i]
572 mov -8($np,$j,8),%rax
574 add -8(%rsp,$j,8),$A[1]
581 mov ($ap),%rax # ap[0]
585 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
591 add (%rsp,$num,8),$N[0] # pull upmost overflow bit
593 mov $N[0],-8(%rsp,$j,8)
594 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
600 my @ri=("%rax","%rdx",$m0,$m1);
602 mov 16(%rsp,$num,8),$rp # restore $rp
603 mov 0(%rsp),@ri[0] # tp[0]
605 mov 8(%rsp),@ri[1] # tp[1]
606 shr \$2,$num # num/=4
607 lea (%rsp),$ap # borrow ap for tp
608 xor $i,$i # i=0 and clear CF!
611 mov 16($ap),@ri[2] # tp[2]
612 mov 24($ap),@ri[3] # tp[3]
614 lea -1($num),$j # j=num/4-1
618 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
619 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
620 sbb 16($np,$i,8),@ri[2]
621 mov 32($ap,$i,8),@ri[0] # tp[i+1]
622 mov 40($ap,$i,8),@ri[1]
623 sbb 24($np,$i,8),@ri[3]
624 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
625 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
626 sbb 32($np,$i,8),@ri[0]
627 mov 48($ap,$i,8),@ri[2]
628 mov 56($ap,$i,8),@ri[3]
629 sbb 40($np,$i,8),@ri[1]
631 dec $j # doesnn't affect CF!
634 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
635 mov 32($ap,$i,8),@ri[0] # load overflow bit
636 sbb 16($np,$i,8),@ri[2]
637 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
638 sbb 24($np,$i,8),@ri[3]
639 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
641 sbb \$0,@ri[0] # handle upmost overflow bit
642 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
649 or $np,$ap # ap=borrow?tp:rp
656 .Lcopy4x: # copy or in-place refresh
657 movdqu 16($ap,$i),%xmm2
658 movdqu 32($ap,$i),%xmm1
659 movdqa %xmm0,16(%rsp,$i)
660 movdqu %xmm2,16($rp,$i)
661 movdqa %xmm0,32(%rsp,$i)
662 movdqu %xmm1,32($rp,$i)
668 movdqu 16($ap,$i),%xmm2
669 movdqa %xmm0,16(%rsp,$i)
670 movdqu %xmm2,16($rp,$i)
674 mov 8(%rsp,$num,8),%rsi # restore %rsp
685 .size bn_mul4x_mont,.-bn_mul4x_mont
689 ######################################################################
690 # void bn_sqr4x_mont(
691 my $rptr="%rdi"; # const BN_ULONG *rptr,
692 my $aptr="%rsi"; # const BN_ULONG *aptr,
693 my $bptr="%rdx"; # not used
694 my $nptr="%rcx"; # const BN_ULONG *nptr,
695 my $n0 ="%r8"; # const BN_ULONG *n0);
696 my $num ="%r9"; # int num, has to be divisible by 4 and
699 my ($i,$j,$tptr)=("%rbp","%rcx",$rptr);
700 my @A0=("%r10","%r11");
701 my @A1=("%r12","%r13");
702 my ($a0,$a1,$ai)=("%r14","%r15","%rbx");
705 .type bn_sqr4x_mont,\@function,6
716 shl \$3,${num}d # convert $num to bytes
718 mov %rsp,%r11 # put aside %rsp
719 sub $num,%r10 # -$num
721 lea -72(%rsp,%r10,2),%rsp # alloca(frame+2*$num)
722 and \$-1024,%rsp # minimize TLB usage
723 ##############################################################
726 # +0 saved $num, used in reduction section
727 # +8 &t[2*$num], used in reduction section
734 mov $rptr,32(%rsp) # save $rptr
737 mov %r11, 56(%rsp) # save original %rsp
739 ##############################################################
742 # a) multiply-n-add everything but a[i]*a[i];
743 # b) shift result of a) by 1 to the left and accumulate
744 # a[i]*a[i] products;
746 lea 32(%r10),$i # $i=-($num-32)
747 lea ($aptr,$num),$aptr # end of a[] buffer, ($aptr,$i)=&ap[2]
749 mov $num,$j # $j=$num
751 # comments apply to $num==8 case
752 mov -32($aptr,$i),$a0 # a[0]
753 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
754 mov -24($aptr,$i),%rax # a[1]
755 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
756 mov -16($aptr,$i),$ai # a[2]
760 mov %rax,$A0[0] # a[1]*a[0]
763 mov $A0[0],-24($tptr,$i) # t[1]
770 mov $A0[1],-16($tptr,$i) # t[2]
772 lea -16($i),$j # j=-16
775 mov 8($aptr,$j),$ai # a[3]
777 mov %rax,$A1[0] # a[2]*a[1]+t[3]
786 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
789 mov $A0[0],-8($tptr,$j) # t[3]
794 mov ($aptr,$j),$ai # a[4]
797 add %rax,$A1[1] # a[3]*a[1]+t[4]
805 add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4]
808 mov $A0[1],($tptr,$j) # t[4]
811 mov 8($aptr,$j),$ai # a[5]
814 add %rax,$A1[0] # a[4]*a[3]+t[5]
822 add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5]
825 mov $A0[0],8($tptr,$j) # t[5]
827 mov 16($aptr,$j),$ai # a[6]
830 add %rax,$A1[1] # a[5]*a[3]+t[6]
838 add %rax,$A0[1] # a[6]*a[2]+a[5]*a[3]+t[6]
841 mov $A0[1],16($tptr,$j) # t[6]
844 mov 24($aptr,$j),$ai # a[7]
847 add %rax,$A1[0] # a[6]*a[5]+t[7]
856 add %rax,$A0[0] # a[7]*a[4]+a[6]*a[5]+t[6]
859 mov $A0[0],-8($tptr,$j) # t[7]
871 mov $A1[1],($tptr) # t[8]
873 mov $A1[0],8($tptr) # t[9]
877 .Lsqr4x_outer: # comments apply to $num==6 case
878 mov -32($aptr,$i),$a0 # a[0]
879 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
880 mov -24($aptr,$i),%rax # a[1]
881 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
882 mov -16($aptr,$i),$ai # a[2]
885 mov -24($tptr,$i),$A0[0] # t[1]
888 add %rax,$A0[0] # a[1]*a[0]+t[1]
891 mov $A0[0],-24($tptr,$i) # t[1]
894 add -16($tptr,$i),$A0[1] # a[2]*a[0]+t[2]
900 mov $A0[1],-16($tptr,$i) # t[2]
902 lea -16($i),$j # j=-16
906 mov 8($aptr,$j),$ai # a[3]
908 add 8($tptr,$j),$A1[0]
911 add %rax,$A1[0] # a[2]*a[1]+t[3]
919 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
922 mov $A0[0],8($tptr,$j) # t[3]
929 mov ($aptr,$j),$ai # a[4]
931 add ($tptr,$j),$A1[1]
934 add %rax,$A1[1] # a[3]*a[1]+t[4]
942 add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4]
945 mov $A0[1],($tptr,$j) # t[4]
947 mov 8($aptr,$j),$ai # a[5]
949 add 8($tptr,$j),$A1[0]
952 add %rax,$A1[0] # a[4]*a[3]+t[5]
961 add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5]
964 mov $A0[0],-8($tptr,$j) # t[5], "preloaded t[1]" below
976 mov $A1[1],($tptr) # t[6], "preloaded t[2]" below
977 mov $A1[0],8($tptr) # t[7], "preloaded t[3]" below
982 # comments apply to $num==4 case
983 mov -32($aptr),$a0 # a[0]
984 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
985 mov -24($aptr),%rax # a[1]
986 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
987 mov -16($aptr),$ai # a[2]
992 add %rax,$A0[0] # a[1]*a[0]+t[1], preloaded t[1]
995 mov $A0[0],-24($tptr) # t[1]
998 add $A1[1],$A0[1] # a[2]*a[0]+t[2], preloaded t[2]
1004 mov $A0[1],-16($tptr) # t[2]
1006 mov -8($aptr),$ai # a[3]
1008 add %rax,$A1[0] # a[2]*a[1]+t[3], preloaded t[3]
1017 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
1020 mov $A0[0],-8($tptr) # t[3]
1027 mov -16($aptr),%rax # a[2]
1030 mov $A1[1],($tptr) # t[4]
1031 mov $A1[0],8($tptr) # t[5]
1036 my ($shift,$carry)=($a0,$a1);
1037 my @S=(@A1,$ai,$n0);
1041 sub $num,$i # $i=16-$num
1044 add $A1[0],%rax # t[5]
1046 mov %rax,8($tptr) # t[5]
1047 mov %rdx,16($tptr) # t[6]
1048 mov $carry,24($tptr) # t[7]
1050 mov -16($aptr,$i),%rax # a[0]
1051 lea 64(%rsp,$num,2),$tptr
1052 xor $A0[0],$A0[0] # t[0]
1053 mov -24($tptr,$i,2),$A0[1] # t[1]
1055 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1057 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1059 or $A0[0],$S[1] # | t[2*i]>>63
1060 mov -16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1061 mov $A0[1],$shift # shift=t[2*i+1]>>63
1062 mul %rax # a[i]*a[i]
1063 neg $carry # mov $carry,cf
1064 mov -8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1066 mov -8($aptr,$i),%rax # a[i+1] # prefetch
1067 mov $S[0],-32($tptr,$i,2)
1070 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1071 mov $S[1],-24($tptr,$i,2)
1072 sbb $carry,$carry # mov cf,$carry
1074 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1076 or $A0[0],$S[3] # | t[2*i]>>63
1077 mov 0($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1078 mov $A0[1],$shift # shift=t[2*i+1]>>63
1079 mul %rax # a[i]*a[i]
1080 neg $carry # mov $carry,cf
1081 mov 8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1083 mov 0($aptr,$i),%rax # a[i+1] # prefetch
1084 mov $S[2],-16($tptr,$i,2)
1087 mov $S[3],-40($tptr,$i,2)
1088 sbb $carry,$carry # mov cf,$carry
1089 jmp .Lsqr4x_shift_n_add
1092 .Lsqr4x_shift_n_add:
1093 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1095 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1097 or $A0[0],$S[1] # | t[2*i]>>63
1098 mov -16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1099 mov $A0[1],$shift # shift=t[2*i+1]>>63
1100 mul %rax # a[i]*a[i]
1101 neg $carry # mov $carry,cf
1102 mov -8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1104 mov -8($aptr,$i),%rax # a[i+1] # prefetch
1105 mov $S[0],-32($tptr,$i,2)
1108 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1109 mov $S[1],-24($tptr,$i,2)
1110 sbb $carry,$carry # mov cf,$carry
1112 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1114 or $A0[0],$S[3] # | t[2*i]>>63
1115 mov 0($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1116 mov $A0[1],$shift # shift=t[2*i+1]>>63
1117 mul %rax # a[i]*a[i]
1118 neg $carry # mov $carry,cf
1119 mov 8($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1121 mov 0($aptr,$i),%rax # a[i+1] # prefetch
1122 mov $S[2],-16($tptr,$i,2)
1125 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1126 mov $S[3],-8($tptr,$i,2)
1127 sbb $carry,$carry # mov cf,$carry
1129 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1131 or $A0[0],$S[1] # | t[2*i]>>63
1132 mov 16($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1133 mov $A0[1],$shift # shift=t[2*i+1]>>63
1134 mul %rax # a[i]*a[i]
1135 neg $carry # mov $carry,cf
1136 mov 24($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1138 mov 8($aptr,$i),%rax # a[i+1] # prefetch
1139 mov $S[0],0($tptr,$i,2)
1142 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1143 mov $S[1],8($tptr,$i,2)
1144 sbb $carry,$carry # mov cf,$carry
1146 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1148 or $A0[0],$S[3] # | t[2*i]>>63
1149 mov 32($tptr,$i,2),$A0[0] # t[2*i+2] # prefetch
1150 mov $A0[1],$shift # shift=t[2*i+1]>>63
1151 mul %rax # a[i]*a[i]
1152 neg $carry # mov $carry,cf
1153 mov 40($tptr,$i,2),$A0[1] # t[2*i+2+1] # prefetch
1155 mov 16($aptr,$i),%rax # a[i+1] # prefetch
1156 mov $S[2],16($tptr,$i,2)
1158 mov $S[3],24($tptr,$i,2)
1159 sbb $carry,$carry # mov cf,$carry
1161 jnz .Lsqr4x_shift_n_add
1163 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1165 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1167 or $A0[0],$S[1] # | t[2*i]>>63
1168 mov -16($tptr),$A0[0] # t[2*i+2] # prefetch
1169 mov $A0[1],$shift # shift=t[2*i+1]>>63
1170 mul %rax # a[i]*a[i]
1171 neg $carry # mov $carry,cf
1172 mov -8($tptr),$A0[1] # t[2*i+2+1] # prefetch
1174 mov -8($aptr),%rax # a[i+1] # prefetch
1175 mov $S[0],-32($tptr)
1178 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1|shift
1179 mov $S[1],-24($tptr)
1180 sbb $carry,$carry # mov cf,$carry
1182 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1184 or $A0[0],$S[3] # | t[2*i]>>63
1185 mul %rax # a[i]*a[i]
1186 neg $carry # mov $carry,cf
1189 mov $S[2],-16($tptr)
1193 ##############################################################
1194 # Montgomery reduction part, "word-by-word" algorithm.
1197 my ($topbit,$nptr)=("%rbp",$aptr);
1198 my ($m0,$m1)=($a0,$a1);
1199 my @Ni=("%rbx","%r9");
1201 mov 40(%rsp),$nptr # restore $nptr
1202 mov 48(%rsp),$n0 # restore *n0
1204 mov $num,0(%rsp) # save $num
1205 sub $num,$j # $j=-$num
1206 mov 64(%rsp),$A0[0] # t[0] # modsched #
1207 mov $n0,$m0 # # modsched #
1208 lea 64(%rsp,$num,2),%rax # end of t[] buffer
1209 lea 64(%rsp,$num),$tptr # end of t[] window
1210 mov %rax,8(%rsp) # save end of t[] buffer
1211 lea ($nptr,$num),$nptr # end of n[] buffer
1212 xor $topbit,$topbit # $topbit=0
1214 mov 0($nptr,$j),%rax # n[0] # modsched #
1215 mov 8($nptr,$j),$Ni[1] # n[1] # modsched #
1216 imulq $A0[0],$m0 # m0=t[0]*n0 # modsched #
1217 mov %rax,$Ni[0] # # modsched #
1218 jmp .Lsqr4x_mont_outer
1224 add %rax,$A0[0] # n[0]*m0+t[0]
1230 add 8($tptr,$j),$A0[1]
1233 add %rax,$A0[1] # n[1]*m0+t[1]
1239 mov 16($nptr,$j),$Ni[0] # n[2]
1244 add %rax,$A1[0] # n[0]*m1+"t[1]"
1247 mov $A1[0],8($tptr,$j) # "t[1]"
1250 add 16($tptr,$j),$A0[0]
1253 add %rax,$A0[0] # n[2]*m0+t[2]
1257 mov 24($nptr,$j),$Ni[1] # n[3]
1262 add %rax,$A1[1] # n[1]*m1+"t[2]"
1265 mov $A1[1],16($tptr,$j) # "t[2]"
1268 add 24($tptr,$j),$A0[1]
1272 add %rax,$A0[1] # n[3]*m0+t[3]
1275 jmp .Lsqr4x_mont_inner
1279 mov ($nptr,$j),$Ni[0] # n[4]
1284 add %rax,$A1[0] # n[2]*m1+"t[3]"
1287 mov $A1[0],-8($tptr,$j) # "t[3]"
1290 add ($tptr,$j),$A0[0]
1293 add %rax,$A0[0] # n[4]*m0+t[4]
1297 mov 8($nptr,$j),$Ni[1] # n[5]
1302 add %rax,$A1[1] # n[3]*m1+"t[4]"
1305 mov $A1[1],($tptr,$j) # "t[4]"
1308 add 8($tptr,$j),$A0[1]
1311 add %rax,$A0[1] # n[5]*m0+t[5]
1316 mov 16($nptr,$j),$Ni[0] # n[6]
1321 add %rax,$A1[0] # n[4]*m1+"t[5]"
1324 mov $A1[0],8($tptr,$j) # "t[5]"
1327 add 16($tptr,$j),$A0[0]
1330 add %rax,$A0[0] # n[6]*m0+t[6]
1334 mov 24($nptr,$j),$Ni[1] # n[7]
1339 add %rax,$A1[1] # n[5]*m1+"t[6]"
1342 mov $A1[1],16($tptr,$j) # "t[6]"
1345 add 24($tptr,$j),$A0[1]
1349 add %rax,$A0[1] # n[7]*m0+t[7]
1353 jne .Lsqr4x_mont_inner
1355 sub 0(%rsp),$j # $j=-$num # modsched #
1356 mov $n0,$m0 # # modsched #
1362 add %rax,$A1[0] # n[6]*m1+"t[7]"
1365 mov $A1[0],-8($tptr) # "t[7]"
1368 add ($tptr),$A0[0] # +t[8]
1370 mov 0($nptr,$j),$Ni[0] # n[0] # modsched #
1374 imulq 16($tptr,$j),$m0 # m0=t[0]*n0 # modsched #
1376 mov 8($nptr,$j),$Ni[1] # n[1] # modsched #
1378 mov 16($tptr,$j),$A0[0] # t[0] # modsched #
1381 add %rax,$A1[1] # n[7]*m1+"t[8]"
1382 mov $Ni[0],%rax # # modsched #
1384 mov $A1[1],($tptr) # "t[8]"
1387 add 8($tptr),$A1[0] # +t[9]
1390 lea 16($tptr),$tptr # "t[$num]>>128"
1392 mov $A1[0],-8($tptr) # "t[9]"
1393 cmp 8(%rsp),$tptr # are we done?
1394 jb .Lsqr4x_mont_outer
1396 mov 0(%rsp),$num # restore $num
1397 mov $topbit,($tptr) # save $topbit
1400 ##############################################################
1401 # Post-condition, 4x unrolled copy from bn_mul_mont
1404 my ($tptr,$nptr)=("%rbx",$aptr);
1405 my @ri=("%rax","%rdx","%r10","%r11");
1407 mov 64(%rsp,$num),@ri[0] # tp[0]
1408 lea 64(%rsp,$num),$tptr # upper half of t[2*$num] holds result
1409 mov 40(%rsp),$nptr # restore $nptr
1410 shr \$5,$num # num/4
1411 mov 8($tptr),@ri[1] # t[1]
1412 xor $i,$i # i=0 and clear CF!
1414 mov 32(%rsp),$rptr # restore $rptr
1416 mov 16($tptr),@ri[2] # t[2]
1417 mov 24($tptr),@ri[3] # t[3]
1419 lea -1($num),$j # j=num/4-1
1423 mov @ri[0],0($rptr,$i,8) # rp[i]=tp[i]-np[i]
1424 mov @ri[1],8($rptr,$i,8) # rp[i]=tp[i]-np[i]
1425 sbb 16($nptr,$i,8),@ri[2]
1426 mov 32($tptr,$i,8),@ri[0] # tp[i+1]
1427 mov 40($tptr,$i,8),@ri[1]
1428 sbb 24($nptr,$i,8),@ri[3]
1429 mov @ri[2],16($rptr,$i,8) # rp[i]=tp[i]-np[i]
1430 mov @ri[3],24($rptr,$i,8) # rp[i]=tp[i]-np[i]
1431 sbb 32($nptr,$i,8),@ri[0]
1432 mov 48($tptr,$i,8),@ri[2]
1433 mov 56($tptr,$i,8),@ri[3]
1434 sbb 40($nptr,$i,8),@ri[1]
1436 dec $j # doesn't affect CF!
1439 mov @ri[0],0($rptr,$i,8) # rp[i]=tp[i]-np[i]
1440 mov 32($tptr,$i,8),@ri[0] # load overflow bit
1441 sbb 16($nptr,$i,8),@ri[2]
1442 mov @ri[1],8($rptr,$i,8) # rp[i]=tp[i]-np[i]
1443 sbb 24($nptr,$i,8),@ri[3]
1444 mov @ri[2],16($rptr,$i,8) # rp[i]=tp[i]-np[i]
1446 sbb \$0,@ri[0] # handle upmost overflow bit
1447 mov @ri[3],24($rptr,$i,8) # rp[i]=tp[i]-np[i]
1454 or $nptr,$tptr # tp=borrow?tp:rp
1457 lea 64(%rsp,$num,8),$nptr
1458 movdqu ($tptr),%xmm1
1459 lea ($nptr,$num,8),$nptr
1460 movdqa %xmm0,64(%rsp) # zap lower half of temporary vector
1461 movdqa %xmm0,($nptr) # zap upper half of temporary vector
1462 movdqu %xmm1,($rptr)
1465 .Lsqr4x_copy: # copy or in-place refresh
1466 movdqu 16($tptr,$i),%xmm2
1467 movdqu 32($tptr,$i),%xmm1
1468 movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector
1469 movdqa %xmm0,96(%rsp,$i) # zap lower half of temporary vector
1470 movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector
1471 movdqa %xmm0,32($nptr,$i) # zap upper half of temporary vector
1472 movdqu %xmm2,16($rptr,$i)
1473 movdqu %xmm1,32($rptr,$i)
1478 movdqu 16($tptr,$i),%xmm2
1479 movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector
1480 movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector
1481 movdqu %xmm2,16($rptr,$i)
1485 mov 56(%rsp),%rsi # restore %rsp
1496 .size bn_sqr4x_mont,.-bn_sqr4x_mont
1500 .asciz "Montgomery Multiplication for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
1504 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
1505 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
1513 .extern __imp_RtlVirtualUnwind
1514 .type mul_handler,\@abi-omnipotent
1528 mov 120($context),%rax # pull context->Rax
1529 mov 248($context),%rbx # pull context->Rip
1531 mov 8($disp),%rsi # disp->ImageBase
1532 mov 56($disp),%r11 # disp->HandlerData
1534 mov 0(%r11),%r10d # HandlerData[0]
1535 lea (%rsi,%r10),%r10 # end of prologue label
1536 cmp %r10,%rbx # context->Rip<end of prologue label
1537 jb .Lcommon_seh_tail
1539 mov 152($context),%rax # pull context->Rsp
1541 mov 4(%r11),%r10d # HandlerData[1]
1542 lea (%rsi,%r10),%r10 # epilogue label
1543 cmp %r10,%rbx # context->Rip>=epilogue label
1544 jae .Lcommon_seh_tail
1546 mov 192($context),%r10 # pull $num
1547 mov 8(%rax,%r10,8),%rax # pull saved stack pointer
1556 mov %rbx,144($context) # restore context->Rbx
1557 mov %rbp,160($context) # restore context->Rbp
1558 mov %r12,216($context) # restore context->R12
1559 mov %r13,224($context) # restore context->R13
1560 mov %r14,232($context) # restore context->R14
1561 mov %r15,240($context) # restore context->R15
1563 jmp .Lcommon_seh_tail
1564 .size mul_handler,.-mul_handler
1566 .type sqr_handler,\@abi-omnipotent
1580 mov 120($context),%rax # pull context->Rax
1581 mov 248($context),%rbx # pull context->Rip
1583 lea .Lsqr4x_body(%rip),%r10
1584 cmp %r10,%rbx # context->Rip<.Lsqr_body
1585 jb .Lcommon_seh_tail
1587 mov 152($context),%rax # pull context->Rsp
1589 lea .Lsqr4x_epilogue(%rip),%r10
1590 cmp %r10,%rbx # context->Rip>=.Lsqr_epilogue
1591 jae .Lcommon_seh_tail
1593 mov 56(%rax),%rax # pull saved stack pointer
1602 mov %rbx,144($context) # restore context->Rbx
1603 mov %rbp,160($context) # restore context->Rbp
1604 mov %r12,216($context) # restore context->R12
1605 mov %r13,224($context) # restore context->R13
1606 mov %r14,232($context) # restore context->R14
1607 mov %r15,240($context) # restore context->R15
1612 mov %rax,152($context) # restore context->Rsp
1613 mov %rsi,168($context) # restore context->Rsi
1614 mov %rdi,176($context) # restore context->Rdi
1616 mov 40($disp),%rdi # disp->ContextRecord
1617 mov $context,%rsi # context
1618 mov \$154,%ecx # sizeof(CONTEXT)
1619 .long 0xa548f3fc # cld; rep movsq
1622 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
1623 mov 8(%rsi),%rdx # arg2, disp->ImageBase
1624 mov 0(%rsi),%r8 # arg3, disp->ControlPc
1625 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
1626 mov 40(%rsi),%r10 # disp->ContextRecord
1627 lea 56(%rsi),%r11 # &disp->HandlerData
1628 lea 24(%rsi),%r12 # &disp->EstablisherFrame
1629 mov %r10,32(%rsp) # arg5
1630 mov %r11,40(%rsp) # arg6
1631 mov %r12,48(%rsp) # arg7
1632 mov %rcx,56(%rsp) # arg8, (NULL)
1633 call *__imp_RtlVirtualUnwind(%rip)
1635 mov \$1,%eax # ExceptionContinueSearch
1647 .size sqr_handler,.-sqr_handler
1651 .rva .LSEH_begin_bn_mul_mont
1652 .rva .LSEH_end_bn_mul_mont
1653 .rva .LSEH_info_bn_mul_mont
1655 .rva .LSEH_begin_bn_mul4x_mont
1656 .rva .LSEH_end_bn_mul4x_mont
1657 .rva .LSEH_info_bn_mul4x_mont
1659 .rva .LSEH_begin_bn_sqr4x_mont
1660 .rva .LSEH_end_bn_sqr4x_mont
1661 .rva .LSEH_info_bn_sqr4x_mont
1665 .LSEH_info_bn_mul_mont:
1668 .rva .Lmul_body,.Lmul_epilogue # HandlerData[]
1669 .LSEH_info_bn_mul4x_mont:
1672 .rva .Lmul4x_body,.Lmul4x_epilogue # HandlerData[]
1673 .LSEH_info_bn_sqr4x_mont:
projects / openssl.git / blob