2 # Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
21 # Performance in cycles per byte out of large buffer.
23 # IALU/gcc-4.9 3xNEON+1xIALU 6xNEON+2xIALU
25 # Apple A7 5.50/+49% 3.33 1.70
26 # Cortex-A53 8.40/+80% 4.72 4.72(*)
27 # Cortex-A57 8.06/+43% 4.90 4.43(**)
28 # Denver 4.50/+82% 2.63 2.67(*)
29 # X-Gene 9.50/+46% 8.82 8.89(*)
30 # Mongoose 8.00/+44% 3.64 3.25
31 # Kryo 8.17/+50% 4.83 4.65
33 # (*) it's expected that doubling interleave factor doesn't help
34 # all processors, only those with higher NEON latency and
35 # higher instruction issue rate;
36 # (**) expected improvement was actually higher;
41 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
42 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
43 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
44 die "can't locate arm-xlate.pl";
46 open OUT,"| \"$^X\" $xlate $flavour $output";
49 sub AUTOLOAD() # thunk [simplified] x86-style perlasm
50 { my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
52 $arg = "#$arg" if ($arg*1 eq $arg);
53 $code .= "\t$opcode\t".join(',',@_,$arg)."\n";
56 my ($out,$inp,$len,$key,$ctr) = map("x$_",(0..4));
58 my @x=map("x$_",(5..17,19..21));
59 my @d=map("x$_",(22..28,30));
62 my ($a0,$b0,$c0,$d0)=@_;
63 my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
64 my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
65 my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
68 "&add_32 (@x[$a0],@x[$a0],@x[$b0])",
69 "&add_32 (@x[$a1],@x[$a1],@x[$b1])",
70 "&add_32 (@x[$a2],@x[$a2],@x[$b2])",
71 "&add_32 (@x[$a3],@x[$a3],@x[$b3])",
72 "&eor_32 (@x[$d0],@x[$d0],@x[$a0])",
73 "&eor_32 (@x[$d1],@x[$d1],@x[$a1])",
74 "&eor_32 (@x[$d2],@x[$d2],@x[$a2])",
75 "&eor_32 (@x[$d3],@x[$d3],@x[$a3])",
76 "&ror_32 (@x[$d0],@x[$d0],16)",
77 "&ror_32 (@x[$d1],@x[$d1],16)",
78 "&ror_32 (@x[$d2],@x[$d2],16)",
79 "&ror_32 (@x[$d3],@x[$d3],16)",
81 "&add_32 (@x[$c0],@x[$c0],@x[$d0])",
82 "&add_32 (@x[$c1],@x[$c1],@x[$d1])",
83 "&add_32 (@x[$c2],@x[$c2],@x[$d2])",
84 "&add_32 (@x[$c3],@x[$c3],@x[$d3])",
85 "&eor_32 (@x[$b0],@x[$b0],@x[$c0])",
86 "&eor_32 (@x[$b1],@x[$b1],@x[$c1])",
87 "&eor_32 (@x[$b2],@x[$b2],@x[$c2])",
88 "&eor_32 (@x[$b3],@x[$b3],@x[$c3])",
89 "&ror_32 (@x[$b0],@x[$b0],20)",
90 "&ror_32 (@x[$b1],@x[$b1],20)",
91 "&ror_32 (@x[$b2],@x[$b2],20)",
92 "&ror_32 (@x[$b3],@x[$b3],20)",
94 "&add_32 (@x[$a0],@x[$a0],@x[$b0])",
95 "&add_32 (@x[$a1],@x[$a1],@x[$b1])",
96 "&add_32 (@x[$a2],@x[$a2],@x[$b2])",
97 "&add_32 (@x[$a3],@x[$a3],@x[$b3])",
98 "&eor_32 (@x[$d0],@x[$d0],@x[$a0])",
99 "&eor_32 (@x[$d1],@x[$d1],@x[$a1])",
100 "&eor_32 (@x[$d2],@x[$d2],@x[$a2])",
101 "&eor_32 (@x[$d3],@x[$d3],@x[$a3])",
102 "&ror_32 (@x[$d0],@x[$d0],24)",
103 "&ror_32 (@x[$d1],@x[$d1],24)",
104 "&ror_32 (@x[$d2],@x[$d2],24)",
105 "&ror_32 (@x[$d3],@x[$d3],24)",
107 "&add_32 (@x[$c0],@x[$c0],@x[$d0])",
108 "&add_32 (@x[$c1],@x[$c1],@x[$d1])",
109 "&add_32 (@x[$c2],@x[$c2],@x[$d2])",
110 "&add_32 (@x[$c3],@x[$c3],@x[$d3])",
111 "&eor_32 (@x[$b0],@x[$b0],@x[$c0])",
112 "&eor_32 (@x[$b1],@x[$b1],@x[$c1])",
113 "&eor_32 (@x[$b2],@x[$b2],@x[$c2])",
114 "&eor_32 (@x[$b3],@x[$b3],@x[$c3])",
115 "&ror_32 (@x[$b0],@x[$b0],25)",
116 "&ror_32 (@x[$b1],@x[$b1],25)",
117 "&ror_32 (@x[$b2],@x[$b2],25)",
118 "&ror_32 (@x[$b3],@x[$b3],25)"
123 #include "arm_arch.h"
127 .extern OPENSSL_armcap_P
131 .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral
134 .asciz "ChaCha20 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
136 .globl ChaCha20_ctr32
137 .type ChaCha20_ctr32,%function
144 adrp x17,OPENSSL_armcap_P
145 ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
150 .inst 0xd503233f // paciasp
151 stp x29,x30,[sp,#-96]!
162 ldp @d[0],@d[1],[@x[0]] // load sigma
163 ldp @d[2],@d[3],[$key] // load key
164 ldp @d[4],@d[5],[$key,#16]
165 ldp @d[6],@d[7],[$ctr] // load counter
176 mov.32 @x[0],@d[0] // unpack key block
198 foreach (&ROUND(0, 4, 8,12)) { eval; }
199 foreach (&ROUND(0, 5,10,15)) { eval; }
203 add.32 @x[0],@x[0],@d[0] // accumulate key block
204 add @x[1],@x[1],@d[0],lsr#32
205 add.32 @x[2],@x[2],@d[1]
206 add @x[3],@x[3],@d[1],lsr#32
207 add.32 @x[4],@x[4],@d[2]
208 add @x[5],@x[5],@d[2],lsr#32
209 add.32 @x[6],@x[6],@d[3]
210 add @x[7],@x[7],@d[3],lsr#32
211 add.32 @x[8],@x[8],@d[4]
212 add @x[9],@x[9],@d[4],lsr#32
213 add.32 @x[10],@x[10],@d[5]
214 add @x[11],@x[11],@d[5],lsr#32
215 add.32 @x[12],@x[12],@d[6]
216 add @x[13],@x[13],@d[6],lsr#32
217 add.32 @x[14],@x[14],@d[7]
218 add @x[15],@x[15],@d[7],lsr#32
222 add @x[0],@x[0],@x[1],lsl#32 // pack
223 add @x[2],@x[2],@x[3],lsl#32
224 ldp @x[1],@x[3],[$inp,#0] // load input
225 add @x[4],@x[4],@x[5],lsl#32
226 add @x[6],@x[6],@x[7],lsl#32
227 ldp @x[5],@x[7],[$inp,#16]
228 add @x[8],@x[8],@x[9],lsl#32
229 add @x[10],@x[10],@x[11],lsl#32
230 ldp @x[9],@x[11],[$inp,#32]
231 add @x[12],@x[12],@x[13],lsl#32
232 add @x[14],@x[14],@x[15],lsl#32
233 ldp @x[13],@x[15],[$inp,#48]
245 eor @x[0],@x[0],@x[1]
246 eor @x[2],@x[2],@x[3]
247 eor @x[4],@x[4],@x[5]
248 eor @x[6],@x[6],@x[7]
249 eor @x[8],@x[8],@x[9]
250 eor @x[10],@x[10],@x[11]
251 eor @x[12],@x[12],@x[13]
252 eor @x[14],@x[14],@x[15]
254 stp @x[0],@x[2],[$out,#0] // store output
255 add @d[6],@d[6],#1 // increment counter
256 stp @x[4],@x[6],[$out,#16]
257 stp @x[8],@x[10],[$out,#32]
258 stp @x[12],@x[14],[$out,#48]
263 ldp x19,x20,[x29,#16]
265 ldp x21,x22,[x29,#32]
266 ldp x23,x24,[x29,#48]
267 ldp x25,x26,[x29,#64]
268 ldp x27,x28,[x29,#80]
270 .inst 0xd50323bf // autiasp
284 add @x[0],@x[0],@x[1],lsl#32 // pack
285 add @x[2],@x[2],@x[3],lsl#32
286 add @x[4],@x[4],@x[5],lsl#32
287 add @x[6],@x[6],@x[7],lsl#32
288 add @x[8],@x[8],@x[9],lsl#32
289 add @x[10],@x[10],@x[11],lsl#32
290 add @x[12],@x[12],@x[13],lsl#32
291 add @x[14],@x[14],@x[15],lsl#32
302 stp @x[0],@x[2],[sp,#0]
303 stp @x[4],@x[6],[sp,#16]
304 stp @x[8],@x[10],[sp,#32]
305 stp @x[12],@x[14],[sp,#48]
320 ldp x19,x20,[x29,#16]
322 ldp x21,x22,[x29,#32]
323 ldp x23,x24,[x29,#48]
324 ldp x25,x26,[x29,#64]
325 ldp x27,x28,[x29,#80]
327 .inst 0xd50323bf // autiasp
329 .size ChaCha20_ctr32,.-ChaCha20_ctr32
333 my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,$T0,$T1,$T2,$T3) =
334 map("v$_.4s",(0..7,16..23));
335 my (@K)=map("v$_.4s",(24..30));
340 my ($a,$b,$c,$d,$t)=@_;
343 "&add ('$a','$a','$b')",
344 "&eor ('$d','$d','$a')",
345 "&rev32_16 ('$d','$d')", # vrot ($d,16)
347 "&add ('$c','$c','$d')",
348 "&eor ('$t','$b','$c')",
349 "&ushr ('$b','$t',20)",
350 "&sli ('$b','$t',12)",
352 "&add ('$a','$a','$b')",
353 "&eor ('$t','$d','$a')",
354 "&ushr ('$d','$t',24)",
355 "&sli ('$d','$t',8)",
357 "&add ('$c','$c','$d')",
358 "&eor ('$t','$b','$c')",
359 "&ushr ('$b','$t',25)",
360 "&sli ('$b','$t',7)",
362 "&ext ('$c','$c','$c',8)",
363 "&ext ('$d','$d','$d',$odd?4:12)",
364 "&ext ('$b','$b','$b',$odd?12:4)"
370 .type ChaCha20_neon,%function
374 .inst 0xd503233f // paciasp
375 stp x29,x30,[sp,#-96]!
385 b.hs .L512_or_more_neon
389 ldp @d[0],@d[1],[@x[0]] // load sigma
390 ld1 {@K[0]},[@x[0]],#16
391 ldp @d[2],@d[3],[$key] // load key
392 ldp @d[4],@d[5],[$key,#16]
393 ld1 {@K[1],@K[2]},[$key]
394 ldp @d[6],@d[7],[$ctr] // load counter
406 add @K[3],@K[3],$ONE // += 1
409 shl $ONE,$ONE,#2 // 1 -> 4
412 mov.32 @x[0],@d[0] // unpack key block
446 my @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0);
447 my @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0);
448 my @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0);
449 my @thread3=&ROUND(0,4,8,12);
452 eval; eval(shift(@thread3));
453 eval(shift(@thread1)); eval(shift(@thread3));
454 eval(shift(@thread2)); eval(shift(@thread3));
457 @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1);
458 @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1);
459 @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1);
460 @thread3=&ROUND(0,5,10,15);
463 eval; eval(shift(@thread3));
464 eval(shift(@thread1)); eval(shift(@thread3));
465 eval(shift(@thread2)); eval(shift(@thread3));
470 add.32 @x[0],@x[0],@d[0] // accumulate key block
472 add @x[1],@x[1],@d[0],lsr#32
474 add.32 @x[2],@x[2],@d[1]
476 add @x[3],@x[3],@d[1],lsr#32
478 add.32 @x[4],@x[4],@d[2]
480 add @x[5],@x[5],@d[2],lsr#32
482 add.32 @x[6],@x[6],@d[3]
484 add @x[7],@x[7],@d[3],lsr#32
485 add.32 @x[8],@x[8],@d[4]
487 add @x[9],@x[9],@d[4],lsr#32
488 add.32 @x[10],@x[10],@d[5]
490 add @x[11],@x[11],@d[5],lsr#32
491 add.32 @x[12],@x[12],@d[6]
493 add @x[13],@x[13],@d[6],lsr#32
494 add.32 @x[14],@x[14],@d[7]
496 add @x[15],@x[15],@d[7],lsr#32
501 add @x[0],@x[0],@x[1],lsl#32 // pack
502 add @x[2],@x[2],@x[3],lsl#32
503 ldp @x[1],@x[3],[$inp,#0] // load input
504 add @x[4],@x[4],@x[5],lsl#32
505 add @x[6],@x[6],@x[7],lsl#32
506 ldp @x[5],@x[7],[$inp,#16]
507 add @x[8],@x[8],@x[9],lsl#32
508 add @x[10],@x[10],@x[11],lsl#32
509 ldp @x[9],@x[11],[$inp,#32]
510 add @x[12],@x[12],@x[13],lsl#32
511 add @x[14],@x[14],@x[15],lsl#32
512 ldp @x[13],@x[15],[$inp,#48]
524 ld1.8 {$T0-$T3},[$inp],#64
525 eor @x[0],@x[0],@x[1]
526 eor @x[2],@x[2],@x[3]
527 eor @x[4],@x[4],@x[5]
528 eor @x[6],@x[6],@x[7]
529 eor @x[8],@x[8],@x[9]
531 eor @x[10],@x[10],@x[11]
533 eor @x[12],@x[12],@x[13]
535 eor @x[14],@x[14],@x[15]
537 ld1.8 {$T0-$T3},[$inp],#64
539 stp @x[0],@x[2],[$out,#0] // store output
540 add @d[6],@d[6],#4 // increment counter
541 stp @x[4],@x[6],[$out,#16]
542 add @K[3],@K[3],$ONE // += 4
543 stp @x[8],@x[10],[$out,#32]
545 stp @x[12],@x[14],[$out,#48]
549 st1.8 {$A0-$D0},[$out],#64
550 ld1.8 {$A0-$D0},[$inp],#64
556 st1.8 {$A1-$D1},[$out],#64
562 st1.8 {$A2-$D2},[$out],#64
564 b.hi .Loop_outer_neon
566 ldp x19,x20,[x29,#16]
568 ldp x21,x22,[x29,#32]
569 ldp x23,x24,[x29,#48]
570 ldp x25,x26,[x29,#64]
571 ldp x27,x28,[x29,#80]
573 .inst 0xd50323bf // autiasp
581 add @x[0],@x[0],@x[1],lsl#32 // pack
582 add @x[2],@x[2],@x[3],lsl#32
583 ldp @x[1],@x[3],[$inp,#0] // load input
584 add @x[4],@x[4],@x[5],lsl#32
585 add @x[6],@x[6],@x[7],lsl#32
586 ldp @x[5],@x[7],[$inp,#16]
587 add @x[8],@x[8],@x[9],lsl#32
588 add @x[10],@x[10],@x[11],lsl#32
589 ldp @x[9],@x[11],[$inp,#32]
590 add @x[12],@x[12],@x[13],lsl#32
591 add @x[14],@x[14],@x[15],lsl#32
592 ldp @x[13],@x[15],[$inp,#48]
604 eor @x[0],@x[0],@x[1]
605 eor @x[2],@x[2],@x[3]
606 eor @x[4],@x[4],@x[5]
607 eor @x[6],@x[6],@x[7]
608 eor @x[8],@x[8],@x[9]
609 eor @x[10],@x[10],@x[11]
610 eor @x[12],@x[12],@x[13]
611 eor @x[14],@x[14],@x[15]
613 stp @x[0],@x[2],[$out,#0] // store output
614 add @d[6],@d[6],#4 // increment counter
615 stp @x[4],@x[6],[$out,#16]
616 stp @x[8],@x[10],[$out,#32]
617 stp @x[12],@x[14],[$out,#48]
624 ld1.8 {$T0-$T3},[$inp],#64
629 st1.8 {$A0-$D0},[$out],#64
635 ld1.8 {$T0-$T3},[$inp],#64
640 st1.8 {$A1-$D1},[$out],#64
668 cbnz $len,.Loop_tail_neon
676 ldp x19,x20,[x29,#16]
678 ldp x21,x22,[x29,#32]
679 ldp x23,x24,[x29,#48]
680 ldp x25,x26,[x29,#64]
681 ldp x27,x28,[x29,#80]
683 .inst 0xd50323bf // autiasp
685 .size ChaCha20_neon,.-ChaCha20_neon
688 my ($T0,$T1,$T2,$T3,$T4,$T5)=@K;
689 my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,
690 $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(0..23));
693 .type ChaCha20_512_neon,%function
696 .inst 0xd503233f // paciasp
697 stp x29,x30,[sp,#-96]!
710 ldp @d[0],@d[1],[@x[0]] // load sigma
711 ld1 {@K[0]},[@x[0]],#16
712 ldp @d[2],@d[3],[$key] // load key
713 ldp @d[4],@d[5],[$key,#16]
714 ld1 {@K[1],@K[2]},[$key]
715 ldp @d[6],@d[7],[$ctr] // load counter
727 add @K[3],@K[3],$ONE // += 1
728 stp @K[0],@K[1],[sp,#0] // off-load key block, invariant part
729 add @K[3],@K[3],$ONE // not typo
734 shl $ONE,$ONE,#2 // 1 -> 4
736 stp d8,d9,[sp,#128+0] // meet ABI requirements
737 stp d10,d11,[sp,#128+16]
738 stp d12,d13,[sp,#128+32]
739 stp d14,d15,[sp,#128+48]
741 sub $len,$len,#512 // not typo
743 .Loop_outer_512_neon:
751 mov.32 @x[0],@d[0] // unpack key block
774 add $D4,$D0,$ONE // +4
776 add $D5,$D1,$ONE // +4
783 stp @K[3],@K[4],[sp,#48] // off-load key block, variable part
792 my @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0);
793 my @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0);
794 my @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0);
795 my @thread3=&NEONROUND($A3,$B3,$C3,$D3,$T3,0);
796 my @thread4=&NEONROUND($A4,$B4,$C4,$D4,$T4,0);
797 my @thread5=&NEONROUND($A5,$B5,$C5,$D5,$T5,0);
798 my @thread67=(&ROUND(0,4,8,12),&ROUND(0,5,10,15));
799 my $diff = ($#thread0+1)*6 - $#thread67 - 1;
803 eval; eval(shift(@thread67));
804 eval(shift(@thread1)); eval(shift(@thread67));
805 eval(shift(@thread2)); eval(shift(@thread67));
806 eval(shift(@thread3)); eval(shift(@thread67));
807 eval(shift(@thread4)); eval(shift(@thread67));
808 eval(shift(@thread5)); eval(shift(@thread67));
811 @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1);
812 @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1);
813 @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1);
814 @thread3=&NEONROUND($A3,$B3,$C3,$D3,$T3,1);
815 @thread4=&NEONROUND($A4,$B4,$C4,$D4,$T4,1);
816 @thread5=&NEONROUND($A5,$B5,$C5,$D5,$T5,1);
817 @thread67=(&ROUND(0,4,8,12),&ROUND(0,5,10,15));
820 eval; eval(shift(@thread67));
821 eval(shift(@thread1)); eval(shift(@thread67));
822 eval(shift(@thread2)); eval(shift(@thread67));
823 eval(shift(@thread3)); eval(shift(@thread67));
824 eval(shift(@thread4)); eval(shift(@thread67));
825 eval(shift(@thread5)); eval(shift(@thread67));
828 cbnz $ctr,.Loop_upper_neon
830 add.32 @x[0],@x[0],@d[0] // accumulate key block
831 add @x[1],@x[1],@d[0],lsr#32
832 add.32 @x[2],@x[2],@d[1]
833 add @x[3],@x[3],@d[1],lsr#32
834 add.32 @x[4],@x[4],@d[2]
835 add @x[5],@x[5],@d[2],lsr#32
836 add.32 @x[6],@x[6],@d[3]
837 add @x[7],@x[7],@d[3],lsr#32
838 add.32 @x[8],@x[8],@d[4]
839 add @x[9],@x[9],@d[4],lsr#32
840 add.32 @x[10],@x[10],@d[5]
841 add @x[11],@x[11],@d[5],lsr#32
842 add.32 @x[12],@x[12],@d[6]
843 add @x[13],@x[13],@d[6],lsr#32
844 add.32 @x[14],@x[14],@d[7]
845 add @x[15],@x[15],@d[7],lsr#32
847 add @x[0],@x[0],@x[1],lsl#32 // pack
848 add @x[2],@x[2],@x[3],lsl#32
849 ldp @x[1],@x[3],[$inp,#0] // load input
850 add @x[4],@x[4],@x[5],lsl#32
851 add @x[6],@x[6],@x[7],lsl#32
852 ldp @x[5],@x[7],[$inp,#16]
853 add @x[8],@x[8],@x[9],lsl#32
854 add @x[10],@x[10],@x[11],lsl#32
855 ldp @x[9],@x[11],[$inp,#32]
856 add @x[12],@x[12],@x[13],lsl#32
857 add @x[14],@x[14],@x[15],lsl#32
858 ldp @x[13],@x[15],[$inp,#48]
870 eor @x[0],@x[0],@x[1]
871 eor @x[2],@x[2],@x[3]
872 eor @x[4],@x[4],@x[5]
873 eor @x[6],@x[6],@x[7]
874 eor @x[8],@x[8],@x[9]
875 eor @x[10],@x[10],@x[11]
876 eor @x[12],@x[12],@x[13]
877 eor @x[14],@x[14],@x[15]
879 stp @x[0],@x[2],[$out,#0] // store output
880 add @d[6],@d[6],#1 // increment counter
881 mov.32 @x[0],@d[0] // unpack key block
883 stp @x[4],@x[6],[$out,#16]
886 stp @x[8],@x[10],[$out,#32]
889 stp @x[12],@x[14],[$out,#48]
906 @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0);
907 @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0);
908 @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0);
909 @thread3=&NEONROUND($A3,$B3,$C3,$D3,$T3,0);
910 @thread4=&NEONROUND($A4,$B4,$C4,$D4,$T4,0);
911 @thread5=&NEONROUND($A5,$B5,$C5,$D5,$T5,0);
912 @thread67=(&ROUND(0,4,8,12),&ROUND(0,5,10,15));
915 eval; eval(shift(@thread67));
916 eval(shift(@thread1)); eval(shift(@thread67));
917 eval(shift(@thread2)); eval(shift(@thread67));
918 eval(shift(@thread3)); eval(shift(@thread67));
919 eval(shift(@thread4)); eval(shift(@thread67));
920 eval(shift(@thread5)); eval(shift(@thread67));
923 @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1);
924 @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1);
925 @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1);
926 @thread3=&NEONROUND($A3,$B3,$C3,$D3,$T3,1);
927 @thread4=&NEONROUND($A4,$B4,$C4,$D4,$T4,1);
928 @thread5=&NEONROUND($A5,$B5,$C5,$D5,$T5,1);
929 @thread67=(&ROUND(0,4,8,12),&ROUND(0,5,10,15));
932 eval; eval(shift(@thread67));
933 eval(shift(@thread1)); eval(shift(@thread67));
934 eval(shift(@thread2)); eval(shift(@thread67));
935 eval(shift(@thread3)); eval(shift(@thread67));
936 eval(shift(@thread4)); eval(shift(@thread67));
937 eval(shift(@thread5)); eval(shift(@thread67));
940 cbnz $ctr,.Loop_lower_neon
942 add.32 @x[0],@x[0],@d[0] // accumulate key block
943 ldp @K[0],@K[1],[sp,#0]
944 add @x[1],@x[1],@d[0],lsr#32
945 ldp @K[2],@K[3],[sp,#32]
946 add.32 @x[2],@x[2],@d[1]
947 ldp @K[4],@K[5],[sp,#64]
948 add @x[3],@x[3],@d[1],lsr#32
950 add.32 @x[4],@x[4],@d[2]
952 add @x[5],@x[5],@d[2],lsr#32
954 add.32 @x[6],@x[6],@d[3]
956 add @x[7],@x[7],@d[3],lsr#32
958 add.32 @x[8],@x[8],@d[4]
960 add @x[9],@x[9],@d[4],lsr#32
962 add.32 @x[10],@x[10],@d[5]
964 add @x[11],@x[11],@d[5],lsr#32
966 add.32 @x[12],@x[12],@d[6]
968 add @x[13],@x[13],@d[6],lsr#32
970 add.32 @x[14],@x[14],@d[7]
972 add @x[15],@x[15],@d[7],lsr#32
973 add $D4,$D4,$ONE // +4
974 add @x[0],@x[0],@x[1],lsl#32 // pack
975 add $D5,$D5,$ONE // +4
976 add @x[2],@x[2],@x[3],lsl#32
978 ldp @x[1],@x[3],[$inp,#0] // load input
980 add @x[4],@x[4],@x[5],lsl#32
982 add @x[6],@x[6],@x[7],lsl#32
984 ldp @x[5],@x[7],[$inp,#16]
986 add @x[8],@x[8],@x[9],lsl#32
988 add @x[10],@x[10],@x[11],lsl#32
990 ldp @x[9],@x[11],[$inp,#32]
992 add @x[12],@x[12],@x[13],lsl#32
994 add @x[14],@x[14],@x[15],lsl#32
996 ldp @x[13],@x[15],[$inp,#48]
1011 ld1.8 {$T0-$T3},[$inp],#64
1012 eor @x[0],@x[0],@x[1]
1013 eor @x[2],@x[2],@x[3]
1014 eor @x[4],@x[4],@x[5]
1015 eor @x[6],@x[6],@x[7]
1016 eor @x[8],@x[8],@x[9]
1018 eor @x[10],@x[10],@x[11]
1020 eor @x[12],@x[12],@x[13]
1022 eor @x[14],@x[14],@x[15]
1024 ld1.8 {$T0-$T3},[$inp],#64
1026 stp @x[0],@x[2],[$out,#0] // store output
1027 add @d[6],@d[6],#7 // increment counter
1028 stp @x[4],@x[6],[$out,#16]
1029 stp @x[8],@x[10],[$out,#32]
1030 stp @x[12],@x[14],[$out,#48]
1032 st1.8 {$A0-$D0},[$out],#64
1034 ld1.8 {$A0-$D0},[$inp],#64
1039 st1.8 {$A1-$D1},[$out],#64
1041 ld1.8 {$A1-$D1},[$inp],#64
1043 ldp @K[0],@K[1],[sp,#0]
1045 ldp @K[2],@K[3],[sp,#32]
1048 st1.8 {$A2-$D2},[$out],#64
1050 ld1.8 {$A2-$D2},[$inp],#64
1055 st1.8 {$A3-$D3},[$out],#64
1057 ld1.8 {$A3-$D3},[$inp],#64
1062 st1.8 {$A4-$D4},[$out],#64
1064 shl $A0,$ONE,#1 // 4 -> 8
1069 st1.8 {$A5-$D5},[$out],#64
1071 add @K[3],@K[3],$A0 // += 8
1076 b.hs .Loop_outer_512_neon
1079 ushr $A0,$ONE,#2 // 4 -> 1
1081 ldp d8,d9,[sp,#128+0] // meet ABI requirements
1082 ldp d10,d11,[sp,#128+16]
1083 ldp d12,d13,[sp,#128+32]
1084 ldp d14,d15,[sp,#128+48]
1086 stp @K[0],$ONE,[sp,#0] // wipe off-load area
1087 stp @K[0],$ONE,[sp,#32]
1088 stp @K[0],$ONE,[sp,#64]
1090 b.eq .Ldone_512_neon
1093 sub @K[3],@K[3],$A0 // -= 1
1097 b.hs .Loop_outer_neon
1099 eor @K[1],@K[1],@K[1]
1100 eor @K[2],@K[2],@K[2]
1101 eor @K[3],@K[3],@K[3]
1102 eor @K[4],@K[4],@K[4]
1103 eor @K[5],@K[5],@K[5]
1104 eor @K[6],@K[6],@K[6]
1108 ldp x19,x20,[x29,#16]
1110 ldp x21,x22,[x29,#32]
1111 ldp x23,x24,[x29,#48]
1112 ldp x25,x26,[x29,#64]
1113 ldp x27,x28,[x29,#80]
1114 ldp x29,x30,[sp],#96
1115 .inst 0xd50323bf // autiasp
1117 .size ChaCha20_512_neon,.-ChaCha20_512_neon
1122 foreach (split("\n",$code)) {
1123 s/\`([^\`]*)\`/eval $1/geo;
1125 (s/\b([a-z]+)\.32\b/$1/ and (s/x([0-9]+)/w$1/g or 1)) or
1126 (m/\b(eor|ext|mov)\b/ and (s/\.4s/\.16b/g or 1)) or
1127 (s/\b((?:ld|st)1)\.8\b/$1/ and (s/\.4s/\.16b/g or 1)) or
1128 (m/\b(ld|st)[rp]\b/ and (s/v([0-9]+)\.4s/q$1/g or 1)) or
1129 (s/\brev32\.16\b/rev32/ and (s/\.4s/\.8h/g or 1));
1131 #s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo;
1135 close STDOUT; # flush
projects / openssl.git / blob