3 # ====================================================================
4 # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
12 # This is a "teaser" code, as it can be improved in several ways...
13 # First of all non-SSE2 path should be implemented (yes, for now it
14 # performs Montgomery multiplication/convolution only on SSE2-capable
15 # CPUs such as P4, others fall down to original code). Then inner loop
16 # can be unrolled and modulo-scheduled to improve ILP and possibly
17 # moved to 128-bit XMM register bank (though it would require input
18 # rearrangement and/or increase bus bandwidth utilization). Dedicated
19 # squaring procedure should give further performance improvement...
20 # Yet, for being draft, the code improves rsa512 *sign* benchmark by
21 # 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-)
25 # Modulo-scheduling SSE2 loops results in further 15-20% improvement.
26 # Integer-only code [being equipped with dedicated squaring procedure]
27 # gives ~40% on rsa512 sign benchmark...
29 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
30 push(@INC,"${dir}","${dir}../../perlasm");
33 &asm_init($ARGV[0],$0);
36 for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
38 &external_label("OPENSSL_ia32cap_P") if ($sse2);
40 &function_begin("bn_mul_mont");
44 $ap="esi"; $tp="esi"; # overlapping variables!!!
45 $rp="edi"; $bp="edi"; # overlapping variables!!!
49 $_num=&DWP(4*0,"esp"); # stack top layout
54 $_n0=&DWP(4*5,"esp"); $_n0q=&QWP(4*5,"esp");
56 $_bpend=&DWP(4*7,"esp");
57 $frame=32; # size of above frame rounded up to 16n
60 &mov ("edi",&wparam(5)); # int num
62 &jl (&label("just_leave"));
64 &lea ("esi",&wparam(0)); # put aside pointer to argument block
65 &lea ("edx",&wparam(1)); # load ap
66 &add ("edi",2); # extra two words on top of tp
68 &lea ("ebp",&DWP(-$frame,"esp","edi",4)); # future alloca($frame+4*(num+2))
71 # minimize cache contention by arraning 2K window between stack
72 # pointer and ap argument [np is also position sensitive vector,
73 # but it's assumed to be near ap, as it's allocated at ~same
78 &sub ("ebp","eax"); # this aligns sp and ap modulo 2048
83 &sub ("ebp","edx"); # this splits them apart modulo 4096
85 &and ("ebp",-64); # align to cache line
87 # Some OSes, *cough*-dows, insist on stack being "wired" to
88 # physical memory in strictly sequential manner, i.e. if stack
89 # allocation spans two pages, then reference to farmost one can
90 # be punishable by SEGV. But page walking can do good even on
91 # other OSes, because it guarantees that villain thread hits
92 # the guard page before it can make damage to innocent one...
96 &mov ("edx","esp"); # saved stack pointer!
97 &lea ("esp",&DWP(0,"ebp","eax"));
98 &mov ("eax",&DWP(0,"esp"));
100 &ja (&label("page_walk"));
101 &jmp (&label("page_walk_done"));
103 &set_label("page_walk",16);
104 &lea ("esp",&DWP(-4096,"esp"));
105 &mov ("eax",&DWP(0,"esp"));
107 &ja (&label("page_walk"));
108 &set_label("page_walk_done");
110 ################################# load argument block...
111 &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
112 &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
113 &mov ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp
114 &mov ("ebp",&DWP(3*4,"esi"));# const BN_ULONG *np
115 &mov ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0
116 #&mov ("edi",&DWP(5*4,"esi"));# int num
118 &mov ("esi",&DWP(0,"esi")); # pull n0[0]
119 &mov ($_rp,"eax"); # ... save a copy of argument block
124 &lea ($num,&DWP(-3,"edi")); # num=num-1 to assist modulo-scheduling
125 #&mov ($_num,$num); # redundant as $num is not reused
126 &mov ($_sp,"edx"); # saved stack pointer!
129 $acc0="mm0"; # mmx register bank layout
138 &picmeup("eax","OPENSSL_ia32cap_P");
139 &bt (&DWP(0,"eax"),26);
140 &jnc (&label("non_sse2"));
143 &movd ($mask,"eax"); # mask 32 lower bits
145 &mov ($ap,$_ap); # load input pointers
152 &movd ($mul0,&DWP(0,$bp)); # bp[0]
153 &movd ($mul1,&DWP(0,$ap)); # ap[0]
154 &movd ($car1,&DWP(0,$np)); # np[0]
156 &pmuludq($mul1,$mul0); # ap[0]*bp[0]
158 &movq ($acc0,$mul1); # I wish movd worked for
159 &pand ($acc0,$mask); # inter-register transfers
161 &pmuludq($mul1,$_n0q); # *=n0
163 &pmuludq($car1,$mul1); # "t[0]"*np[0]*n0
164 &paddq ($car1,$acc0);
166 &movd ($acc1,&DWP(4,$np)); # np[1]
167 &movd ($acc0,&DWP(4,$ap)); # ap[1]
173 &set_label("1st",16);
174 &pmuludq($acc0,$mul0); # ap[j]*bp[0]
175 &pmuludq($acc1,$mul1); # np[j]*m1
176 &paddq ($car0,$acc0); # +=c0
177 &paddq ($car1,$acc1); # +=c1
181 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
182 &paddq ($car1,$acc0); # +=ap[j]*bp[0];
183 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
185 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[j-1]=
188 &lea ($j,&DWP(1,$j));
192 &pmuludq($acc0,$mul0); # ap[num-1]*bp[0]
193 &pmuludq($acc1,$mul1); # np[num-1]*m1
194 &paddq ($car0,$acc0); # +=c0
195 &paddq ($car1,$acc1); # +=c1
199 &paddq ($car1,$acc0); # +=ap[num-1]*bp[0];
200 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
205 &paddq ($car1,$car0);
206 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
212 &movd ($mul0,&DWP(0,$bp,$i,4)); # bp[i]
213 &movd ($mul1,&DWP(0,$ap)); # ap[0]
214 &movd ($temp,&DWP($frame,"esp")); # tp[0]
215 &movd ($car1,&DWP(0,$np)); # np[0]
216 &pmuludq($mul1,$mul0); # ap[0]*bp[i]
218 &paddq ($mul1,$temp); # +=tp[0]
223 &pmuludq($mul1,$_n0q); # *=n0
225 &pmuludq($car1,$mul1);
226 &paddq ($car1,$acc0);
228 &movd ($temp,&DWP($frame+4,"esp")); # tp[1]
229 &movd ($acc1,&DWP(4,$np)); # np[1]
230 &movd ($acc0,&DWP(4,$ap)); # ap[1]
234 &paddq ($car0,$temp); # +=tp[1]
239 &pmuludq($acc0,$mul0); # ap[j]*bp[i]
240 &pmuludq($acc1,$mul1); # np[j]*m1
241 &paddq ($car0,$acc0); # +=c0
242 &paddq ($car1,$acc1); # +=c1
245 &movd ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1]
247 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
248 &paddq ($car1,$acc0); # +=ap[j]*bp[i]+tp[j]
249 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
251 &movd (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]=
253 &paddq ($car0,$temp); # +=tp[j+1]
256 &lea ($j,&DWP(1,$j)); # j++
257 &jnz (&label("inner"));
260 &pmuludq($acc0,$mul0); # ap[num-1]*bp[i]
261 &pmuludq($acc1,$mul1); # np[num-1]*m1
262 &paddq ($car0,$acc0); # +=c0
263 &paddq ($car1,$acc1); # +=c1
267 &paddq ($car1,$acc0); # +=ap[num-1]*bp[i]+tp[num-1]
268 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
272 &movd ($temp,&DWP($frame+4,"esp",$num,4)); # += tp[num]
273 &paddq ($car1,$car0);
274 &paddq ($car1,$temp);
275 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
277 &lea ($i,&DWP(1,$i)); # i++
279 &jle (&label("outer"));
281 &emms (); # done with mmx bank
282 &jmp (&label("common_tail"));
284 &set_label("non_sse2",16);
289 &xor ("eax","eax"); # signal "not fast enough [yet]"
290 &jmp (&label("just_leave"));
291 # While the below code provides competitive performance for
292 # all key lengthes on modern Intel cores, it's still more
293 # than 10% slower for 4096-bit key elsewhere:-( "Competitive"
294 # means compared to the original integer-only assembler.
295 # 512-bit RSA sign is better by ~40%, but that's about all
296 # one can say about all CPUs...
298 $inp="esi"; # integer path uses these registers differently
303 &lea ($carry,&DWP(1,$num));
307 &and ($carry,1); # see if num is even
308 &sub ("edx",$word); # see if ap==bp
309 &lea ("eax",&DWP(4,$word,$num,4)); # &bp[num]
311 &mov ($word,&DWP(0,$word)); # bp[0]
312 &jz (&label("bn_sqr_mont"));
313 &mov ($_bpend,"eax");
314 &mov ("eax",&DWP(0,$inp));
317 &set_label("mull",16);
319 &mul ($word); # ap[j]*bp[0]
321 &lea ($j,&DWP(1,$j));
323 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
325 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
326 &jl (&label("mull"));
329 &mul ($word); # ap[num-1]*bp[0]
334 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
336 &mov (&DWP($frame,"esp",$num,4),"eax"); # tp[num-1]=
338 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
339 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
341 &mov ("eax",&DWP(0,$inp)); # np[0]
342 &mul ($word); # np[0]*m
343 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
344 &mov ("eax",&DWP(4,$inp)); # np[1]
348 &jmp (&label("2ndmadd"));
350 &set_label("1stmadd",16);
352 &mul ($word); # ap[j]*bp[i]
353 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
354 &lea ($j,&DWP(1,$j));
357 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
360 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
361 &jl (&label("1stmadd"));
364 &mul ($word); # ap[num-1]*bp[i]
365 &add ("eax",&DWP($frame,"esp",$num,4)); # +=tp[num-1]
371 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
374 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
375 &mov (&DWP($frame,"esp",$num,4),$carry); # tp[num-1]=
377 &mov ("eax",&DWP(0,$inp)); # np[0]
378 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
379 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
381 &mul ($word); # np[0]*m
382 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
383 &mov ("eax",&DWP(4,$inp)); # np[1]
387 &set_label("2ndmadd",16);
389 &mul ($word); # np[j]*m
390 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
391 &lea ($j,&DWP(1,$j));
394 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+1]
397 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j-1]=
398 &jl (&label("2ndmadd"));
401 &mul ($word); # np[j]*m
402 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
406 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
409 &mov ($j,$_bp); # &bp[i]
410 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
411 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
412 &lea ($j,&DWP(4,$j));
413 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
415 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
416 &je (&label("common_tail"));
418 &mov ($word,&DWP(0,$j)); # bp[i+1]
420 &mov ($_bp,$j); # &bp[++i]
423 &mov ("eax",&DWP(0,$inp));
424 &jmp (&label("1stmadd"));
426 &set_label("bn_sqr_mont",16);
429 &mov ($_bp,$j); # i=0
431 &mov ("eax",$word); # ap[0]
432 &mul ($word); # ap[0]*ap[0]
433 &mov (&DWP($frame,"esp"),"eax"); # tp[0]=
438 &set_label("sqr",16);
439 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
441 &mul ($word); # ap[j]*ap[0]
443 &lea ($j,&DWP(1,$j));
445 &lea ($carry,&DWP(0,$sbit,"eax",2));
449 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
452 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[num-1]
454 &mul ($word); # ap[num-1]*ap[0]
459 &lea ($carry,&DWP(0,$sbit,"eax",2));
460 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
462 &mov (&DWP($frame,"esp",$j,4),$carry); # tp[num-1]=
464 &lea ($carry,&DWP(0,"eax","edx",2));
465 &mov ("eax",&DWP(0,$inp)); # np[0]
467 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num]=
468 &mov (&DWP($frame+8,"esp",$j,4),"edx"); # tp[num+1]=
470 &mul ($word); # np[0]*m
471 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
474 &mov ("eax",&DWP(4,$inp)); # np[1]
477 &set_label("3rdmadd",16);
479 &mul ($word); # np[j]*m
480 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
483 &mov ("eax",&DWP(4,$inp,$j,4)); # np[j+1]
485 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j-1]=
488 &mul ($word); # np[j+1]*m
489 &add ($carry,&DWP($frame+4,"esp",$j,4)); # +=tp[j+1]
490 &lea ($j,&DWP(2,$j));
493 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+2]
496 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j]=
497 &jl (&label("3rdmadd"));
500 &mul ($word); # np[j]*m
501 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
505 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
510 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
511 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
512 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
514 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
515 &je (&label("common_tail"));
517 &mov ($word,&DWP(4,$inp,$j,4)); # ap[i]
518 &lea ($j,&DWP(1,$j));
520 &mov ($_bp,$j); # ++i
521 &mul ($word); # ap[i]*ap[i]
522 &add ("eax",&DWP($frame,"esp",$j,4)); # +=tp[i]
524 &mov (&DWP($frame,"esp",$j,4),"eax"); # tp[i]=
525 &xor ($carry,$carry);
527 &lea ($j,&DWP(1,$j));
528 &je (&label("sqrlast"));
530 &mov ($sbit,"edx"); # zaps $num
533 &set_label("sqradd",16);
534 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
536 &mul ($word); # ap[j]*ap[i]
538 &lea ($carry,&DWP(0,"eax","eax"));
541 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
542 &lea ($j,&DWP(1,$j));
547 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
549 &jle (&label("sqradd"));
556 &set_label("sqrlast");
559 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
561 &add ("edx",&DWP($frame,"esp",$j,4)); # +=tp[num]
562 &mov ("eax",&DWP(0,$inp)); # np[0]
564 &mov (&DWP($frame,"esp",$j,4),"edx"); # tp[num]=
565 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num+1]=
567 &mul ($word); # np[0]*m
568 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
569 &lea ($num,&DWP(-1,$j));
572 &mov ("eax",&DWP(4,$inp)); # np[1]
574 &jmp (&label("3rdmadd"));
577 &set_label("common_tail",16);
578 &mov ($np,$_np); # load modulus pointer
579 &mov ($rp,$_rp); # load result pointer
580 &lea ($tp,&DWP($frame,"esp")); # [$ap and $bp are zapped]
582 &mov ("eax",&DWP(0,$tp)); # tp[0]
583 &mov ($j,$num); # j=num-1
584 &xor ($i,$i); # i=0 and clear CF!
586 &set_label("sub",16);
587 &sbb ("eax",&DWP(0,$np,$i,4));
588 &mov (&DWP(0,$rp,$i,4),"eax"); # rp[i]=tp[i]-np[i]
589 &dec ($j); # doesn't affect CF!
590 &mov ("eax",&DWP(4,$tp,$i,4)); # tp[i+1]
591 &lea ($i,&DWP(1,$i)); # i++
592 &jge (&label("sub"));
594 &sbb ("eax",0); # handle upmost overflow bit
599 &or ($tp,$np); # tp=carry?tp:rp
601 &set_label("copy",16); # copy or in-place refresh
602 &mov ("eax",&DWP(0,$tp,$num,4));
603 &mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i]
604 &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
606 &jge (&label("copy"));
608 &mov ("esp",$_sp); # pull saved stack pointer
610 &set_label("just_leave");
611 &function_end("bn_mul_mont");
613 &asciz("Montgomery Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>");
projects / openssl.git / blob