2 # Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
19 # This is a "teaser" code, as it can be improved in several ways...
20 # First of all non-SSE2 path should be implemented (yes, for now it
21 # performs Montgomery multiplication/convolution only on SSE2-capable
22 # CPUs such as P4, others fall down to original code). Then inner loop
23 # can be unrolled and modulo-scheduled to improve ILP and possibly
24 # moved to 128-bit XMM register bank (though it would require input
25 # rearrangement and/or increase bus bandwidth utilization). Dedicated
26 # squaring procedure should give further performance improvement...
27 # Yet, for being draft, the code improves rsa512 *sign* benchmark by
28 # 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-)
32 # Modulo-scheduling SSE2 loops results in further 15-20% improvement.
33 # Integer-only code [being equipped with dedicated squaring procedure]
34 # gives ~40% on rsa512 sign benchmark...
36 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
37 push(@INC,"${dir}","${dir}../../perlasm");
40 $output = pop and open STDOUT,">$output";
45 for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
47 &external_label("OPENSSL_ia32cap_P") if ($sse2);
49 &function_begin("bn_mul_mont");
53 $ap="esi"; $tp="esi"; # overlapping variables!!!
54 $rp="edi"; $bp="edi"; # overlapping variables!!!
58 $_num=&DWP(4*0,"esp"); # stack top layout
63 $_n0=&DWP(4*5,"esp"); $_n0q=&QWP(4*5,"esp");
65 $_bpend=&DWP(4*7,"esp");
66 $frame=32; # size of above frame rounded up to 16n
69 &mov ("edi",&wparam(5)); # int num
71 &jl (&label("just_leave"));
73 &lea ("esi",&wparam(0)); # put aside pointer to argument block
74 &lea ("edx",&wparam(1)); # load ap
75 &add ("edi",2); # extra two words on top of tp
77 &lea ("ebp",&DWP(-$frame,"esp","edi",4)); # future alloca($frame+4*(num+2))
80 # minimize cache contention by arranging 2K window between stack
81 # pointer and ap argument [np is also position sensitive vector,
82 # but it's assumed to be near ap, as it's allocated at ~same
87 &sub ("ebp","eax"); # this aligns sp and ap modulo 2048
92 &sub ("ebp","edx"); # this splits them apart modulo 4096
94 &and ("ebp",-64); # align to cache line
96 # An OS-agnostic version of __chkstk.
98 # Some OSes (Windows) insist on stack being "wired" to
99 # physical memory in strictly sequential manner, i.e. if stack
100 # allocation spans two pages, then reference to farmost one can
101 # be punishable by SEGV. But page walking can do good even on
102 # other OSes, because it guarantees that villain thread hits
103 # the guard page before it can make damage to innocent one...
107 &mov ("edx","esp"); # saved stack pointer!
108 &lea ("esp",&DWP(0,"ebp","eax"));
109 &mov ("eax",&DWP(0,"esp"));
111 &ja (&label("page_walk"));
112 &jmp (&label("page_walk_done"));
114 &set_label("page_walk",16);
115 &lea ("esp",&DWP(-4096,"esp"));
116 &mov ("eax",&DWP(0,"esp"));
118 &ja (&label("page_walk"));
119 &set_label("page_walk_done");
121 ################################# load argument block...
122 &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
123 &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
124 &mov ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp
125 &mov ("ebp",&DWP(3*4,"esi"));# const BN_ULONG *np
126 &mov ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0
127 #&mov ("edi",&DWP(5*4,"esi"));# int num
129 &mov ("esi",&DWP(0,"esi")); # pull n0[0]
130 &mov ($_rp,"eax"); # ... save a copy of argument block
135 &lea ($num,&DWP(-3,"edi")); # num=num-1 to assist modulo-scheduling
136 #&mov ($_num,$num); # redundant as $num is not reused
137 &mov ($_sp,"edx"); # saved stack pointer!
140 $acc0="mm0"; # mmx register bank layout
149 &picmeup("eax","OPENSSL_ia32cap_P");
150 &bt (&DWP(0,"eax"),26);
151 &jnc (&label("non_sse2"));
154 &movd ($mask,"eax"); # mask 32 lower bits
156 &mov ($ap,$_ap); # load input pointers
163 &movd ($mul0,&DWP(0,$bp)); # bp[0]
164 &movd ($mul1,&DWP(0,$ap)); # ap[0]
165 &movd ($car1,&DWP(0,$np)); # np[0]
167 &pmuludq($mul1,$mul0); # ap[0]*bp[0]
169 &movq ($acc0,$mul1); # I wish movd worked for
170 &pand ($acc0,$mask); # inter-register transfers
172 &pmuludq($mul1,$_n0q); # *=n0
174 &pmuludq($car1,$mul1); # "t[0]"*np[0]*n0
175 &paddq ($car1,$acc0);
177 &movd ($acc1,&DWP(4,$np)); # np[1]
178 &movd ($acc0,&DWP(4,$ap)); # ap[1]
184 &set_label("1st",16);
185 &pmuludq($acc0,$mul0); # ap[j]*bp[0]
186 &pmuludq($acc1,$mul1); # np[j]*m1
187 &paddq ($car0,$acc0); # +=c0
188 &paddq ($car1,$acc1); # +=c1
192 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
193 &paddq ($car1,$acc0); # +=ap[j]*bp[0];
194 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
196 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[j-1]=
199 &lea ($j,&DWP(1,$j));
203 &pmuludq($acc0,$mul0); # ap[num-1]*bp[0]
204 &pmuludq($acc1,$mul1); # np[num-1]*m1
205 &paddq ($car0,$acc0); # +=c0
206 &paddq ($car1,$acc1); # +=c1
210 &paddq ($car1,$acc0); # +=ap[num-1]*bp[0];
211 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
216 &paddq ($car1,$car0);
217 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
223 &movd ($mul0,&DWP(0,$bp,$i,4)); # bp[i]
224 &movd ($mul1,&DWP(0,$ap)); # ap[0]
225 &movd ($temp,&DWP($frame,"esp")); # tp[0]
226 &movd ($car1,&DWP(0,$np)); # np[0]
227 &pmuludq($mul1,$mul0); # ap[0]*bp[i]
229 &paddq ($mul1,$temp); # +=tp[0]
234 &pmuludq($mul1,$_n0q); # *=n0
236 &pmuludq($car1,$mul1);
237 &paddq ($car1,$acc0);
239 &movd ($temp,&DWP($frame+4,"esp")); # tp[1]
240 &movd ($acc1,&DWP(4,$np)); # np[1]
241 &movd ($acc0,&DWP(4,$ap)); # ap[1]
245 &paddq ($car0,$temp); # +=tp[1]
250 &pmuludq($acc0,$mul0); # ap[j]*bp[i]
251 &pmuludq($acc1,$mul1); # np[j]*m1
252 &paddq ($car0,$acc0); # +=c0
253 &paddq ($car1,$acc1); # +=c1
256 &movd ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1]
258 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
259 &paddq ($car1,$acc0); # +=ap[j]*bp[i]+tp[j]
260 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
262 &movd (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]=
264 &paddq ($car0,$temp); # +=tp[j+1]
267 &lea ($j,&DWP(1,$j)); # j++
268 &jnz (&label("inner"));
271 &pmuludq($acc0,$mul0); # ap[num-1]*bp[i]
272 &pmuludq($acc1,$mul1); # np[num-1]*m1
273 &paddq ($car0,$acc0); # +=c0
274 &paddq ($car1,$acc1); # +=c1
278 &paddq ($car1,$acc0); # +=ap[num-1]*bp[i]+tp[num-1]
279 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
283 &movd ($temp,&DWP($frame+4,"esp",$num,4)); # += tp[num]
284 &paddq ($car1,$car0);
285 &paddq ($car1,$temp);
286 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
288 &lea ($i,&DWP(1,$i)); # i++
290 &jle (&label("outer"));
292 &emms (); # done with mmx bank
293 &jmp (&label("common_tail"));
295 &set_label("non_sse2",16);
300 &xor ("eax","eax"); # signal "not fast enough [yet]"
301 &jmp (&label("just_leave"));
302 # While the below code provides competitive performance for
303 # all key lengths on modern Intel cores, it's still more
304 # than 10% slower for 4096-bit key elsewhere:-( "Competitive"
305 # means compared to the original integer-only assembler.
306 # 512-bit RSA sign is better by ~40%, but that's about all
307 # one can say about all CPUs...
309 $inp="esi"; # integer path uses these registers differently
314 &lea ($carry,&DWP(1,$num));
318 &and ($carry,1); # see if num is even
319 &sub ("edx",$word); # see if ap==bp
320 &lea ("eax",&DWP(4,$word,$num,4)); # &bp[num]
322 &mov ($word,&DWP(0,$word)); # bp[0]
323 &jz (&label("bn_sqr_mont"));
324 &mov ($_bpend,"eax");
325 &mov ("eax",&DWP(0,$inp));
328 &set_label("mull",16);
330 &mul ($word); # ap[j]*bp[0]
332 &lea ($j,&DWP(1,$j));
334 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
336 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
337 &jl (&label("mull"));
340 &mul ($word); # ap[num-1]*bp[0]
345 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
347 &mov (&DWP($frame,"esp",$num,4),"eax"); # tp[num-1]=
349 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
350 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
352 &mov ("eax",&DWP(0,$inp)); # np[0]
353 &mul ($word); # np[0]*m
354 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
355 &mov ("eax",&DWP(4,$inp)); # np[1]
359 &jmp (&label("2ndmadd"));
361 &set_label("1stmadd",16);
363 &mul ($word); # ap[j]*bp[i]
364 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
365 &lea ($j,&DWP(1,$j));
368 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
371 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
372 &jl (&label("1stmadd"));
375 &mul ($word); # ap[num-1]*bp[i]
376 &add ("eax",&DWP($frame,"esp",$num,4)); # +=tp[num-1]
382 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
385 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
386 &mov (&DWP($frame,"esp",$num,4),$carry); # tp[num-1]=
388 &mov ("eax",&DWP(0,$inp)); # np[0]
389 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
390 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
392 &mul ($word); # np[0]*m
393 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
394 &mov ("eax",&DWP(4,$inp)); # np[1]
398 &set_label("2ndmadd",16);
400 &mul ($word); # np[j]*m
401 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
402 &lea ($j,&DWP(1,$j));
405 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+1]
408 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j-1]=
409 &jl (&label("2ndmadd"));
412 &mul ($word); # np[j]*m
413 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
417 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
420 &mov ($j,$_bp); # &bp[i]
421 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
422 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
423 &lea ($j,&DWP(4,$j));
424 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
426 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
427 &je (&label("common_tail"));
429 &mov ($word,&DWP(0,$j)); # bp[i+1]
431 &mov ($_bp,$j); # &bp[++i]
434 &mov ("eax",&DWP(0,$inp));
435 &jmp (&label("1stmadd"));
437 &set_label("bn_sqr_mont",16);
440 &mov ($_bp,$j); # i=0
442 &mov ("eax",$word); # ap[0]
443 &mul ($word); # ap[0]*ap[0]
444 &mov (&DWP($frame,"esp"),"eax"); # tp[0]=
449 &set_label("sqr",16);
450 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
452 &mul ($word); # ap[j]*ap[0]
454 &lea ($j,&DWP(1,$j));
456 &lea ($carry,&DWP(0,$sbit,"eax",2));
460 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
463 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[num-1]
465 &mul ($word); # ap[num-1]*ap[0]
470 &lea ($carry,&DWP(0,$sbit,"eax",2));
471 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
473 &mov (&DWP($frame,"esp",$j,4),$carry); # tp[num-1]=
475 &lea ($carry,&DWP(0,"eax","edx",2));
476 &mov ("eax",&DWP(0,$inp)); # np[0]
478 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num]=
479 &mov (&DWP($frame+8,"esp",$j,4),"edx"); # tp[num+1]=
481 &mul ($word); # np[0]*m
482 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
485 &mov ("eax",&DWP(4,$inp)); # np[1]
488 &set_label("3rdmadd",16);
490 &mul ($word); # np[j]*m
491 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
494 &mov ("eax",&DWP(4,$inp,$j,4)); # np[j+1]
496 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j-1]=
499 &mul ($word); # np[j+1]*m
500 &add ($carry,&DWP($frame+4,"esp",$j,4)); # +=tp[j+1]
501 &lea ($j,&DWP(2,$j));
504 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+2]
507 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j]=
508 &jl (&label("3rdmadd"));
511 &mul ($word); # np[j]*m
512 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
516 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
521 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
522 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
523 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
525 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
526 &je (&label("common_tail"));
528 &mov ($word,&DWP(4,$inp,$j,4)); # ap[i]
529 &lea ($j,&DWP(1,$j));
531 &mov ($_bp,$j); # ++i
532 &mul ($word); # ap[i]*ap[i]
533 &add ("eax",&DWP($frame,"esp",$j,4)); # +=tp[i]
535 &mov (&DWP($frame,"esp",$j,4),"eax"); # tp[i]=
536 &xor ($carry,$carry);
538 &lea ($j,&DWP(1,$j));
539 &je (&label("sqrlast"));
541 &mov ($sbit,"edx"); # zaps $num
544 &set_label("sqradd",16);
545 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
547 &mul ($word); # ap[j]*ap[i]
549 &lea ($carry,&DWP(0,"eax","eax"));
552 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
553 &lea ($j,&DWP(1,$j));
558 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
560 &jle (&label("sqradd"));
567 &set_label("sqrlast");
570 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
572 &add ("edx",&DWP($frame,"esp",$j,4)); # +=tp[num]
573 &mov ("eax",&DWP(0,$inp)); # np[0]
575 &mov (&DWP($frame,"esp",$j,4),"edx"); # tp[num]=
576 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num+1]=
578 &mul ($word); # np[0]*m
579 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
580 &lea ($num,&DWP(-1,$j));
583 &mov ("eax",&DWP(4,$inp)); # np[1]
585 &jmp (&label("3rdmadd"));
588 &set_label("common_tail",16);
589 &mov ($np,$_np); # load modulus pointer
590 &mov ($rp,$_rp); # load result pointer
591 &lea ($tp,&DWP($frame,"esp")); # [$ap and $bp are zapped]
593 &mov ("eax",&DWP(0,$tp)); # tp[0]
594 &mov ($j,$num); # j=num-1
595 &xor ($i,$i); # i=0 and clear CF!
597 &set_label("sub",16);
598 &sbb ("eax",&DWP(0,$np,$i,4));
599 &mov (&DWP(0,$rp,$i,4),"eax"); # rp[i]=tp[i]-np[i]
600 &dec ($j); # doesn't affect CF!
601 &mov ("eax",&DWP(4,$tp,$i,4)); # tp[i+1]
602 &lea ($i,&DWP(1,$i)); # i++
603 &jge (&label("sub"));
605 &sbb ("eax",0); # handle upmost overflow bit
608 &jmp (&label("copy"));
610 &set_label("copy",16); # conditional copy
611 &mov ($tp,&DWP($frame,"esp",$num,4));
612 &mov ($np,&DWP(0,$rp,$num,4));
613 &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
617 &mov (&DWP(0,$rp,$num,4),$np);
619 &jge (&label("copy"));
621 &mov ("esp",$_sp); # pull saved stack pointer
623 &set_label("just_leave");
624 &function_end("bn_mul_mont");
626 &asciz("Montgomery Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>");
630 close STDOUT or die "error closing STDOUT: $!";
projects / openssl.git / blob