3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
12 # Montgomery multiplication routine for x86_64. While it gives modest
13 # 9% improvement of rsa4096 sign on Opteron, rsa512 sign runs more
14 # than twice, >2x, as fast. Most common rsa1024 sign is improved by
15 # respectful 50%. It remains to be seen if loop unrolling and
16 # dedicated squaring routine can provide further improvement...
20 # Add dedicated squaring procedure. Performance improvement varies
21 # from platform to platform, but in average it's ~5%/15%/25%/33%
22 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
26 # Unroll and modulo-schedule inner loops in such manner that they
27 # are "fallen through" for input lengths of 8, which is critical for
28 # 1024-bit RSA *sign*. Average performance improvement in comparison
29 # to *initial* version of this module from 2005 is ~0%/30%/40%/45%
30 # for 512-/1024-/2048-/4096-bit RSA *sign* benchmarks respectively.
34 # Optimize reduction in squaring procedure and improve 1024+-bit RSA
35 # sign performance by 10-16% on Intel Sandy Bridge and later
36 # (virtually same on non-Intel processors).
40 # Add MULX/ADOX/ADCX code path.
44 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
46 $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
48 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
49 ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
50 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
51 die "can't locate x86_64-xlate.pl";
53 open OUT,"| \"$^X\" $xlate $flavour $output";
56 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
57 =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
61 if (!$addx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
62 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
66 if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
67 `ml64 2>&1` =~ /Version ([0-9]+)\./) {
72 $rp="%rdi"; # BN_ULONG *rp,
73 $ap="%rsi"; # const BN_ULONG *ap,
74 $bp="%rdx"; # const BN_ULONG *bp,
75 $np="%rcx"; # const BN_ULONG *np,
76 $n0="%r8"; # const BN_ULONG *n0,
77 $num="%r9"; # int num);
89 .extern OPENSSL_ia32cap_P
92 .type bn_mul_mont,\@function,6
100 $code.=<<___ if ($addx);
101 mov OPENSSL_ia32cap_P+8(%rip),%r11d
123 lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+2))
124 and \$-1024,%rsp # minimize TLB usage
126 mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
128 mov $bp,%r12 # reassign $bp
132 mov ($n0),$n0 # pull n0[0] value
133 mov ($bp),$m0 # m0=bp[0]
140 mulq $m0 # ap[0]*bp[0]
144 imulq $lo0,$m1 # "tp[0]"*n0
148 add %rax,$lo0 # discarded
161 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
164 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
168 mulq $m0 # ap[j]*bp[0]
180 mov ($ap),%rax # ap[0]
182 add $hi0,$hi1 # np[j]*m1+ap[j]*bp[0]
184 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
191 mov $hi1,-8(%rsp,$num,8)
192 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
198 mov ($bp,$i,8),$m0 # m0=bp[i]
202 mulq $m0 # ap[0]*bp[i]
203 add %rax,$lo0 # ap[0]*bp[i]+tp[0]
207 imulq $lo0,$m1 # tp[0]*n0
211 add %rax,$lo0 # discarded
214 mov 8(%rsp),$lo0 # tp[1]
225 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
228 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
232 mulq $m0 # ap[j]*bp[i]
236 add $hi0,$lo0 # ap[j]*bp[i]+tp[j]
246 mov ($ap),%rax # ap[0]
248 add $lo0,$hi1 # np[j]*m1+ap[j]*bp[i]+tp[j]
251 mov $hi1,-16(%rsp,$j,8) # tp[j-1]
257 add $lo0,$hi1 # pull upmost overflow bit
259 mov $hi1,-8(%rsp,$num,8)
260 mov %rdx,(%rsp,$num,8) # store upmost overflow bit
266 xor $i,$i # i=0 and clear CF!
267 mov (%rsp),%rax # tp[0]
268 lea (%rsp),$ap # borrow ap for tp
272 .Lsub: sbb ($np,$i,8),%rax
273 mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i]
274 mov 8($ap,$i,8),%rax # tp[i+1]
276 dec $j # doesnn't affect CF!
279 sbb \$0,%rax # handle upmost overflow bit
286 or $np,$ap # ap=borrow?tp:rp
288 .Lcopy: # copy or in-place refresh
290 mov $i,(%rsp,$i,8) # zap temporary vector
291 mov %rax,($rp,$i,8) # rp[i]=tp[i]
296 mov 8(%rsp,$num,8),%rsi # restore %rsp
307 .size bn_mul_mont,.-bn_mul_mont
310 my @A=("%r10","%r11");
311 my @N=("%r13","%rdi");
313 .type bn_mul4x_mont,\@function,6
318 $code.=<<___ if ($addx);
335 lea (%rsp,%r10,8),%rsp # tp=alloca(8*(num+4))
336 and \$-1024,%rsp # minimize TLB usage
338 mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
340 mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
341 mov %rdx,%r12 # reassign $bp
345 mov ($n0),$n0 # pull n0[0] value
346 mov ($bp),$m0 # m0=bp[0]
353 mulq $m0 # ap[0]*bp[0]
357 imulq $A[0],$m1 # "tp[0]"*n0
361 add %rax,$A[0] # discarded
384 mulq $m0 # ap[j]*bp[0]
386 mov -16($np,$j,8),%rax
392 mov -8($ap,$j,8),%rax
394 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
396 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
399 mulq $m0 # ap[j]*bp[0]
401 mov -8($np,$j,8),%rax
409 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
411 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
414 mulq $m0 # ap[j]*bp[0]
424 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
426 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
429 mulq $m0 # ap[j]*bp[0]
438 mov -16($ap,$j,8),%rax
440 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
442 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
447 mulq $m0 # ap[j]*bp[0]
449 mov -16($np,$j,8),%rax
455 mov -8($ap,$j,8),%rax
457 add $A[0],$N[0] # np[j]*m1+ap[j]*bp[0]
459 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
462 mulq $m0 # ap[j]*bp[0]
464 mov -8($np,$j,8),%rax
470 mov ($ap),%rax # ap[0]
472 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[0]
474 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
480 mov $N[0],-8(%rsp,$j,8)
481 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
486 mov ($bp,$i,8),$m0 # m0=bp[i]
490 mulq $m0 # ap[0]*bp[i]
491 add %rax,$A[0] # ap[0]*bp[i]+tp[0]
495 imulq $A[0],$m1 # tp[0]*n0
499 add %rax,$A[0] # "$N[0]", discarded
504 mulq $m0 # ap[j]*bp[i]
508 add 8(%rsp),$A[1] # +tp[1]
516 add $A[1],$N[1] # np[j]*m1+ap[j]*bp[i]+tp[j]
519 mov $N[1],(%rsp) # tp[j-1]
524 mulq $m0 # ap[j]*bp[i]
526 mov -16($np,$j,8),%rax
528 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
534 mov -8($ap,$j,8),%rax
538 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
541 mulq $m0 # ap[j]*bp[i]
543 mov -8($np,$j,8),%rax
545 add -8(%rsp,$j,8),$A[1]
555 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
558 mulq $m0 # ap[j]*bp[i]
562 add (%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
572 mov $N[0],-8(%rsp,$j,8) # tp[j-1]
575 mulq $m0 # ap[j]*bp[i]
579 add 8(%rsp,$j,8),$A[1]
586 mov -16($ap,$j,8),%rax
590 mov $N[1],-32(%rsp,$j,8) # tp[j-1]
595 mulq $m0 # ap[j]*bp[i]
597 mov -16($np,$j,8),%rax
599 add -16(%rsp,$j,8),$A[0] # ap[j]*bp[i]+tp[j]
605 mov -8($ap,$j,8),%rax
609 mov $N[0],-24(%rsp,$j,8) # tp[j-1]
612 mulq $m0 # ap[j]*bp[i]
614 mov -8($np,$j,8),%rax
616 add -8(%rsp,$j,8),$A[1]
623 mov ($ap),%rax # ap[0]
627 mov $N[1],-16(%rsp,$j,8) # tp[j-1]
633 add (%rsp,$num,8),$N[0] # pull upmost overflow bit
635 mov $N[0],-8(%rsp,$j,8)
636 mov $N[1],(%rsp,$j,8) # store upmost overflow bit
642 my @ri=("%rax","%rdx",$m0,$m1);
644 mov 16(%rsp,$num,8),$rp # restore $rp
645 mov 0(%rsp),@ri[0] # tp[0]
647 mov 8(%rsp),@ri[1] # tp[1]
648 shr \$2,$num # num/=4
649 lea (%rsp),$ap # borrow ap for tp
650 xor $i,$i # i=0 and clear CF!
653 mov 16($ap),@ri[2] # tp[2]
654 mov 24($ap),@ri[3] # tp[3]
656 lea -1($num),$j # j=num/4-1
660 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
661 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
662 sbb 16($np,$i,8),@ri[2]
663 mov 32($ap,$i,8),@ri[0] # tp[i+1]
664 mov 40($ap,$i,8),@ri[1]
665 sbb 24($np,$i,8),@ri[3]
666 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
667 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
668 sbb 32($np,$i,8),@ri[0]
669 mov 48($ap,$i,8),@ri[2]
670 mov 56($ap,$i,8),@ri[3]
671 sbb 40($np,$i,8),@ri[1]
673 dec $j # doesnn't affect CF!
676 mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
677 mov 32($ap,$i,8),@ri[0] # load overflow bit
678 sbb 16($np,$i,8),@ri[2]
679 mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
680 sbb 24($np,$i,8),@ri[3]
681 mov @ri[2],16($rp,$i,8) # rp[i]=tp[i]-np[i]
683 sbb \$0,@ri[0] # handle upmost overflow bit
684 mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
691 or $np,$ap # ap=borrow?tp:rp
698 .Lcopy4x: # copy or in-place refresh
699 movdqu 16($ap,$i),%xmm2
700 movdqu 32($ap,$i),%xmm1
701 movdqa %xmm0,16(%rsp,$i)
702 movdqu %xmm2,16($rp,$i)
703 movdqa %xmm0,32(%rsp,$i)
704 movdqu %xmm1,32($rp,$i)
710 movdqu 16($ap,$i),%xmm2
711 movdqa %xmm0,16(%rsp,$i)
712 movdqu %xmm2,16($rp,$i)
716 mov 8(%rsp,$num,8),%rsi # restore %rsp
727 .size bn_mul4x_mont,.-bn_mul4x_mont
731 ######################################################################
732 # void bn_sqr8x_mont(
733 my $rptr="%rdi"; # const BN_ULONG *rptr,
734 my $aptr="%rsi"; # const BN_ULONG *aptr,
735 my $bptr="%rdx"; # not used
736 my $nptr="%rcx"; # const BN_ULONG *nptr,
737 my $n0 ="%r8"; # const BN_ULONG *n0);
738 my $num ="%r9"; # int num, has to be divisible by 8
740 my ($i,$j,$tptr)=("%rbp","%rcx",$rptr);
741 my @A0=("%r10","%r11");
742 my @A1=("%r12","%r13");
743 my ($a0,$a1,$ai)=("%r14","%r15","%rbx");
746 .type bn_sqr8x_mont,\@function,6
751 $code.=<<___ if ($addx);
764 shl \$3,${num}d # convert $num to bytes
766 mov %rsp,%r11 # put aside %rsp
767 sub $num,%r10 # -$num
769 lea -72(%rsp,%r10,2),%rsp # alloca(frame+2*$num)
770 and \$-1024,%rsp # minimize TLB usage
771 ##############################################################
774 # +0 saved $num, used in reduction section
775 # +8 &t[2*$num], used in reduction section
782 mov $rptr,32(%rsp) # save $rptr
785 mov %r11, 56(%rsp) # save original %rsp
787 ##############################################################
790 # a) multiply-n-add everything but a[i]*a[i];
791 # b) shift result of a) by 1 to the left and accumulate
792 # a[i]*a[i] products;
794 ##############################################################
860 lea 32(%r10),$i # $i=-($num-32)
861 lea ($aptr,$num),$aptr # end of a[] buffer, ($aptr,$i)=&ap[2]
863 mov $num,$j # $j=$num
865 # comments apply to $num==8 case
866 mov -32($aptr,$i),$a0 # a[0]
867 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
868 mov -24($aptr,$i),%rax # a[1]
869 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
870 mov -16($aptr,$i),$ai # a[2]
874 mov %rax,$A0[0] # a[1]*a[0]
877 mov $A0[0],-24($tptr,$i) # t[1]
883 mov $A0[1],-16($tptr,$i) # t[2]
886 lea -16($i),$j # j=-16
889 mov 8($aptr,$j),$ai # a[3]
891 mov %rax,$A1[0] # a[2]*a[1]+t[3]
897 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
903 mov $A0[0],-8($tptr,$j) # t[3]
908 mov ($aptr,$j),$ai # a[4]
910 add %rax,$A1[1] # a[3]*a[1]+t[4]
916 add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4]
918 mov 8($aptr,$j),$ai # a[5]
926 add %rax,$A1[0] # a[4]*a[3]+t[5]
928 mov $A0[1],($tptr,$j) # t[4]
933 add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5]
935 mov 16($aptr,$j),$ai # a[6]
942 add %rax,$A1[1] # a[5]*a[3]+t[6]
944 mov $A0[0],8($tptr,$j) # t[5]
949 add %rax,$A0[1] # a[6]*a[2]+a[5]*a[3]+t[6]
951 mov 24($aptr,$j),$ai # a[7]
959 add %rax,$A1[0] # a[6]*a[5]+t[7]
961 mov $A0[1],16($tptr,$j) # t[6]
966 add %rax,$A0[0] # a[7]*a[4]+a[6]*a[5]+t[6]
973 mov $A0[0],-8($tptr,$j) # t[7]
985 mov $A1[1],($tptr) # t[8]
987 mov %rdx,8($tptr) # t[9]
991 .Lsqr4x_outer: # comments apply to $num==6 case
992 mov -32($aptr,$i),$a0 # a[0]
993 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
994 mov -24($aptr,$i),%rax # a[1]
995 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
996 mov -16($aptr,$i),$ai # a[2]
999 mov -24($tptr,$i),$A0[0] # t[1]
1001 add %rax,$A0[0] # a[1]*a[0]+t[1]
1004 mov $A0[0],-24($tptr,$i) # t[1]
1011 add -16($tptr,$i),$A0[1] # a[2]*a[0]+t[2]
1014 mov $A0[1],-16($tptr,$i) # t[2]
1016 lea -16($i),$j # j=-16
1020 mov 8($aptr,$j),$ai # a[3]
1022 add %rax,$A1[0] # a[2]*a[1]+t[3]
1025 add 8($tptr,$j),$A1[0]
1030 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
1036 mov $A0[0],8($tptr,$j) # t[3]
1043 mov ($aptr,$j),$ai # a[4]
1045 add %rax,$A1[1] # a[3]*a[1]+t[4]
1049 add ($tptr,$j),$A1[1]
1053 add %rax,$A0[1] # a[4]*a[0]+a[3]*a[1]+t[4]
1055 mov 8($aptr,$j),$ai # a[5]
1062 add %rax,$A1[0] # a[4]*a[3]+t[5]
1063 mov $A0[1],($tptr,$j) # t[4]
1067 add 8($tptr,$j),$A1[0]
1072 add %rax,$A0[0] # a[5]*a[2]+a[4]*a[3]+t[5]
1078 mov $A0[0],-8($tptr,$j) # t[5], "preloaded t[1]" below
1089 mov $A1[1],($tptr) # t[6], "preloaded t[2]" below
1091 mov %rdx,8($tptr) # t[7], "preloaded t[3]" below
1096 # comments apply to $num==4 case
1097 mov -32($aptr),$a0 # a[0]
1098 lea 64(%rsp,$num,2),$tptr # end of tp[] buffer, &tp[2*$num]
1099 mov -24($aptr),%rax # a[1]
1100 lea -32($tptr,$i),$tptr # end of tp[] window, &tp[2*$num-"$i"]
1101 mov -16($aptr),$ai # a[2]
1105 add %rax,$A0[0] # a[1]*a[0]+t[1], preloaded t[1]
1113 mov $A0[0],-24($tptr) # t[1]
1116 add $A1[1],$A0[1] # a[2]*a[0]+t[2], preloaded t[2]
1117 mov -8($aptr),$ai # a[3]
1121 add %rax,$A1[0] # a[2]*a[1]+t[3], preloaded t[3]
1123 mov $A0[1],-16($tptr) # t[2]
1128 add %rax,$A0[0] # a[3]*a[0]+a[2]*a[1]+t[3]
1134 mov $A0[0],-8($tptr) # t[3]
1138 mov -16($aptr),%rax # a[2]
1143 mov $A1[1],($tptr) # t[4]
1145 mov %rdx,8($tptr) # t[5]
1150 my ($shift,$carry)=($a0,$a1);
1151 my @S=(@A1,$ai,$n0);
1155 sub $num,$i # $i=16-$num
1158 add $A1[0],%rax # t[5]
1160 mov %rax,8($tptr) # t[5]
1161 mov %rdx,16($tptr) # t[6]
1162 mov $carry,24($tptr) # t[7]
1164 mov -16($aptr,$i),%rax # a[0]
1166 xor $A0[0],$A0[0] # t[0]
1167 mov 8($tptr),$A0[1] # t[1]
1169 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1171 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1173 or $A0[0],$S[1] # | t[2*i]>>63
1174 mov 16($tptr),$A0[0] # t[2*i+2] # prefetch
1175 mov $A0[1],$shift # shift=t[2*i+1]>>63
1176 mul %rax # a[i]*a[i]
1177 neg $carry # mov $carry,cf
1178 mov 24($tptr),$A0[1] # t[2*i+2+1] # prefetch
1180 mov -8($aptr,$i),%rax # a[i+1] # prefetch
1184 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1186 sbb $carry,$carry # mov cf,$carry
1188 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1190 or $A0[0],$S[3] # | t[2*i]>>63
1191 mov 32($tptr),$A0[0] # t[2*i+2] # prefetch
1192 mov $A0[1],$shift # shift=t[2*i+1]>>63
1193 mul %rax # a[i]*a[i]
1194 neg $carry # mov $carry,cf
1195 mov 40($tptr),$A0[1] # t[2*i+2+1] # prefetch
1197 mov 0($aptr,$i),%rax # a[i+1] # prefetch
1202 sbb $carry,$carry # mov cf,$carry
1204 jmp .Lsqr4x_shift_n_add
1207 .Lsqr4x_shift_n_add:
1208 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1210 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1212 or $A0[0],$S[1] # | t[2*i]>>63
1213 mov -16($tptr),$A0[0] # t[2*i+2] # prefetch
1214 mov $A0[1],$shift # shift=t[2*i+1]>>63
1215 mul %rax # a[i]*a[i]
1216 neg $carry # mov $carry,cf
1217 mov -8($tptr),$A0[1] # t[2*i+2+1] # prefetch
1219 mov -8($aptr,$i),%rax # a[i+1] # prefetch
1220 mov $S[0],-32($tptr)
1223 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1224 mov $S[1],-24($tptr)
1225 sbb $carry,$carry # mov cf,$carry
1227 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1229 or $A0[0],$S[3] # | t[2*i]>>63
1230 mov 0($tptr),$A0[0] # t[2*i+2] # prefetch
1231 mov $A0[1],$shift # shift=t[2*i+1]>>63
1232 mul %rax # a[i]*a[i]
1233 neg $carry # mov $carry,cf
1234 mov 8($tptr),$A0[1] # t[2*i+2+1] # prefetch
1236 mov 0($aptr,$i),%rax # a[i+1] # prefetch
1237 mov $S[2],-16($tptr)
1240 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1242 sbb $carry,$carry # mov cf,$carry
1244 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1246 or $A0[0],$S[1] # | t[2*i]>>63
1247 mov 16($tptr),$A0[0] # t[2*i+2] # prefetch
1248 mov $A0[1],$shift # shift=t[2*i+1]>>63
1249 mul %rax # a[i]*a[i]
1250 neg $carry # mov $carry,cf
1251 mov 24($tptr),$A0[1] # t[2*i+2+1] # prefetch
1253 mov 8($aptr,$i),%rax # a[i+1] # prefetch
1257 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1 | shift
1259 sbb $carry,$carry # mov cf,$carry
1261 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1263 or $A0[0],$S[3] # | t[2*i]>>63
1264 mov 32($tptr),$A0[0] # t[2*i+2] # prefetch
1265 mov $A0[1],$shift # shift=t[2*i+1]>>63
1266 mul %rax # a[i]*a[i]
1267 neg $carry # mov $carry,cf
1268 mov 40($tptr),$A0[1] # t[2*i+2+1] # prefetch
1270 mov 16($aptr,$i),%rax # a[i+1] # prefetch
1274 sbb $carry,$carry # mov cf,$carry
1277 jnz .Lsqr4x_shift_n_add
1279 lea ($shift,$A0[0],2),$S[0] # t[2*i]<<1 | shift
1281 lea ($j,$A0[1],2),$S[1] # t[2*i+1]<<1 |
1283 or $A0[0],$S[1] # | t[2*i]>>63
1284 mov -16($tptr),$A0[0] # t[2*i+2] # prefetch
1285 mov $A0[1],$shift # shift=t[2*i+1]>>63
1286 mul %rax # a[i]*a[i]
1287 neg $carry # mov $carry,cf
1288 mov -8($tptr),$A0[1] # t[2*i+2+1] # prefetch
1290 mov -8($aptr),%rax # a[i+1] # prefetch
1291 mov $S[0],-32($tptr)
1294 lea ($shift,$A0[0],2),$S[2] # t[2*i]<<1|shift
1295 mov $S[1],-24($tptr)
1296 sbb $carry,$carry # mov cf,$carry
1298 lea ($j,$A0[1],2),$S[3] # t[2*i+1]<<1 |
1300 or $A0[0],$S[3] # | t[2*i]>>63
1301 mul %rax # a[i]*a[i]
1302 neg $carry # mov $carry,cf
1305 mov $S[2],-16($tptr)
1309 ######################################################################
1310 # Montgomery reduction part, "word-by-word" algorithm.
1312 # This new path is inspired by multiple submissions from Intel, by
1313 # Shay Gueron, Vlad Krasnov, Erdinc Ozturk, James Guilford,
1316 my ($nptr,$tptr,$carry,$m0)=("%rbp","%rdi","%rsi","%rbx");
1319 mov 40(%rsp),$nptr # pull $nptr
1321 lea ($nptr,$num),%rdx # end of n[]
1322 lea 64(%rsp,$num,2),$tptr # end of t[] buffer
1325 mov %rax,($tptr) # clear top-most carry bit
1326 lea 64(%rsp,$num),$tptr # end of initial t[] window
1328 jmp .L8x_reduction_loop
1331 .L8x_reduction_loop:
1332 lea ($tptr,$num),$tptr # start of current t[] window
1341 lea 8*8($tptr),$tptr
1344 imulq 48(%rsp),$m0 # n0*a[0]
1345 mov 8*0($nptr),%rax # n[0]
1352 mov 8*1($nptr),%rax # n[1]
1362 mov $m0,64-8(%rsp,%rcx,8) # put aside n0*a[i]
1371 mov 48(%rsp),$carry # pull n0, borrow $carry
1379 imulq %r8,$carry # modulo-scheduled
1409 mov $carry,$m0 # n0*a[i]
1411 mov 8*0($nptr),%rax # n[0]
1420 lea 8*8($nptr),$nptr
1422 mov 8(%rsp),%rdx # pull end of t[]
1423 cmp 0(%rsp),$nptr # end of n[]?
1434 sbb $carry,$carry # top carry
1436 mov 64+56(%rsp),$m0 # pull n0*a[0]
1446 mov %r8,($tptr) # save result
1455 lea 8($tptr),$tptr # $tptr++
1500 mov 64-16(%rsp,%rcx,8),$m0 # pull n0*a[i]
1504 mov 8*0($nptr),%rax # pull n[0]
1511 lea 8*8($nptr),$nptr
1512 mov 8(%rsp),%rdx # pull end of t[]
1513 cmp 0(%rsp),$nptr # end of n[]?
1514 jae .L8x_tail_done # break out of loop
1516 mov 64+56(%rsp),$m0 # pull n0*a[0]
1518 mov 8*0($nptr),%rax # pull n[0]
1527 sbb $carry,$carry # top carry
1534 add (%rdx),%r8 # can this overflow?
1547 adc \$0,%rax # top-most carry
1549 mov 40(%rsp),$nptr # restore $nptr
1551 mov %r8,8*0($tptr) # store top 512 bits
1553 mov $nptr,$num # $num is %r9, can't be moved upwards
1555 sub 0(%rsp),$num # -$num
1561 lea 8*8($tptr),$tptr
1562 mov %rax,(%rdx) # store top-most carry
1564 cmp %rdx,$tptr # end of t[]?
1565 jb .L8x_reduction_loop
1567 neg $num # restore $num
1570 ##############################################################
1571 # Post-condition, 4x unrolled copy from bn_mul_mont
1574 my ($tptr,$nptr)=("%rbx",$aptr);
1575 my @ri=("%rax","%rdx","%r10","%r11");
1577 mov 64(%rsp,$num),@ri[0] # tp[0]
1578 lea 64(%rsp,$num),$tptr # upper half of t[2*$num] holds result
1579 mov 40(%rsp),$nptr # restore $nptr
1580 shr \$5,$num # num/4
1581 mov 8($tptr),@ri[1] # t[1]
1582 xor $i,$i # i=0 and clear CF!
1584 mov 32(%rsp),$rptr # restore $rptr
1586 mov 16($tptr),@ri[2] # t[2]
1587 mov 24($tptr),@ri[3] # t[3]
1589 lea -1($num),$j # j=num/4-1
1593 mov @ri[0],0($rptr) # rp[i]=tp[i]-np[i]
1594 mov @ri[1],8($rptr) # rp[i]=tp[i]-np[i]
1595 sbb 16($nptr,$i,8),@ri[2]
1596 mov 32($tptr,$i,8),@ri[0] # tp[i+1]
1597 mov 40($tptr,$i,8),@ri[1]
1598 sbb 24($nptr,$i,8),@ri[3]
1599 mov @ri[2],16($rptr) # rp[i]=tp[i]-np[i]
1600 mov @ri[3],24($rptr) # rp[i]=tp[i]-np[i]
1602 sbb 32($nptr,$i,8),@ri[0]
1603 mov 48($tptr,$i,8),@ri[2]
1604 mov 56($tptr,$i,8),@ri[3]
1605 sbb 40($nptr,$i,8),@ri[1]
1607 dec $j # doesn't affect CF!
1610 mov @ri[0],0($rptr) # rp[i]=tp[i]-np[i]
1611 mov 32($tptr,$i,8),@ri[0] # load overflow bit
1612 sbb 16($nptr,$i,8),@ri[2]
1613 mov @ri[1],8($rptr) # rp[i]=tp[i]-np[i]
1614 sbb 24($nptr,$i,8),@ri[3]
1615 mov @ri[2],16($rptr) # rp[i]=tp[i]-np[i]
1617 sbb \$0,@ri[0] # handle upmost overflow bit
1618 mov @ri[3],24($rptr) # rp[i]=tp[i]-np[i]
1619 mov 32(%rsp),$rptr # restore $rptr
1626 or $nptr,$tptr # tp=borrow?tp:rp
1629 lea 64(%rsp,$num,8),$nptr
1630 movdqu ($tptr),%xmm1
1631 lea ($nptr,$num,8),$nptr
1632 movdqa %xmm0,64(%rsp) # zap lower half of temporary vector
1633 movdqa %xmm0,($nptr) # zap upper half of temporary vector
1634 movdqu %xmm1,($rptr)
1637 .Lsqr4x_copy: # copy or in-place refresh
1638 movdqu 16($tptr,$i),%xmm2
1639 movdqu 32($tptr,$i),%xmm1
1640 movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector
1641 movdqa %xmm0,96(%rsp,$i) # zap lower half of temporary vector
1642 movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector
1643 movdqa %xmm0,32($nptr,$i) # zap upper half of temporary vector
1644 movdqu %xmm2,16($rptr,$i)
1645 movdqu %xmm1,32($rptr,$i)
1650 movdqu 16($tptr,$i),%xmm2
1651 movdqa %xmm0,80(%rsp,$i) # zap lower half of temporary vector
1652 movdqa %xmm0,16($nptr,$i) # zap upper half of temporary vector
1653 movdqu %xmm2,16($rptr,$i)
1657 mov 56(%rsp),%rsi # restore %rsp
1668 .size bn_sqr8x_mont,.-bn_sqr8x_mont
1673 my $bp="%rdx"; # original value
1676 .type bn_mulx4x_mont,\@function,6
1687 shl \$3,${num}d # convert $num to bytes
1690 mov %rsp,%r11 # put aside %rsp
1691 sub $num,%r10 # -$num
1693 lea -72(%rsp,%r10),%rsp # alloca(frame+$num+8)
1696 ##############################################################
1699 # +8 off-loaded &b[i]
1708 mov $num,0(%rsp) # save $num
1710 mov %r10,16(%rsp) # end of b[num]
1712 mov $n0, 24(%rsp) # save *n0
1713 mov $rp, 32(%rsp) # save $rp
1714 mov $num,48(%rsp) # inner counter
1715 mov %r11,56(%rsp) # save original %rsp
1721 my ($aptr, $bptr, $nptr, $tptr, $mi, $bi, $zero, $num)=
1722 ("%rsi","%rdi","%rcx","%rbx","%r8","%r9","%rbp","%rax");
1726 mov ($bp),%rdx # b[0], $bp==%rdx actually
1727 lea 64+32(%rsp),$tptr
1730 mulx 0*8($aptr),$mi,%rax # a[0]*b[0]
1731 mulx 1*8($aptr),%r11,%r14 # a[1]*b[0]
1733 mov $bptr,8(%rsp) # off-load &b[i]
1734 mulx 2*8($aptr),%r12,%r13 # ...
1738 mov $mi,$bptr # borrow $bptr
1739 imulq 24(%rsp),$mi # "t[0]"*n0
1740 xor $zero,$zero # cf=0, of=0
1742 mulx 3*8($aptr),%rax,%r14
1744 lea 4*8($aptr),$aptr
1746 adcx $zero,%r14 # cf=0
1748 mulx 0*8($nptr),%rax,%r10
1749 adcx %rax,$bptr # discarded
1751 mulx 1*8($nptr),%rax,%r11
1754 .byte 0xc4,0x62,0xfb,0xf6,0xa1,0x10,0x00,0x00,0x00 # mulx 2*8($nptr),%rax,%r12
1755 mov 48(%rsp),$bptr # counter value
1756 mov %r10,-4*8($tptr)
1759 mulx 3*8($nptr),%rax,%r15
1761 mov %r11,-3*8($tptr)
1763 adox $zero,%r15 # of=0
1764 lea 4*8($nptr),$nptr
1765 mov %r12,-2*8($tptr)
1771 adcx $zero,%r15 # cf=0, modulo-scheduled
1772 mulx 0*8($aptr),%r10,%rax # a[4]*b[0]
1774 mulx 1*8($aptr),%r11,%r14 # a[5]*b[0]
1776 mulx 2*8($aptr),%r12,%rax # ...
1778 mulx 3*8($aptr),%r13,%r14
1782 adcx $zero,%r14 # cf=0
1783 lea 4*8($aptr),$aptr
1784 lea 4*8($tptr),$tptr
1787 mulx 0*8($nptr),%rax,%r15
1790 mulx 1*8($nptr),%rax,%r15
1793 mulx 2*8($nptr),%rax,%r15
1794 mov %r10,-5*8($tptr)
1796 mov %r11,-4*8($tptr)
1798 mulx 3*8($nptr),%rax,%r15
1800 mov %r12,-3*8($tptr)
1803 lea 4*8($nptr),$nptr
1804 mov %r13,-2*8($tptr)
1806 dec $bptr # of=0, pass cf
1809 mov 0(%rsp),$num # load num
1810 mov 8(%rsp),$bptr # re-load &b[i]
1811 adc $zero,%r15 # modulo-scheduled
1813 sbb %r15,%r15 # top-most carry
1814 mov %r14,-1*8($tptr)
1819 mov ($bptr),%rdx # b[i]
1821 sub $num,$aptr # rewind $aptr
1822 mov %r15,($tptr) # save top-most carry
1825 sub $num,$nptr # rewind $nptr
1826 xor $zero,$zero # cf=0, of=0
1829 mulx 0*8($aptr),$mi,%rax # a[0]*b[i]
1832 mulx 1*8($aptr),%r11,%r14 # a[1]*b[i]
1834 mov $bptr,8(%rsp) # off-load &b[i]
1835 mulx 2*8($aptr),%r12,%r13 # ...
1843 mov $mi,$bptr # borrow $bptr
1844 imulq 24(%rsp),$mi # "t[0]"*n0
1845 xor $zero,$zero # cf=0, of=0
1847 mulx 3*8($aptr),%rax,%r14
1851 adox 3*8($tptr),%r13
1853 lea 4*8($aptr),$aptr
1854 lea 4*8($tptr),$tptr
1857 mulx 0*8($nptr),%rax,%r10
1858 adcx %rax,$bptr # discarded
1860 mulx 1*8($nptr),%rax,%r11
1863 mulx 2*8($nptr),%rax,%r12
1864 mov %r10,-4*8($tptr)
1867 mulx 3*8($nptr),%rax,%r15
1869 mov %r11,-3*8($tptr)
1871 adox $zero,%r15 # of=0
1872 mov 48(%rsp),$bptr # counter value
1873 mov %r12,-2*8($tptr)
1875 lea 4*8($nptr),$nptr
1881 adcx $zero,%r15 # cf=0, modulo-scheduled
1882 adox 0*8($tptr),%r14
1883 mulx 0*8($aptr),%r10,%rax # a[4]*b[i]
1885 mulx 1*8($aptr),%r11,%r14 # a[5]*b[i]
1887 mulx 2*8($aptr),%r12,%rax # ...
1888 adcx 1*8($tptr),%r11
1890 mulx 3*8($aptr),%r13,%r14
1892 adcx 2*8($tptr),%r12
1894 adcx 3*8($tptr),%r13
1895 adox $zero,%r14 # of=0
1896 lea 4*8($aptr),$aptr
1897 lea 4*8($tptr),$tptr
1898 adcx $zero,%r14 # cf=0
1901 mulx 0*8($nptr),%rax,%r15
1904 mulx 1*8($nptr),%rax,%r15
1907 mulx 2*8($nptr),%rax,%r15
1908 mov %r10,-5*8($tptr)
1911 mulx 3*8($nptr),%rax,%r15
1913 mov %r11,-4*8($tptr)
1914 mov %r12,-3*8($tptr)
1917 lea 4*8($nptr),$nptr
1918 mov %r13,-2*8($tptr)
1920 dec $bptr # of=0, pass cf
1923 mov 0(%rsp),$num # load num
1924 mov 8(%rsp),$bptr # re-load &b[i]
1925 adc $zero,%r15 # modulo-scheduled
1926 sub 0*8($tptr),$zero # pull top-most carry
1928 sbb %r15,%r15 # top-most carry
1929 mov %r14,-1*8($tptr)
1936 mov 32(%rsp),$rptr # restore rp
1940 mov 0*8($nptr,$num),%r8
1941 mov 1*8($nptr,$num),%r9
1943 jmp .Lmulx4x_sub_entry
1947 mov 0*8($nptr,$num),%r8
1948 mov 1*8($nptr,$num),%r9
1951 mov 2*8($nptr,$num),%r10
1954 mov 3*8($nptr,$num),%r11
1961 neg %rdx # mov %rdx,%cf
1964 movdqa %xmm0,($tptr)
1967 movdqa %xmm0,16($tptr)
1968 lea 4*8($tptr),$tptr
1969 sbb %rdx,%rdx # mov %cf,%rdx
1975 lea 4*8($rptr),$rptr
1980 mov 56(%rsp),%rsi # restore %rsp
1991 .size bn_mulx4x_mont,.-bn_mulx4x_mont
1994 ######################################################################
1995 # void bn_sqr8x_mont(
1996 my $rptr="%rdi"; # const BN_ULONG *rptr,
1997 my $aptr="%rsi"; # const BN_ULONG *aptr,
1998 my $bptr="%rdx"; # not used
1999 my $nptr="%rcx"; # const BN_ULONG *nptr,
2000 my $n0 ="%r8"; # const BN_ULONG *n0);
2001 my $num ="%r9"; # int num, has to be divisible by 8
2003 my ($i,$j,$tptr)=("%rbp","%rcx",$rptr);
2004 my @A0=("%r10","%r11");
2005 my @A1=("%r12","%r13");
2006 my ($a0,$a1,$ai)=("%r14","%r15","%rbx");
2009 .type bn_sqrx8x_mont,\@function,6
2020 shl \$3,${num}d # convert $num to bytes
2023 mov %rsp,%r11 # put aside %rsp
2024 sub $num,%r10 # -$num
2026 lea -64(%rsp,%r10,2),%rsp # alloca(frame+2*$num)
2027 and \$-1024,%rsp # minimize TLB usage
2028 ##############################################################
2031 # +0 saved $num, used in reduction section
2032 # +8 &t[2*$num], used in reduction section
2033 # +16 intermediate carry bit
2034 # +24 top-most carry bit, used in reduction section
2038 movq $rptr,%xmm1 # save $rptr
2039 movq $nptr,%xmm2 # save $nptr
2040 movq %r10, %xmm3 # -$num
2041 movq %r11, %xmm4 # save original %rsp
2044 $code.=<<___ if ($win64);
2050 ##################################################################
2053 # a) multiply-n-add everything but a[i]*a[i];
2054 # b) shift result of a) by 1 to the left and accumulate
2055 # a[i]*a[i] products;
2057 ##################################################################
2058 # a[7]a[7]a[6]a[6]a[5]a[5]a[4]a[4]a[3]a[3]a[2]a[2]a[1]a[1]a[0]a[0]
2089 # a[7]a[7]a[6]a[6]a[5]a[5]a[4]a[4]a[3]a[3]a[2]a[2]a[1]a[1]a[0]a[0]
2092 my ($zero,$carry)=("%rbp","%rcx");
2097 lea ($aptr,$num),$aaptr
2098 mov $num,(%rsp) # save $num
2099 mov $aaptr,8(%rsp) # save end of $aptr
2100 jmp .Lsqr8x_zero_start
2103 .byte 0x66,0x66,0x66,0x2e,0x0f,0x1f,0x84,0x00,0x00,0x00,0x00,0x00
2106 movdqa %xmm0,0*8($tptr)
2107 movdqa %xmm0,2*8($tptr)
2108 movdqa %xmm0,4*8($tptr)
2109 movdqa %xmm0,6*8($tptr)
2110 .Lsqr8x_zero_start: # aligned at 32
2111 movdqa %xmm0,8*8($tptr)
2112 movdqa %xmm0,10*8($tptr)
2113 movdqa %xmm0,12*8($tptr)
2114 movdqa %xmm0,14*8($tptr)
2115 lea 16*8($tptr),$tptr
2119 mov 0*8($aptr),%rdx # a[0], modulo-scheduled
2120 #xor %r9,%r9 # t[1], ex-$num, zero already
2128 xor $zero,$zero # cf=0, cf=0
2129 jmp .Lsqrx8x_outer_loop
2132 .Lsqrx8x_outer_loop:
2133 mulx 1*8($aptr),%r8,%rax # a[1]*a[0]
2134 adcx %r9,%r8 # a[1]*a[0]+=t[1]
2136 mulx 2*8($aptr),%r9,%rax # a[2]*a[0]
2139 .byte 0xc4,0xe2,0xab,0xf6,0x86,0x18,0x00,0x00,0x00 # mulx 3*8($aptr),%r10,%rax # ...
2142 .byte 0xc4,0xe2,0xa3,0xf6,0x86,0x20,0x00,0x00,0x00 # mulx 4*8($aptr),%r11,%rax
2145 mulx 5*8($aptr),%r12,%rax
2148 mulx 6*8($aptr),%r13,%rax
2151 mulx 7*8($aptr),%r14,%r15
2152 mov 1*8($aptr),%rdx # a[1]
2156 mov %r8,1*8($tptr) # t[1]
2157 mov %r9,2*8($tptr) # t[2]
2158 sbb $carry,$carry # mov %cf,$carry
2159 xor $zero,$zero # cf=0, of=0
2162 mulx 2*8($aptr),%r8,%rbx # a[2]*a[1]
2163 mulx 3*8($aptr),%r9,%rax # a[3]*a[1]
2166 mulx 4*8($aptr),%r10,%rbx # ...
2169 .byte 0xc4,0xe2,0xa3,0xf6,0x86,0x28,0x00,0x00,0x00 # mulx 5*8($aptr),%r11,%rax
2172 .byte 0xc4,0xe2,0x9b,0xf6,0x9e,0x30,0x00,0x00,0x00 # mulx 6*8($aptr),%r12,%rbx
2175 .byte 0xc4,0x62,0x93,0xf6,0xb6,0x38,0x00,0x00,0x00 # mulx 7*8($aptr),%r13,%r14
2176 mov 2*8($aptr),%rdx # a[2]
2180 adox $zero,%r14 # of=0
2181 adcx $zero,%r14 # cf=0
2183 mov %r8,3*8($tptr) # t[3]
2184 mov %r9,4*8($tptr) # t[4]
2186 mulx 3*8($aptr),%r8,%rbx # a[3]*a[2]
2187 mulx 4*8($aptr),%r9,%rax # a[4]*a[2]
2190 mulx 5*8($aptr),%r10,%rbx # ...
2193 .byte 0xc4,0xe2,0xa3,0xf6,0x86,0x30,0x00,0x00,0x00 # mulx 6*8($aptr),%r11,%rax
2196 .byte 0xc4,0x62,0x9b,0xf6,0xae,0x38,0x00,0x00,0x00 # mulx 7*8($aptr),%r12,%r13
2198 mov 3*8($aptr),%rdx # a[3]
2202 mov %r8,5*8($tptr) # t[5]
2203 mov %r9,6*8($tptr) # t[6]
2204 mulx 4*8($aptr),%r8,%rax # a[4]*a[3]
2205 adox $zero,%r13 # of=0
2206 adcx $zero,%r13 # cf=0
2208 mulx 5*8($aptr),%r9,%rbx # a[5]*a[3]
2211 mulx 6*8($aptr),%r10,%rax # ...
2214 mulx 7*8($aptr),%r11,%r12
2215 mov 4*8($aptr),%rdx # a[4]
2216 mov 5*8($aptr),%r14 # a[5]
2219 mov 6*8($aptr),%r15 # a[6]
2221 adox $zero,%r12 # of=0
2222 adcx $zero,%r12 # cf=0
2224 mov %r8,7*8($tptr) # t[7]
2225 mov %r9,8*8($tptr) # t[8]
2227 mulx %r14,%r9,%rax # a[5]*a[4]
2228 mov 7*8($aptr),%r8 # a[7]
2230 mulx %r15,%r10,%rbx # a[6]*a[4]
2233 mulx %r8,%r11,%rax # a[7]*a[4]
2234 mov %r14,%rdx # a[5]
2237 #adox $zero,%rax # of=0
2238 adcx $zero,%rax # cf=0
2240 mulx %r15,%r14,%rbx # a[6]*a[5]
2241 mulx %r8,%r12,%r13 # a[7]*a[5]
2242 mov %r15,%rdx # a[6]
2243 lea 8*8($aptr),$aptr
2250 mulx %r8,%r8,%r14 # a[7]*a[6]
2255 je .Lsqrx8x_outer_break
2257 neg $carry # mov $carry,%cf
2261 adcx 9*8($tptr),%r9 # +=t[9]
2262 adcx 10*8($tptr),%r10 # ...
2263 adcx 11*8($tptr),%r11
2264 adc 12*8($tptr),%r12
2265 adc 13*8($tptr),%r13
2266 adc 14*8($tptr),%r14
2267 adc 15*8($tptr),%r15
2269 lea 2*8*8($tptr),$tptr
2270 sbb %rax,%rax # mov %cf,$carry
2272 mov -64($aptr),%rdx # a[0]
2273 mov %rax,16(%rsp) # offload $carry
2276 #lea 8*8($tptr),$tptr # see 2*8*8($tptr) above
2277 xor %eax,%eax # cf=0, of=0
2283 mulx 0*8($aaptr),%rax,%r8 # a[8]*a[i]
2284 adcx %rax,%rbx # +=t[8]
2287 mulx 1*8($aaptr),%rax,%r9 # ...
2291 mulx 2*8($aaptr),%rax,%r10
2295 mulx 3*8($aaptr),%rax,%r11
2299 .byte 0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00 # mulx 4*8($aaptr),%rax,%r12
2303 mulx 5*8($aaptr),%rax,%r13
2307 mulx 6*8($aaptr),%rax,%r14
2308 mov %rbx,($tptr,%rcx,8) # store t[8+i]
2313 .byte 0xc4,0x62,0xfb,0xf6,0xbd,0x38,0x00,0x00,0x00 # mulx 7*8($aaptr),%rax,%r15
2314 mov 8($aptr,%rcx,8),%rdx # a[i]
2316 adox %rbx,%r15 # %rbx is 0, of=0
2317 adcx %rbx,%r15 # cf=0
2323 lea 8*8($aaptr),$aaptr
2325 cmp 8(%rsp),$aaptr # done?
2328 sub 16(%rsp),%rbx # mov 16(%rsp),%cf
2339 lea 8*8($tptr),$tptr
2341 sbb %rax,%rax # mov %cf,%rax
2342 xor %ebx,%ebx # cf=0, of=0
2343 mov %rax,16(%rsp) # offload carry
2348 sub 16(%rsp),%r8 # consume last carry
2349 mov 24(%rsp),$carry # initial $tptr, borrow $carry
2350 mov 0*8($aptr),%rdx # a[8], modulo-scheduled
2351 xor %ebp,%ebp # xor $zero,$zero
2353 cmp $carry,$tptr # cf=0, of=0
2354 je .Lsqrx8x_outer_loop
2359 mov 2*8($carry),%r10
2361 mov 3*8($carry),%r11
2363 mov 4*8($carry),%r12
2365 mov 5*8($carry),%r13
2367 mov 6*8($carry),%r14
2369 mov 7*8($carry),%r15
2371 jmp .Lsqrx8x_outer_loop
2374 .Lsqrx8x_outer_break:
2375 mov %r9,9*8($tptr) # t[9]
2376 movq %xmm3,%rcx # -$num
2377 mov %r10,10*8($tptr) # ...
2378 mov %r11,11*8($tptr)
2379 mov %r12,12*8($tptr)
2380 mov %r13,13*8($tptr)
2381 mov %r14,14*8($tptr)
2387 mov ($aptr,$i),%rdx # a[0]
2389 mov 8($tptr),$A0[1] # t[1]
2390 xor $A0[0],$A0[0] # t[0], of=0, cf=0
2391 mov (%rsp),$num # restore $num
2393 mov 16($tptr),$A1[0] # t[2] # prefetch
2394 mov 24($tptr),$A1[1] # t[3] # prefetch
2396 #jmp .Lsqrx4x_shift_n_add # happens to be aligned
2399 .Lsqrx4x_shift_n_add:
2403 .byte 0x48,0x8b,0x94,0x0e,0x08,0x00,0x00,0x00 # mov 8($aptr,$i),%rdx # a[i+1] # prefetch
2404 .byte 0x4c,0x8b,0x97,0x20,0x00,0x00,0x00 # mov 32($tptr),$A0[0] # t[2*i+4] # prefetch
2407 mov 40($tptr),$A0[1] # t[2*i+4+1] # prefetch
2414 mov 16($aptr,$i),%rdx # a[i+2] # prefetch
2415 mov 48($tptr),$A1[0] # t[2*i+6] # prefetch
2418 mov 56($tptr),$A1[1] # t[2*i+6+1] # prefetch
2425 mov 24($aptr,$i),%rdx # a[i+3] # prefetch
2427 mov 64($tptr),$A0[0] # t[2*i+8] # prefetch
2430 mov 72($tptr),$A0[1] # t[2*i+8+1] # prefetch
2437 jrcxz .Lsqrx4x_shift_n_add_break
2438 .byte 0x48,0x8b,0x94,0x0e,0x00,0x00,0x00,0x00 # mov 0($aptr,$i),%rdx # a[i+4] # prefetch
2441 mov 80($tptr),$A1[0] # t[2*i+10] # prefetch
2442 mov 88($tptr),$A1[1] # t[2*i+10+1] # prefetch
2447 jmp .Lsqrx4x_shift_n_add
2450 .Lsqrx4x_shift_n_add_break:
2454 lea 64($tptr),$tptr # end of t[] buffer
2457 ######################################################################
2458 # Montgomery reduction part, "word-by-word" algorithm.
2460 # This new path is inspired by multiple submissions from Intel, by
2461 # Shay Gueron, Vlad Krasnov, Erdinc Ozturk, James Guilford,
2464 my ($nptr,$carry,$m0)=("%rbp","%rsi","%rdx");
2468 xor %eax,%eax # initial top-most carry bit
2469 mov 32(%rsp),%rbx # n0
2470 mov 48(%rsp),%rdx # "%r8", 8*0($tptr)
2471 lea -64($nptr,$num),%rcx # end of n[]
2472 #lea 48(%rsp,$num,2),$tptr # end of t[] buffer
2473 mov %rcx, 0(%rsp) # save end of n[]
2474 mov $tptr,8(%rsp) # save end of t[]
2476 lea 48(%rsp),$tptr # initial t[] window
2477 jmp .Lsqrx8x_reduction_loop
2480 .Lsqrx8x_reduction_loop:
2486 imulq %rbx,%rdx # n0*a[i]
2490 mov %rax,24(%rsp) # store top-most carry bit
2492 lea 8*8($tptr),$tptr
2493 xor $carry,$carry # cf=0,of=0
2500 mulx 8*0($nptr),%rax,%r8 # n[0]
2501 adcx %rbx,%rax # discarded
2504 mulx 8*1($nptr),%rbx,%r9 # n[1]
2508 mulx 8*2($nptr),%rbx,%r10
2512 mulx 8*3($nptr),%rbx,%r11
2516 .byte 0xc4,0x62,0xe3,0xf6,0xa5,0x20,0x00,0x00,0x00 # mulx 8*4($nptr),%rbx,%r12
2522 mulx 32(%rsp),%rbx,%rdx # %rdx discarded
2524 mov %rax,48+64(%rsp,%rcx,8) # put aside n0*a[i]
2526 mulx 8*5($nptr),%rax,%r13
2530 mulx 8*6($nptr),%rax,%r14
2534 mulx 8*7($nptr),%rax,%r15
2537 adox $carry,%r15 # $carry is 0
2538 adcx $carry,%r15 # cf=0
2545 mov $carry,%rax # xor %rax,%rax
2546 cmp 0(%rsp),$nptr # end of n[]?
2547 jae .Lsqrx8x_no_tail
2549 mov 48(%rsp),%rdx # pull n0*a[0]
2551 lea 8*8($nptr),$nptr
2560 lea 8*8($tptr),$tptr
2561 sbb %rax,%rax # top carry
2563 xor $carry,$carry # of=0, cf=0
2570 mulx 8*0($nptr),%rax,%r8
2574 mulx 8*1($nptr),%rax,%r9
2578 mulx 8*2($nptr),%rax,%r10
2582 mulx 8*3($nptr),%rax,%r11
2586 .byte 0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00 # mulx 8*4($nptr),%rax,%r12
2590 mulx 8*5($nptr),%rax,%r13
2594 mulx 8*6($nptr),%rax,%r14
2598 mulx 8*7($nptr),%rax,%r15
2599 mov 48+72(%rsp,%rcx,8),%rdx # pull n0*a[i]
2603 mov %rbx,($tptr,%rcx,8) # save result
2605 adcx $carry,%r15 # cf=0
2610 cmp 0(%rsp),$nptr # end of n[]?
2611 jae .Lsqrx8x_tail_done # break out of loop
2613 sub 16(%rsp),$carry # mov 16(%rsp),%cf
2614 mov 48(%rsp),%rdx # pull n0*a[0]
2615 lea 8*8($nptr),$nptr
2624 lea 8*8($tptr),$tptr
2628 xor $carry,$carry # of=0, cf=0
2634 add 24(%rsp),%r8 # can this overflow?
2635 mov $carry,%rax # xor %rax,%rax
2637 sub 16(%rsp),$carry # mov 16(%rsp),%cf
2638 .Lsqrx8x_no_tail: # %cf is 0 if jumped here
2642 movq %xmm2,$nptr # restore $nptr
2644 lea 8*8($tptr),$carry # borrow $carry
2650 adc %rax,%rax # top-most carry
2652 mov 32(%rsp),%rbx # n0
2653 mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"
2655 mov %r8,8*0($tptr) # store top 512 bits
2664 lea 8*8($tptr,%rcx),$tptr # start of current t[] window
2665 cmp 8(%rsp),$carry # end of t[]?
2666 jb .Lsqrx8x_reduction_loop
2668 mov %rcx,%rdx # -$num
2672 ##############################################################
2673 # Post-condition, 8x unrolled
2676 my ($rptr,$nptr,$lptr,$i)=($aptr,"%rbp","%rbx","%rcx");
2677 my @ri=map("%r$_",(10..13));
2678 my @ni=map("%r$_",(14..15));
2682 neg %rdx # restore $num
2683 neg %rax # top-most carry as mask
2686 lea ($nptr,%rdx),$nptr # end of $nptr
2687 lea 48(%rsp,%rdx),$lptr # end of lower half of t[2*num]
2688 lea 48(%rsp,%rdx),$tptr
2691 movq %xmm1,$rptr # restore $rptr
2694 jmp .Lsqrx8x_sub_entry
2696 .byte 0x66,0x66,0x0f,0x1f,0x84,0x00,0x00,0x00,0x00,0x00
2698 mov 0*8($nptr,$i),%r8
2699 mov 1*8($nptr,$i),%r9
2701 .Lsqrx8x_sub_entry: # aligned at 32
2702 mov 2*8($nptr,$i),%r10
2705 mov 3*8($nptr,$i),%r11
2708 mov 4*8($nptr,$i),%r12
2711 mov 5*8($nptr,$i),%r13
2714 mov 6*8($nptr,$i),%r14
2717 mov 7*8($nptr,$i),%r15
2720 movdqa %xmm0,0*8($lptr,$i) # zap lower half
2723 movdqa %xmm0,2*8($lptr,$i)
2726 neg %edx # mov %edx,%cf
2727 movdqa %xmm0,4*8($lptr,$i)
2729 mov %r8,0*8($rptr) # result
2731 movdqa %xmm0,6*8($lptr,$i)
2735 movdqa %xmm0,0*8($tptr) # zap upper half
2739 movdqa %xmm0,2*8($tptr)
2743 sbb %edx,%edx # mov %cf,%edx
2744 movdqa %xmm0,4*8($tptr)
2745 movdqa %xmm0,6*8($tptr)
2746 lea 8*8($tptr),$tptr
2751 lea 8*8($rptr),$rptr
2758 movq %xmm4,%rsi # restore %rsp
2769 .size bn_sqrx8x_mont,.-bn_sqrx8x_mont
2773 .asciz "Montgomery Multiplication for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
2777 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
2778 # CONTEXT *context,DISPATCHER_CONTEXT *disp)
2786 .extern __imp_RtlVirtualUnwind
2787 .type mul_handler,\@abi-omnipotent
2801 mov 120($context),%rax # pull context->Rax
2802 mov 248($context),%rbx # pull context->Rip
2804 mov 8($disp),%rsi # disp->ImageBase
2805 mov 56($disp),%r11 # disp->HandlerData
2807 mov 0(%r11),%r10d # HandlerData[0]
2808 lea (%rsi,%r10),%r10 # end of prologue label
2809 cmp %r10,%rbx # context->Rip<end of prologue label
2810 jb .Lcommon_seh_tail
2812 mov 152($context),%rax # pull context->Rsp
2814 mov 4(%r11),%r10d # HandlerData[1]
2815 lea (%rsi,%r10),%r10 # epilogue label
2816 cmp %r10,%rbx # context->Rip>=epilogue label
2817 jae .Lcommon_seh_tail
2819 mov 192($context),%r10 # pull $num
2820 mov 8(%rax,%r10,8),%rax # pull saved stack pointer
2829 mov %rbx,144($context) # restore context->Rbx
2830 mov %rbp,160($context) # restore context->Rbp
2831 mov %r12,216($context) # restore context->R12
2832 mov %r13,224($context) # restore context->R13
2833 mov %r14,232($context) # restore context->R14
2834 mov %r15,240($context) # restore context->R15
2836 jmp .Lcommon_seh_tail
2837 .size mul_handler,.-mul_handler
2839 .type sqr_handler,\@abi-omnipotent
2853 mov 120($context),%rax # pull context->Rax
2854 mov 248($context),%rbx # pull context->Rip
2856 mov 8($disp),%rsi # disp->ImageBase
2857 mov 56($disp),%r11 # disp->HandlerData
2859 mov 0(%r11),%r10d # HandlerData[0]
2860 lea (%rsi,%r10),%r10 # end of prologue label
2861 cmp %r10,%rbx # context->Rip<.Lsqr_body
2862 jb .Lcommon_seh_tail
2864 mov 152($context),%rax # pull context->Rsp
2866 mov 4(%r11),%r10d # HandlerData[1]
2867 lea (%rsi,%r10),%r10 # epilogue label
2868 cmp %r10,%rbx # context->Rip>=.Lsqr_epilogue
2869 jae .Lcommon_seh_tail
2871 mov 56(%rax),%rax # pull saved stack pointer
2880 mov %rbx,144($context) # restore context->Rbx
2881 mov %rbp,160($context) # restore context->Rbp
2882 mov %r12,216($context) # restore context->R12
2883 mov %r13,224($context) # restore context->R13
2884 mov %r14,232($context) # restore context->R14
2885 mov %r15,240($context) # restore context->R15
2890 mov %rax,152($context) # restore context->Rsp
2891 mov %rsi,168($context) # restore context->Rsi
2892 mov %rdi,176($context) # restore context->Rdi
2894 mov 40($disp),%rdi # disp->ContextRecord
2895 mov $context,%rsi # context
2896 mov \$154,%ecx # sizeof(CONTEXT)
2897 .long 0xa548f3fc # cld; rep movsq
2900 xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
2901 mov 8(%rsi),%rdx # arg2, disp->ImageBase
2902 mov 0(%rsi),%r8 # arg3, disp->ControlPc
2903 mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
2904 mov 40(%rsi),%r10 # disp->ContextRecord
2905 lea 56(%rsi),%r11 # &disp->HandlerData
2906 lea 24(%rsi),%r12 # &disp->EstablisherFrame
2907 mov %r10,32(%rsp) # arg5
2908 mov %r11,40(%rsp) # arg6
2909 mov %r12,48(%rsp) # arg7
2910 mov %rcx,56(%rsp) # arg8, (NULL)
2911 call *__imp_RtlVirtualUnwind(%rip)
2913 mov \$1,%eax # ExceptionContinueSearch
2925 .size sqr_handler,.-sqr_handler
2929 .rva .LSEH_begin_bn_mul_mont
2930 .rva .LSEH_end_bn_mul_mont
2931 .rva .LSEH_info_bn_mul_mont
2933 .rva .LSEH_begin_bn_mul4x_mont
2934 .rva .LSEH_end_bn_mul4x_mont
2935 .rva .LSEH_info_bn_mul4x_mont
2937 .rva .LSEH_begin_bn_sqr8x_mont
2938 .rva .LSEH_end_bn_sqr8x_mont
2939 .rva .LSEH_info_bn_sqr8x_mont
2941 $code.=<<___ if ($addx);
2942 .rva .LSEH_begin_bn_mulx4x_mont
2943 .rva .LSEH_end_bn_mulx4x_mont
2944 .rva .LSEH_info_bn_mulx4x_mont
2946 .rva .LSEH_begin_bn_sqrx8x_mont
2947 .rva .LSEH_end_bn_sqrx8x_mont
2948 .rva .LSEH_info_bn_sqrx8x_mont
2953 .LSEH_info_bn_mul_mont:
2956 .rva .Lmul_body,.Lmul_epilogue # HandlerData[]
2957 .LSEH_info_bn_mul4x_mont:
2960 .rva .Lmul4x_body,.Lmul4x_epilogue # HandlerData[]
2961 .LSEH_info_bn_sqr8x_mont:
2964 .rva .Lsqr8x_body,.Lsqr8x_epilogue # HandlerData[]
2966 $code.=<<___ if ($addx);
2967 .LSEH_info_bn_mulx4x_mont:
2970 .rva .Lmulx4x_body,.Lmulx4x_epilogue # HandlerData[]
2971 .LSEH_info_bn_sqrx8x_mont:
2974 .rva .Lsqrx8x_body,.Lsqrx8x_epilogue # HandlerData[]
projects / openssl.git / blob