2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # ECP_NISTZ256 module for ARMv8.
21 # Original ECP_NISTZ256 submission targeting x86_64 is detailed in
22 # http://eprint.iacr.org/2013/816.
24 # with/without -DECP_NISTZ256_ASM
26 # Cortex-A53 +120-400%
27 # Cortex-A57 +120-350%
31 # Ranges denote minimum and maximum improvement coefficients depending
32 # on benchmark. Lower coefficients are for ECDSA sign, server-side
33 # operation. Keep in mind that +400% means 5x improvement.
36 while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
38 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
39 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
40 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
41 die "can't locate arm-xlate.pl";
43 open OUT,"| \"$^X\" $xlate $flavour $output";
47 my ($rp,$ap,$bp,$bi,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3,$poly1,$poly3,
48 $acc0,$acc1,$acc2,$acc3,$acc4,$acc5) =
49 map("x$_",(0..17,19,20));
51 my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont
58 ########################################################################
59 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
61 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
62 open TABLE,"<ecp_nistz256_table.c" or
63 open TABLE,"<${dir}../ecp_nistz256_table.c" or
64 die "failed to open ecp_nistz256_table.c:",$!;
69 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
73 # See ecp_nistz256_table.c for explanation for why it's 64*16*37.
74 # 64*16*37-1 is because $#arr returns last valid index or @arr, not
76 die "insane number of elements" if ($#arr != 64*16*37-1);
79 .globl ecp_nistz256_precomputed
80 .type ecp_nistz256_precomputed,%object
82 ecp_nistz256_precomputed:
84 ########################################################################
85 # this conversion smashes P256_POINT_AFFINE by individual bytes with
86 # 64 byte interval, similar to
90 @tbl = splice(@arr,0,64*16);
91 for($i=0;$i<64;$i++) {
93 for($j=0;$j<64;$j++) {
94 push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff;
97 $code.=join(',',map { sprintf "0x%02x",$_} @line);
102 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
105 .quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
106 .LRR: // 2^512 mod P precomputed for NIST P256 polynomial
107 .quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
109 .quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
112 .asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
114 // void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
115 .globl ecp_nistz256_to_mont
116 .type ecp_nistz256_to_mont,%function
118 ecp_nistz256_to_mont:
119 stp x29,x30,[sp,#-32]!
123 ldr $bi,.LRR // bp[0]
125 ldp $a2,$a3,[$ap,#16]
128 adr $bp,.LRR // &bp[0]
130 bl __ecp_nistz256_mul_mont
135 .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
137 // void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
138 .globl ecp_nistz256_from_mont
139 .type ecp_nistz256_from_mont,%function
141 ecp_nistz256_from_mont:
142 stp x29,x30,[sp,#-32]!
148 ldp $a2,$a3,[$ap,#16]
151 adr $bp,.Lone // &bp[0]
153 bl __ecp_nistz256_mul_mont
158 .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
160 // void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
161 // const BN_ULONG x2[4]);
162 .globl ecp_nistz256_mul_mont
163 .type ecp_nistz256_mul_mont,%function
165 ecp_nistz256_mul_mont:
166 stp x29,x30,[sp,#-32]!
170 ldr $bi,[$bp] // bp[0]
172 ldp $a2,$a3,[$ap,#16]
176 bl __ecp_nistz256_mul_mont
181 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
183 // void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
184 .globl ecp_nistz256_sqr_mont
185 .type ecp_nistz256_sqr_mont,%function
187 ecp_nistz256_sqr_mont:
188 stp x29,x30,[sp,#-32]!
193 ldp $a2,$a3,[$ap,#16]
197 bl __ecp_nistz256_sqr_mont
202 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
204 // void ecp_nistz256_add(BN_ULONG x0[4],const BN_ULONG x1[4],
205 // const BN_ULONG x2[4]);
206 .globl ecp_nistz256_add
207 .type ecp_nistz256_add,%function
210 stp x29,x30,[sp,#-16]!
213 ldp $acc0,$acc1,[$ap]
215 ldp $acc2,$acc3,[$ap,#16]
216 ldp $t2,$t3,[$bp,#16]
220 bl __ecp_nistz256_add
224 .size ecp_nistz256_add,.-ecp_nistz256_add
226 // void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
227 .globl ecp_nistz256_div_by_2
228 .type ecp_nistz256_div_by_2,%function
230 ecp_nistz256_div_by_2:
231 stp x29,x30,[sp,#-16]!
234 ldp $acc0,$acc1,[$ap]
235 ldp $acc2,$acc3,[$ap,#16]
239 bl __ecp_nistz256_div_by_2
243 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
245 // void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
246 .globl ecp_nistz256_mul_by_2
247 .type ecp_nistz256_mul_by_2,%function
249 ecp_nistz256_mul_by_2:
250 stp x29,x30,[sp,#-16]!
253 ldp $acc0,$acc1,[$ap]
254 ldp $acc2,$acc3,[$ap,#16]
262 bl __ecp_nistz256_add // ret = a+a // 2*a
266 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
268 // void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
269 .globl ecp_nistz256_mul_by_3
270 .type ecp_nistz256_mul_by_3,%function
272 ecp_nistz256_mul_by_3:
273 stp x29,x30,[sp,#-16]!
276 ldp $acc0,$acc1,[$ap]
277 ldp $acc2,$acc3,[$ap,#16]
289 bl __ecp_nistz256_add // ret = a+a // 2*a
296 bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
300 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
302 // void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
303 // const BN_ULONG x2[4]);
304 .globl ecp_nistz256_sub
305 .type ecp_nistz256_sub,%function
308 stp x29,x30,[sp,#-16]!
311 ldp $acc0,$acc1,[$ap]
312 ldp $acc2,$acc3,[$ap,#16]
316 bl __ecp_nistz256_sub_from
320 .size ecp_nistz256_sub,.-ecp_nistz256_sub
322 // void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
323 .globl ecp_nistz256_neg
324 .type ecp_nistz256_neg,%function
327 stp x29,x30,[sp,#-16]!
331 mov $acc0,xzr // a = 0
338 bl __ecp_nistz256_sub_from
342 .size ecp_nistz256_neg,.-ecp_nistz256_neg
344 // note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
345 // to $a0-$a3 and b[0] - to $bi
346 .type __ecp_nistz256_mul_mont,%function
348 __ecp_nistz256_mul_mont:
349 mul $acc0,$a0,$bi // a[0]*b[0]
352 mul $acc1,$a1,$bi // a[1]*b[0]
355 mul $acc2,$a2,$bi // a[2]*b[0]
358 mul $acc3,$a3,$bi // a[3]*b[0]
360 ldr $bi,[$bp,#8] // b[1]
362 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
370 for($i=1;$i<4;$i++) {
371 # Reduction iteration is normally performed by accumulating
372 # result of multiplication of modulus by "magic" digit [and
373 # omitting least significant word, which is guaranteed to
374 # be 0], but thanks to special form of modulus and "magic"
375 # digit being equal to least significant word, it can be
376 # performed with additions and subtractions alone. Indeed:
378 # ffff0001.00000000.0000ffff.ffffffff
380 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
382 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
385 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
386 # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
387 # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
389 # or marking redundant operations:
391 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
392 # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
393 # - 0000abcd.efgh0000.--------.--------.--------
396 subs $t2,$acc0,$t0 // "*0xffff0001"
398 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
399 mul $t0,$a0,$bi // lo(a[0]*b[i])
401 mul $t1,$a1,$bi // lo(a[1]*b[i])
402 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
403 mul $t2,$a2,$bi // lo(a[2]*b[i])
405 mul $t3,$a3,$bi // lo(a[3]*b[i])
408 adds $acc0,$acc0,$t0 // accumulate low parts of multiplication
409 umulh $t0,$a0,$bi // hi(a[0]*b[i])
411 umulh $t1,$a1,$bi // hi(a[1]*b[i])
413 umulh $t2,$a2,$bi // hi(a[2]*b[i])
415 umulh $t3,$a3,$bi // hi(a[3]*b[i])
418 $code.=<<___ if ($i<3);
419 ldr $bi,[$bp,#8*($i+1)] // b[$i+1]
422 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
433 subs $t2,$acc0,$t0 // "*0xffff0001"
435 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
437 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
441 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
442 sbcs $t1,$acc1,$poly1
444 sbcs $t3,$acc3,$poly3
445 sbcs xzr,$acc4,xzr // did it borrow?
447 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
448 csel $acc1,$acc1,$t1,lo
449 csel $acc2,$acc2,$t2,lo
450 stp $acc0,$acc1,[$rp]
451 csel $acc3,$acc3,$t3,lo
452 stp $acc2,$acc3,[$rp,#16]
455 .size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
457 // note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
459 .type __ecp_nistz256_sqr_mont,%function
461 __ecp_nistz256_sqr_mont:
462 // | | | | | |a1*a0| |
463 // | | | | |a2*a0| | |
464 // | |a3*a2|a3*a0| | | |
465 // | | | |a2*a1| | | |
466 // | | |a3*a1| | | | |
467 // *| | | | | | | | 2|
468 // +|a3*a3|a2*a2|a1*a1|a0*a0|
469 // |--+--+--+--+--+--+--+--|
470 // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
472 // "can't overflow" below mark carrying into high part of
473 // multiplication result, which can't overflow, because it
474 // can never be all ones.
476 mul $acc1,$a1,$a0 // a[1]*a[0]
478 mul $acc2,$a2,$a0 // a[2]*a[0]
480 mul $acc3,$a3,$a0 // a[3]*a[0]
483 adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
484 mul $t0,$a2,$a1 // a[2]*a[1]
487 mul $t2,$a3,$a1 // a[3]*a[1]
489 adc $acc4,$acc4,xzr // can't overflow
491 mul $acc5,$a3,$a2 // a[3]*a[2]
494 adds $t1,$t1,$t2 // accumulate high parts of multiplication
495 mul $acc0,$a0,$a0 // a[0]*a[0]
496 adc $t2,$t3,xzr // can't overflow
498 adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
501 mul $t1,$a1,$a1 // a[1]*a[1]
504 adc $acc6,$acc6,xzr // can't overflow
506 adds $acc1,$acc1,$acc1 // acc[1-6]*=2
507 mul $t2,$a2,$a2 // a[2]*a[2]
508 adcs $acc2,$acc2,$acc2
510 adcs $acc3,$acc3,$acc3
511 mul $t3,$a3,$a3 // a[3]*a[3]
512 adcs $acc4,$acc4,$acc4
514 adcs $acc5,$acc5,$acc5
515 adcs $acc6,$acc6,$acc6
518 adds $acc1,$acc1,$a0 // +a[i]*a[i]
528 for($i=0;$i<3;$i++) { # reductions, see commentary in
529 # multiplication for details
531 subs $t2,$acc0,$t0 // "*0xffff0001"
533 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
536 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
538 adc $acc3,$t3,xzr // can't overflow
542 subs $t2,$acc0,$t0 // "*0xffff0001"
544 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
546 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
547 adc $acc3,$t3,xzr // can't overflow
549 adds $acc0,$acc0,$acc4 // accumulate upper half
550 adcs $acc1,$acc1,$acc5
551 adcs $acc2,$acc2,$acc6
552 adcs $acc3,$acc3,$acc7
555 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
556 sbcs $t1,$acc1,$poly1
558 sbcs $t3,$acc3,$poly3
559 sbcs xzr,$acc4,xzr // did it borrow?
561 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
562 csel $acc1,$acc1,$t1,lo
563 csel $acc2,$acc2,$t2,lo
564 stp $acc0,$acc1,[$rp]
565 csel $acc3,$acc3,$t3,lo
566 stp $acc2,$acc3,[$rp,#16]
569 .size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
571 // Note that __ecp_nistz256_add expects both input vectors pre-loaded to
572 // $a0-$a3 and $t0-$t3. This is done because it's used in multiple
573 // contexts, e.g. in multiplication by 2 and 3...
574 .type __ecp_nistz256_add,%function
577 adds $acc0,$acc0,$t0 // ret = a+b
581 adc $ap,xzr,xzr // zap $ap
583 adds $t0,$acc0,#1 // subs $t0,$a0,#-1 // tmp = ret-modulus
584 sbcs $t1,$acc1,$poly1
586 sbcs $t3,$acc3,$poly3
587 sbcs xzr,$ap,xzr // did subtraction borrow?
589 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
590 csel $acc1,$acc1,$t1,lo
591 csel $acc2,$acc2,$t2,lo
592 stp $acc0,$acc1,[$rp]
593 csel $acc3,$acc3,$t3,lo
594 stp $acc2,$acc3,[$rp,#16]
597 .size __ecp_nistz256_add,.-__ecp_nistz256_add
599 .type __ecp_nistz256_sub_from,%function
601 __ecp_nistz256_sub_from:
603 ldp $t2,$t3,[$bp,#16]
604 subs $acc0,$acc0,$t0 // ret = a-b
608 sbc $ap,xzr,xzr // zap $ap
610 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
611 adcs $t1,$acc1,$poly1
614 cmp $ap,xzr // did subtraction borrow?
616 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
617 csel $acc1,$acc1,$t1,eq
618 csel $acc2,$acc2,$t2,eq
619 stp $acc0,$acc1,[$rp]
620 csel $acc3,$acc3,$t3,eq
621 stp $acc2,$acc3,[$rp,#16]
624 .size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
626 .type __ecp_nistz256_sub_morf,%function
628 __ecp_nistz256_sub_morf:
630 ldp $t2,$t3,[$bp,#16]
631 subs $acc0,$t0,$acc0 // ret = b-a
635 sbc $ap,xzr,xzr // zap $ap
637 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
638 adcs $t1,$acc1,$poly1
641 cmp $ap,xzr // did subtraction borrow?
643 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
644 csel $acc1,$acc1,$t1,eq
645 csel $acc2,$acc2,$t2,eq
646 stp $acc0,$acc1,[$rp]
647 csel $acc3,$acc3,$t3,eq
648 stp $acc2,$acc3,[$rp,#16]
651 .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
653 .type __ecp_nistz256_div_by_2,%function
655 __ecp_nistz256_div_by_2:
656 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = a+modulus
657 adcs $t1,$acc1,$poly1
659 adcs $t3,$acc3,$poly3
660 adc $ap,xzr,xzr // zap $ap
661 tst $acc0,#1 // is a even?
663 csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
664 csel $acc1,$acc1,$t1,eq
665 csel $acc2,$acc2,$t2,eq
666 csel $acc3,$acc3,$t3,eq
669 lsr $acc0,$acc0,#1 // ret >>= 1
670 orr $acc0,$acc0,$acc1,lsl#63
672 orr $acc1,$acc1,$acc2,lsl#63
674 orr $acc2,$acc2,$acc3,lsl#63
676 stp $acc0,$acc1,[$rp]
677 orr $acc3,$acc3,$ap,lsl#63
678 stp $acc2,$acc3,[$rp,#16]
681 .size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
683 ########################################################################
684 # following subroutines are "literal" implementation of those found in
687 ########################################################################
688 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
691 my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3));
692 # above map() describes stack layout with 4 temporary
693 # 256-bit vectors on top.
694 my ($rp_real,$ap_real) = map("x$_",(21,22));
697 .globl ecp_nistz256_point_double
698 .type ecp_nistz256_point_double,%function
700 ecp_nistz256_point_double:
701 stp x29,x30,[sp,#-80]!
708 ldp $acc0,$acc1,[$ap,#32]
710 ldp $acc2,$acc3,[$ap,#48]
716 ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont
719 ldp $a2,$a3,[$ap_real,#64+16]
721 bl __ecp_nistz256_add // p256_mul_by_2(S, in_y);
724 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
726 ldp $t0,$t1,[$ap_real]
727 ldp $t2,$t3,[$ap_real,#16]
728 mov $a0,$acc0 // put Zsqr aside for p256_sub
733 bl __ecp_nistz256_add // p256_add(M, Zsqr, in_x);
736 mov $acc0,$a0 // restore Zsqr
738 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
741 ldp $a2,$a3,[sp,#$S+16]
743 bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
746 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
748 ldr $bi,[$ap_real,#32]
749 ldp $a0,$a1,[$ap_real,#64]
750 ldp $a2,$a3,[$ap_real,#64+16]
753 bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
757 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
760 ldp $a2,$a3,[sp,#$S+16]
762 bl __ecp_nistz256_add // p256_mul_by_2(res_z, tmp0);
765 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
767 ldr $bi,[sp,#$Zsqr] // forward load for p256_mul_mont
769 ldp $a2,$a3,[sp,#$M+16]
771 bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
775 bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
777 mov $t0,$acc0 // duplicate M
781 mov $a0,$acc0 // put M aside
786 bl __ecp_nistz256_add
787 mov $t0,$a0 // restore M
789 ldr $bi,[$ap_real] // forward load for p256_mul_mont
793 ldp $a2,$a3,[sp,#$S+16]
794 bl __ecp_nistz256_add // p256_mul_by_3(M, M);
798 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
802 ldp $a0,$a1,[sp,#$M] // forward load for p256_sqr_mont
805 ldp $a2,$a3,[sp,#$M+16]
807 bl __ecp_nistz256_add // p256_mul_by_2(tmp0, S);
810 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
813 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
817 bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
820 mov $a0,$acc0 // copy S
825 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
829 bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
831 add sp,x29,#0 // destroy frame
832 ldp x19,x20,[x29,#16]
833 ldp x21,x22,[x29,#32]
836 .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
840 ########################################################################
841 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
842 # const P256_POINT *in2);
844 my ($res_x,$res_y,$res_z,
845 $H,$Hsqr,$R,$Rsqr,$Hcub,
846 $U1,$U2,$S1,$S2)=map(32*$_,(0..11));
847 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
848 # above map() describes stack layout with 12 temporary
849 # 256-bit vectors on top.
850 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
853 .globl ecp_nistz256_point_add
854 .type ecp_nistz256_point_add,%function
856 ecp_nistz256_point_add:
857 stp x29,x30,[sp,#-80]!
866 ldp $a2,$a3,[$bp,#16]
867 ldp $t0,$t1,[$bp,#32]
868 ldp $t2,$t3,[$bp,#48]
874 ldp $acc0,$acc1,[$ap]
877 ldp $acc2,$acc3,[$ap,#16]
880 ldp $t0,$t1,[$ap,#32]
881 orr $in2infty,$a0,$t2
883 ldp $t2,$t3,[$ap,#48]
884 csetm $in2infty,ne // !in2infty
886 ldp $a0,$a1,[$bp_real,#64] // forward load for p256_sqr_mont
887 orr $acc0,$acc0,$acc1
888 orr $acc2,$acc2,$acc3
889 ldp $a2,$a3,[$bp_real,#64+16]
892 orr $acc0,$acc0,$acc2
894 orr $in1infty,$acc0,$t0
898 csetm $in1infty,ne // !in1infty
901 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
903 ldp $a0,$a1,[$ap_real,#64]
904 ldp $a2,$a3,[$ap_real,#64+16]
906 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
908 ldr $bi,[$bp_real,#64]
909 ldp $a0,$a1,[sp,#$Z2sqr]
910 ldp $a2,$a3,[sp,#$Z2sqr+16]
913 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
915 ldr $bi,[$ap_real,#64]
916 ldp $a0,$a1,[sp,#$Z1sqr]
917 ldp $a2,$a3,[sp,#$Z1sqr+16]
920 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
922 ldr $bi,[$ap_real,#32]
923 ldp $a0,$a1,[sp,#$S1]
924 ldp $a2,$a3,[sp,#$S1+16]
927 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
929 ldr $bi,[$bp_real,#32]
930 ldp $a0,$a1,[sp,#$S2]
931 ldp $a2,$a3,[sp,#$S2+16]
934 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
937 ldr $bi,[sp,#$Z2sqr] // forward load for p256_mul_mont
938 ldp $a0,$a1,[$ap_real]
939 ldp $a2,$a3,[$ap_real,#16]
941 bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
943 orr $acc0,$acc0,$acc1 // see if result is zero
944 orr $acc2,$acc2,$acc3
945 orr $temp,$acc0,$acc2
949 bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
952 ldp $a0,$a1,[$bp_real]
953 ldp $a2,$a3,[$bp_real,#16]
956 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
959 ldp $a0,$a1,[sp,#$R] // forward load for p256_sqr_mont
960 ldp $a2,$a3,[sp,#$R+16]
962 bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
964 orr $acc0,$acc0,$acc1 // see if result is zero
965 orr $acc2,$acc2,$acc3
966 orr $acc0,$acc0,$acc2
968 b.ne .Ladd_proceed // is_equal(U1,U2)?
970 tst $in1infty,$in2infty
971 b.eq .Ladd_proceed // (in1infty || in2infty)?
974 b.eq .Ladd_double // is_equal(S1,S2)?
978 stp $a0,$a1,[$rp_real]
979 stp $a0,$a1,[$rp_real,#16]
980 stp $a0,$a1,[$rp_real,#32]
981 stp $a0,$a1,[$rp_real,#48]
982 stp $a0,$a1,[$rp_real,#64]
983 stp $a0,$a1,[$rp_real,#80]
990 ldp x23,x24,[x29,#48]
991 ldp x25,x26,[x29,#64]
992 add sp,sp,#32*(12-4) // difference in stack frames
998 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1000 ldr $bi,[$ap_real,#64]
1001 ldp $a0,$a1,[sp,#$H]
1002 ldp $a2,$a3,[sp,#$H+16]
1003 add $bp,$ap_real,#64
1005 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1007 ldp $a0,$a1,[sp,#$H]
1008 ldp $a2,$a3,[sp,#$H+16]
1010 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1012 ldr $bi,[$bp_real,#64]
1013 ldp $a0,$a1,[sp,#$res_z]
1014 ldp $a2,$a3,[sp,#$res_z+16]
1015 add $bp,$bp_real,#64
1017 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
1020 ldp $a0,$a1,[sp,#$Hsqr]
1021 ldp $a2,$a3,[sp,#$Hsqr+16]
1024 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1027 ldp $a0,$a1,[sp,#$U1]
1028 ldp $a2,$a3,[sp,#$U1+16]
1031 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
1038 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1042 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1045 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1048 ldr $bi,[sp,#$Hcub] // forward load for p256_mul_mont
1049 ldp $a0,$a1,[sp,#$S1]
1050 ldp $a2,$a3,[sp,#$S1+16]
1052 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1056 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
1059 ldp $a0,$a1,[sp,#$res_y]
1060 ldp $a2,$a3,[sp,#$res_y+16]
1063 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1066 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1068 ldp $a0,$a1,[sp,#$res_x] // res
1069 ldp $a2,$a3,[sp,#$res_x+16]
1070 ldp $t0,$t1,[$bp_real] // in2
1071 ldp $t2,$t3,[$bp_real,#16]
1073 for($i=0;$i<64;$i+=32) { # conditional moves
1075 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1076 cmp $in1infty,#0 // !$in1intfy, remember?
1077 ldp $acc2,$acc3,[$ap_real,#$i+16]
1080 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1083 cmp $in2infty,#0 // !$in2intfy, remember?
1084 ldp $a2,$a3,[sp,#$res_x+$i+48]
1085 csel $acc0,$t0,$acc0,ne
1086 csel $acc1,$t1,$acc1,ne
1087 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1088 csel $acc2,$t2,$acc2,ne
1089 csel $acc3,$t3,$acc3,ne
1090 ldp $t2,$t3,[$bp_real,#$i+48]
1091 stp $acc0,$acc1,[$rp_real,#$i]
1092 stp $acc2,$acc3,[$rp_real,#$i+16]
1096 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1097 cmp $in1infty,#0 // !$in1intfy, remember?
1098 ldp $acc2,$acc3,[$ap_real,#$i+16]
1103 cmp $in2infty,#0 // !$in2intfy, remember?
1104 csel $acc0,$t0,$acc0,ne
1105 csel $acc1,$t1,$acc1,ne
1106 csel $acc2,$t2,$acc2,ne
1107 csel $acc3,$t3,$acc3,ne
1108 stp $acc0,$acc1,[$rp_real,#$i]
1109 stp $acc2,$acc3,[$rp_real,#$i+16]
1112 add sp,x29,#0 // destroy frame
1113 ldp x19,x20,[x29,#16]
1114 ldp x21,x22,[x29,#32]
1115 ldp x23,x24,[x29,#48]
1116 ldp x25,x26,[x29,#64]
1117 ldp x29,x30,[sp],#80
1119 .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
1123 ########################################################################
1124 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
1125 # const P256_POINT_AFFINE *in2);
1127 my ($res_x,$res_y,$res_z,
1128 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9));
1130 # above map() describes stack layout with 10 temporary
1131 # 256-bit vectors on top.
1132 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
1135 .globl ecp_nistz256_point_add_affine
1136 .type ecp_nistz256_point_add_affine,%function
1138 ecp_nistz256_point_add_affine:
1139 stp x29,x30,[sp,#-80]!
1141 stp x19,x20,[sp,#16]
1142 stp x21,x22,[sp,#32]
1143 stp x23,x24,[sp,#48]
1144 stp x25,x26,[sp,#64]
1151 ldr $poly3,.Lpoly+24
1154 ldp $a2,$a3,[$ap,#16]
1155 ldp $t0,$t1,[$ap,#32]
1156 ldp $t2,$t3,[$ap,#48]
1163 orr $in1infty,$a0,$t0
1165 csetm $in1infty,ne // !in1infty
1168 ldp $a2,$a3,[$bp,#16]
1169 ldp $t0,$t1,[$bp,#32]
1170 ldp $t2,$t3,[$bp,#48]
1177 orr $in2infty,$a0,$t0
1179 csetm $in2infty,ne // !in2infty
1181 ldp $a0,$a1,[$ap_real,#64]
1182 ldp $a2,$a3,[$ap_real,#64+16]
1184 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
1193 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
1196 ldr $bi,[$ap_real,#64] // forward load for p256_mul_mont
1197 ldp $a0,$a1,[sp,#$Z1sqr]
1198 ldp $a2,$a3,[sp,#$Z1sqr+16]
1200 bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
1202 add $bp,$ap_real,#64
1204 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
1206 ldr $bi,[$ap_real,#64]
1207 ldp $a0,$a1,[sp,#$H]
1208 ldp $a2,$a3,[sp,#$H+16]
1209 add $bp,$ap_real,#64
1211 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1213 ldr $bi,[$bp_real,#32]
1214 ldp $a0,$a1,[sp,#$S2]
1215 ldp $a2,$a3,[sp,#$S2+16]
1216 add $bp,$bp_real,#32
1218 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
1220 add $bp,$ap_real,#32
1221 ldp $a0,$a1,[sp,#$H] // forward load for p256_sqr_mont
1222 ldp $a2,$a3,[sp,#$H+16]
1224 bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
1227 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1229 ldp $a0,$a1,[sp,#$R]
1230 ldp $a2,$a3,[sp,#$R+16]
1232 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1235 ldp $a0,$a1,[sp,#$Hsqr]
1236 ldp $a2,$a3,[sp,#$Hsqr+16]
1239 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1242 ldp $a0,$a1,[sp,#$Hsqr]
1243 ldp $a2,$a3,[sp,#$Hsqr+16]
1246 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
1253 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1257 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1260 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1263 ldr $bi,[$ap_real,#32] // forward load for p256_mul_mont
1264 ldp $a0,$a1,[sp,#$Hcub]
1265 ldp $a2,$a3,[sp,#$Hcub+16]
1267 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1269 add $bp,$ap_real,#32
1271 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
1274 ldp $a0,$a1,[sp,#$res_y]
1275 ldp $a2,$a3,[sp,#$res_y+16]
1278 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1281 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1283 ldp $a0,$a1,[sp,#$res_x] // res
1284 ldp $a2,$a3,[sp,#$res_x+16]
1285 ldp $t0,$t1,[$bp_real] // in2
1286 ldp $t2,$t3,[$bp_real,#16]
1288 for($i=0;$i<64;$i+=32) { # conditional moves
1290 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1291 cmp $in1infty,#0 // !$in1intfy, remember?
1292 ldp $acc2,$acc3,[$ap_real,#$i+16]
1295 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1298 cmp $in2infty,#0 // !$in2intfy, remember?
1299 ldp $a2,$a3,[sp,#$res_x+$i+48]
1300 csel $acc0,$t0,$acc0,ne
1301 csel $acc1,$t1,$acc1,ne
1302 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1303 csel $acc2,$t2,$acc2,ne
1304 csel $acc3,$t3,$acc3,ne
1305 ldp $t2,$t3,[$bp_real,#$i+48]
1306 stp $acc0,$acc1,[$rp_real,#$i]
1307 stp $acc2,$acc3,[$rp_real,#$i+16]
1309 $code.=<<___ if ($i == 0);
1310 adr $bp_real,.Lone_mont-64
1314 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1315 cmp $in1infty,#0 // !$in1intfy, remember?
1316 ldp $acc2,$acc3,[$ap_real,#$i+16]
1321 cmp $in2infty,#0 // !$in2intfy, remember?
1322 csel $acc0,$t0,$acc0,ne
1323 csel $acc1,$t1,$acc1,ne
1324 csel $acc2,$t2,$acc2,ne
1325 csel $acc3,$t3,$acc3,ne
1326 stp $acc0,$acc1,[$rp_real,#$i]
1327 stp $acc2,$acc3,[$rp_real,#$i+16]
1329 add sp,x29,#0 // destroy frame
1330 ldp x19,x20,[x29,#16]
1331 ldp x21,x22,[x29,#32]
1332 ldp x23,x24,[x29,#48]
1333 ldp x25,x26,[x29,#64]
1334 ldp x29,x30,[sp],#80
1336 .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
1340 ########################################################################
1341 # scatter-gather subroutines
1343 my ($out,$inp,$index,$mask)=map("x$_",(0..3));
1345 // void ecp_nistz256_scatter_w5(void *x0,const P256_POINT *x1,
1347 .globl ecp_nistz256_scatter_w5
1348 .type ecp_nistz256_scatter_w5,%function
1350 ecp_nistz256_scatter_w5:
1351 stp x29,x30,[sp,#-16]!
1354 add $out,$out,$index,lsl#2
1356 ldp x4,x5,[$inp] // X
1357 ldp x6,x7,[$inp,#16]
1358 str w4,[$out,#64*0-4]
1360 str w5,[$out,#64*1-4]
1362 str w6,[$out,#64*2-4]
1364 str w7,[$out,#64*3-4]
1366 str w4,[$out,#64*4-4]
1367 str w5,[$out,#64*5-4]
1368 str w6,[$out,#64*6-4]
1369 str w7,[$out,#64*7-4]
1372 ldp x4,x5,[$inp,#32] // Y
1373 ldp x6,x7,[$inp,#48]
1374 str w4,[$out,#64*0-4]
1376 str w5,[$out,#64*1-4]
1378 str w6,[$out,#64*2-4]
1380 str w7,[$out,#64*3-4]
1382 str w4,[$out,#64*4-4]
1383 str w5,[$out,#64*5-4]
1384 str w6,[$out,#64*6-4]
1385 str w7,[$out,#64*7-4]
1388 ldp x4,x5,[$inp,#64] // Z
1389 ldp x6,x7,[$inp,#80]
1390 str w4,[$out,#64*0-4]
1392 str w5,[$out,#64*1-4]
1394 str w6,[$out,#64*2-4]
1396 str w7,[$out,#64*3-4]
1398 str w4,[$out,#64*4-4]
1399 str w5,[$out,#64*5-4]
1400 str w6,[$out,#64*6-4]
1401 str w7,[$out,#64*7-4]
1405 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
1407 // void ecp_nistz256_gather_w5(P256_POINT *x0,const void *x1,
1409 .globl ecp_nistz256_gather_w5
1410 .type ecp_nistz256_gather_w5,%function
1412 ecp_nistz256_gather_w5:
1413 stp x29,x30,[sp,#-16]!
1418 add $index,$index,x3
1419 add $inp,$inp,$index,lsl#2
1427 ldr w10,[$inp,#64*6]
1428 ldr w11,[$inp,#64*7]
1432 orr x6,x6,x10,lsl#32
1433 orr x7,x7,x11,lsl#32
1438 stp x4,x5,[$out] // X
1439 stp x6,x7,[$out,#16]
1447 ldr w10,[$inp,#64*6]
1448 ldr w11,[$inp,#64*7]
1452 orr x6,x6,x10,lsl#32
1453 orr x7,x7,x11,lsl#32
1458 stp x4,x5,[$out,#32] // Y
1459 stp x6,x7,[$out,#48]
1467 ldr w10,[$inp,#64*6]
1468 ldr w11,[$inp,#64*7]
1471 orr x6,x6,x10,lsl#32
1472 orr x7,x7,x11,lsl#32
1477 stp x4,x5,[$out,#64] // Z
1478 stp x6,x7,[$out,#80]
1482 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
1484 // void ecp_nistz256_scatter_w7(void *x0,const P256_POINT_AFFINE *x1,
1486 .globl ecp_nistz256_scatter_w7
1487 .type ecp_nistz256_scatter_w7,%function
1489 ecp_nistz256_scatter_w7:
1490 stp x29,x30,[sp,#-16]!
1493 add $out,$out,$index
1497 subs $index,$index,#1
1498 prfm pstl1strm,[$out,#4096+64*0]
1499 prfm pstl1strm,[$out,#4096+64*1]
1500 prfm pstl1strm,[$out,#4096+64*2]
1501 prfm pstl1strm,[$out,#4096+64*3]
1502 prfm pstl1strm,[$out,#4096+64*4]
1503 prfm pstl1strm,[$out,#4096+64*5]
1504 prfm pstl1strm,[$out,#4096+64*6]
1505 prfm pstl1strm,[$out,#4096+64*7]
1506 strb w3,[$out,#64*0-1]
1508 strb w3,[$out,#64*1-1]
1510 strb w3,[$out,#64*2-1]
1512 strb w3,[$out,#64*3-1]
1514 strb w3,[$out,#64*4-1]
1516 strb w3,[$out,#64*5-1]
1518 strb w3,[$out,#64*6-1]
1520 strb w3,[$out,#64*7-1]
1522 b.ne .Loop_scatter_w7
1526 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
1528 // void ecp_nistz256_gather_w7(P256_POINT_AFFINE *x0,const void *x1,
1530 .globl ecp_nistz256_gather_w7
1531 .type ecp_nistz256_gather_w7,%function
1533 ecp_nistz256_gather_w7:
1534 stp x29,x30,[sp,#-16]!
1539 add $index,$index,x3
1540 add $inp,$inp,$index
1544 ldrb w4,[$inp,#64*0]
1545 prfm pldl1strm,[$inp,#4096+64*0]
1546 subs $index,$index,#1
1547 ldrb w5,[$inp,#64*1]
1548 prfm pldl1strm,[$inp,#4096+64*1]
1549 ldrb w6,[$inp,#64*2]
1550 prfm pldl1strm,[$inp,#4096+64*2]
1551 ldrb w7,[$inp,#64*3]
1552 prfm pldl1strm,[$inp,#4096+64*3]
1553 ldrb w8,[$inp,#64*4]
1554 prfm pldl1strm,[$inp,#4096+64*4]
1555 ldrb w9,[$inp,#64*5]
1556 prfm pldl1strm,[$inp,#4096+64*5]
1557 ldrb w10,[$inp,#64*6]
1558 prfm pldl1strm,[$inp,#4096+64*6]
1559 ldrb w11,[$inp,#64*7]
1560 prfm pldl1strm,[$inp,#4096+64*7]
1566 orr x10,x10,x11,lsl#8
1568 orr x4,x4,x10,lsl#48
1571 b.ne .Loop_gather_w7
1575 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
1579 foreach (split("\n",$code)) {
1580 s/\`([^\`]*)\`/eval $1/ge;
1584 close STDOUT; # enforce flush
projects / openssl.git / blob