2 # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # ECP_NISTZ256 module for ARMv8.
21 # Original ECP_NISTZ256 submission targeting x86_64 is detailed in
22 # http://eprint.iacr.org/2013/816.
24 # with/without -DECP_NISTZ256_ASM
26 # Cortex-A53 +190-400%
27 # Cortex-A57 +190-350%
30 # Ranges denote minimum and maximum improvement coefficients depending
31 # on benchmark. Lower coefficients are for ECDSA sign, server-side
32 # operation. Keep in mind that +400% means 5x improvement.
34 # $output is the last argument if it looks like a file (it has an extension)
35 # $flavour is the first argument if it doesn't look like a file
36 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
37 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
39 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
41 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
42 die "can't locate arm-xlate.pl";
44 open OUT,"| \"$^X\" $xlate $flavour \"$output\""
45 or die "can't call $xlate: $!";
49 my ($rp,$ap,$bp,$bi,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3,$poly1,$poly3,
50 $acc0,$acc1,$acc2,$acc3,$acc4,$acc5) =
51 map("x$_",(0..17,19,20));
53 my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont
60 ########################################################################
61 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
63 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
64 open TABLE,"<ecp_nistz256_table.c" or
65 open TABLE,"<${dir}../ecp_nistz256_table.c" or
66 die "failed to open ecp_nistz256_table.c:",$!;
71 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
75 # See ecp_nistz256_table.c for explanation for why it's 64*16*37.
76 # 64*16*37-1 is because $#arr returns last valid index or @arr, not
78 die "insane number of elements" if ($#arr != 64*16*37-1);
81 .globl ecp_nistz256_precomputed
82 .type ecp_nistz256_precomputed,%object
84 ecp_nistz256_precomputed:
86 ########################################################################
87 # this conversion smashes P256_POINT_AFFINE by individual bytes with
88 # 64 byte interval, similar to
92 @tbl = splice(@arr,0,64*16);
93 for($i=0;$i<64;$i++) {
95 for($j=0;$j<64;$j++) {
96 push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff;
99 $code.=join(',',map { sprintf "0x%02x",$_} @line);
104 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
107 .quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
108 .LRR: // 2^512 mod P precomputed for NIST P256 polynomial
109 .quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
111 .quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
115 .quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
117 .quad 0xccd1c8aaee00bc4f
118 .asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
120 // void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
121 .globl ecp_nistz256_to_mont
122 .type ecp_nistz256_to_mont,%function
124 ecp_nistz256_to_mont:
125 .inst 0xd503233f // paciasp
126 stp x29,x30,[sp,#-32]!
130 ldr $bi,.LRR // bp[0]
132 ldp $a2,$a3,[$ap,#16]
135 adr $bp,.LRR // &bp[0]
137 bl __ecp_nistz256_mul_mont
141 .inst 0xd50323bf // autiasp
143 .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
145 // void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
146 .globl ecp_nistz256_from_mont
147 .type ecp_nistz256_from_mont,%function
149 ecp_nistz256_from_mont:
150 .inst 0xd503233f // paciasp
151 stp x29,x30,[sp,#-32]!
157 ldp $a2,$a3,[$ap,#16]
160 adr $bp,.Lone // &bp[0]
162 bl __ecp_nistz256_mul_mont
166 .inst 0xd50323bf // autiasp
168 .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
170 // void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
171 // const BN_ULONG x2[4]);
172 .globl ecp_nistz256_mul_mont
173 .type ecp_nistz256_mul_mont,%function
175 ecp_nistz256_mul_mont:
176 .inst 0xd503233f // paciasp
177 stp x29,x30,[sp,#-32]!
181 ldr $bi,[$bp] // bp[0]
183 ldp $a2,$a3,[$ap,#16]
187 bl __ecp_nistz256_mul_mont
191 .inst 0xd50323bf // autiasp
193 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
195 // void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
196 .globl ecp_nistz256_sqr_mont
197 .type ecp_nistz256_sqr_mont,%function
199 ecp_nistz256_sqr_mont:
200 .inst 0xd503233f // paciasp
201 stp x29,x30,[sp,#-32]!
206 ldp $a2,$a3,[$ap,#16]
210 bl __ecp_nistz256_sqr_mont
214 .inst 0xd50323bf // autiasp
216 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
218 // void ecp_nistz256_add(BN_ULONG x0[4],const BN_ULONG x1[4],
219 // const BN_ULONG x2[4]);
220 .globl ecp_nistz256_add
221 .type ecp_nistz256_add,%function
224 .inst 0xd503233f // paciasp
225 stp x29,x30,[sp,#-16]!
228 ldp $acc0,$acc1,[$ap]
230 ldp $acc2,$acc3,[$ap,#16]
231 ldp $t2,$t3,[$bp,#16]
235 bl __ecp_nistz256_add
238 .inst 0xd50323bf // autiasp
240 .size ecp_nistz256_add,.-ecp_nistz256_add
242 // void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
243 .globl ecp_nistz256_div_by_2
244 .type ecp_nistz256_div_by_2,%function
246 ecp_nistz256_div_by_2:
247 .inst 0xd503233f // paciasp
248 stp x29,x30,[sp,#-16]!
251 ldp $acc0,$acc1,[$ap]
252 ldp $acc2,$acc3,[$ap,#16]
256 bl __ecp_nistz256_div_by_2
259 .inst 0xd50323bf // autiasp
261 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
263 // void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
264 .globl ecp_nistz256_mul_by_2
265 .type ecp_nistz256_mul_by_2,%function
267 ecp_nistz256_mul_by_2:
268 .inst 0xd503233f // paciasp
269 stp x29,x30,[sp,#-16]!
272 ldp $acc0,$acc1,[$ap]
273 ldp $acc2,$acc3,[$ap,#16]
281 bl __ecp_nistz256_add // ret = a+a // 2*a
284 .inst 0xd50323bf // autiasp
286 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
288 // void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
289 .globl ecp_nistz256_mul_by_3
290 .type ecp_nistz256_mul_by_3,%function
292 ecp_nistz256_mul_by_3:
293 .inst 0xd503233f // paciasp
294 stp x29,x30,[sp,#-16]!
297 ldp $acc0,$acc1,[$ap]
298 ldp $acc2,$acc3,[$ap,#16]
310 bl __ecp_nistz256_add // ret = a+a // 2*a
317 bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
320 .inst 0xd50323bf // autiasp
322 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
324 // void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
325 // const BN_ULONG x2[4]);
326 .globl ecp_nistz256_sub
327 .type ecp_nistz256_sub,%function
330 .inst 0xd503233f // paciasp
331 stp x29,x30,[sp,#-16]!
334 ldp $acc0,$acc1,[$ap]
335 ldp $acc2,$acc3,[$ap,#16]
339 bl __ecp_nistz256_sub_from
342 .inst 0xd50323bf // autiasp
344 .size ecp_nistz256_sub,.-ecp_nistz256_sub
346 // void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
347 .globl ecp_nistz256_neg
348 .type ecp_nistz256_neg,%function
351 .inst 0xd503233f // paciasp
352 stp x29,x30,[sp,#-16]!
356 mov $acc0,xzr // a = 0
363 bl __ecp_nistz256_sub_from
366 .inst 0xd50323bf // autiasp
368 .size ecp_nistz256_neg,.-ecp_nistz256_neg
370 // note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
371 // to $a0-$a3 and b[0] - to $bi
372 .type __ecp_nistz256_mul_mont,%function
374 __ecp_nistz256_mul_mont:
375 mul $acc0,$a0,$bi // a[0]*b[0]
378 mul $acc1,$a1,$bi // a[1]*b[0]
381 mul $acc2,$a2,$bi // a[2]*b[0]
384 mul $acc3,$a3,$bi // a[3]*b[0]
386 ldr $bi,[$bp,#8] // b[1]
388 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
396 for($i=1;$i<4;$i++) {
397 # Reduction iteration is normally performed by accumulating
398 # result of multiplication of modulus by "magic" digit [and
399 # omitting least significant word, which is guaranteed to
400 # be 0], but thanks to special form of modulus and "magic"
401 # digit being equal to least significant word, it can be
402 # performed with additions and subtractions alone. Indeed:
404 # ffff0001.00000000.0000ffff.ffffffff
406 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
408 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
411 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
412 # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
413 # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
415 # or marking redundant operations:
417 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
418 # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
419 # - 0000abcd.efgh0000.--------.--------.--------
422 subs $t2,$acc0,$t0 // "*0xffff0001"
424 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
425 mul $t0,$a0,$bi // lo(a[0]*b[i])
427 mul $t1,$a1,$bi // lo(a[1]*b[i])
428 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
429 mul $t2,$a2,$bi // lo(a[2]*b[i])
431 mul $t3,$a3,$bi // lo(a[3]*b[i])
434 adds $acc0,$acc0,$t0 // accumulate low parts of multiplication
435 umulh $t0,$a0,$bi // hi(a[0]*b[i])
437 umulh $t1,$a1,$bi // hi(a[1]*b[i])
439 umulh $t2,$a2,$bi // hi(a[2]*b[i])
441 umulh $t3,$a3,$bi // hi(a[3]*b[i])
444 $code.=<<___ if ($i<3);
445 ldr $bi,[$bp,#8*($i+1)] // b[$i+1]
448 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
459 subs $t2,$acc0,$t0 // "*0xffff0001"
461 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
463 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
467 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
468 sbcs $t1,$acc1,$poly1
470 sbcs $t3,$acc3,$poly3
471 sbcs xzr,$acc4,xzr // did it borrow?
473 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
474 csel $acc1,$acc1,$t1,lo
475 csel $acc2,$acc2,$t2,lo
476 stp $acc0,$acc1,[$rp]
477 csel $acc3,$acc3,$t3,lo
478 stp $acc2,$acc3,[$rp,#16]
481 .size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
483 // note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
485 .type __ecp_nistz256_sqr_mont,%function
487 __ecp_nistz256_sqr_mont:
488 // | | | | | |a1*a0| |
489 // | | | | |a2*a0| | |
490 // | |a3*a2|a3*a0| | | |
491 // | | | |a2*a1| | | |
492 // | | |a3*a1| | | | |
493 // *| | | | | | | | 2|
494 // +|a3*a3|a2*a2|a1*a1|a0*a0|
495 // |--+--+--+--+--+--+--+--|
496 // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
498 // "can't overflow" below mark carrying into high part of
499 // multiplication result, which can't overflow, because it
500 // can never be all ones.
502 mul $acc1,$a1,$a0 // a[1]*a[0]
504 mul $acc2,$a2,$a0 // a[2]*a[0]
506 mul $acc3,$a3,$a0 // a[3]*a[0]
509 adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
510 mul $t0,$a2,$a1 // a[2]*a[1]
513 mul $t2,$a3,$a1 // a[3]*a[1]
515 adc $acc4,$acc4,xzr // can't overflow
517 mul $acc5,$a3,$a2 // a[3]*a[2]
520 adds $t1,$t1,$t2 // accumulate high parts of multiplication
521 mul $acc0,$a0,$a0 // a[0]*a[0]
522 adc $t2,$t3,xzr // can't overflow
524 adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
527 mul $t1,$a1,$a1 // a[1]*a[1]
530 adc $acc6,$acc6,xzr // can't overflow
532 adds $acc1,$acc1,$acc1 // acc[1-6]*=2
533 mul $t2,$a2,$a2 // a[2]*a[2]
534 adcs $acc2,$acc2,$acc2
536 adcs $acc3,$acc3,$acc3
537 mul $t3,$a3,$a3 // a[3]*a[3]
538 adcs $acc4,$acc4,$acc4
540 adcs $acc5,$acc5,$acc5
541 adcs $acc6,$acc6,$acc6
544 adds $acc1,$acc1,$a0 // +a[i]*a[i]
554 for($i=0;$i<3;$i++) { # reductions, see commentary in
555 # multiplication for details
557 subs $t2,$acc0,$t0 // "*0xffff0001"
559 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
562 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
564 adc $acc3,$t3,xzr // can't overflow
568 subs $t2,$acc0,$t0 // "*0xffff0001"
570 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
572 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
573 adc $acc3,$t3,xzr // can't overflow
575 adds $acc0,$acc0,$acc4 // accumulate upper half
576 adcs $acc1,$acc1,$acc5
577 adcs $acc2,$acc2,$acc6
578 adcs $acc3,$acc3,$acc7
581 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
582 sbcs $t1,$acc1,$poly1
584 sbcs $t3,$acc3,$poly3
585 sbcs xzr,$acc4,xzr // did it borrow?
587 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
588 csel $acc1,$acc1,$t1,lo
589 csel $acc2,$acc2,$t2,lo
590 stp $acc0,$acc1,[$rp]
591 csel $acc3,$acc3,$t3,lo
592 stp $acc2,$acc3,[$rp,#16]
595 .size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
597 // Note that __ecp_nistz256_add expects both input vectors pre-loaded to
598 // $a0-$a3 and $t0-$t3. This is done because it's used in multiple
599 // contexts, e.g. in multiplication by 2 and 3...
600 .type __ecp_nistz256_add,%function
603 adds $acc0,$acc0,$t0 // ret = a+b
607 adc $ap,xzr,xzr // zap $ap
609 adds $t0,$acc0,#1 // subs $t0,$a0,#-1 // tmp = ret-modulus
610 sbcs $t1,$acc1,$poly1
612 sbcs $t3,$acc3,$poly3
613 sbcs xzr,$ap,xzr // did subtraction borrow?
615 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
616 csel $acc1,$acc1,$t1,lo
617 csel $acc2,$acc2,$t2,lo
618 stp $acc0,$acc1,[$rp]
619 csel $acc3,$acc3,$t3,lo
620 stp $acc2,$acc3,[$rp,#16]
623 .size __ecp_nistz256_add,.-__ecp_nistz256_add
625 .type __ecp_nistz256_sub_from,%function
627 __ecp_nistz256_sub_from:
629 ldp $t2,$t3,[$bp,#16]
630 subs $acc0,$acc0,$t0 // ret = a-b
634 sbc $ap,xzr,xzr // zap $ap
636 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
637 adcs $t1,$acc1,$poly1
640 cmp $ap,xzr // did subtraction borrow?
642 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
643 csel $acc1,$acc1,$t1,eq
644 csel $acc2,$acc2,$t2,eq
645 stp $acc0,$acc1,[$rp]
646 csel $acc3,$acc3,$t3,eq
647 stp $acc2,$acc3,[$rp,#16]
650 .size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
652 .type __ecp_nistz256_sub_morf,%function
654 __ecp_nistz256_sub_morf:
656 ldp $t2,$t3,[$bp,#16]
657 subs $acc0,$t0,$acc0 // ret = b-a
661 sbc $ap,xzr,xzr // zap $ap
663 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
664 adcs $t1,$acc1,$poly1
667 cmp $ap,xzr // did subtraction borrow?
669 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
670 csel $acc1,$acc1,$t1,eq
671 csel $acc2,$acc2,$t2,eq
672 stp $acc0,$acc1,[$rp]
673 csel $acc3,$acc3,$t3,eq
674 stp $acc2,$acc3,[$rp,#16]
677 .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
679 .type __ecp_nistz256_div_by_2,%function
681 __ecp_nistz256_div_by_2:
682 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = a+modulus
683 adcs $t1,$acc1,$poly1
685 adcs $t3,$acc3,$poly3
686 adc $ap,xzr,xzr // zap $ap
687 tst $acc0,#1 // is a even?
689 csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
690 csel $acc1,$acc1,$t1,eq
691 csel $acc2,$acc2,$t2,eq
692 csel $acc3,$acc3,$t3,eq
695 lsr $acc0,$acc0,#1 // ret >>= 1
696 orr $acc0,$acc0,$acc1,lsl#63
698 orr $acc1,$acc1,$acc2,lsl#63
700 orr $acc2,$acc2,$acc3,lsl#63
702 stp $acc0,$acc1,[$rp]
703 orr $acc3,$acc3,$ap,lsl#63
704 stp $acc2,$acc3,[$rp,#16]
707 .size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
709 ########################################################################
710 # following subroutines are "literal" implementation of those found in
713 ########################################################################
714 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
717 my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3));
718 # above map() describes stack layout with 4 temporary
719 # 256-bit vectors on top.
720 my ($rp_real,$ap_real) = map("x$_",(21,22));
723 .globl ecp_nistz256_point_double
724 .type ecp_nistz256_point_double,%function
726 ecp_nistz256_point_double:
727 .inst 0xd503233f // paciasp
728 stp x29,x30,[sp,#-96]!
735 ldp $acc0,$acc1,[$ap,#32]
737 ldp $acc2,$acc3,[$ap,#48]
743 ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont
746 ldp $a2,$a3,[$ap_real,#64+16]
748 bl __ecp_nistz256_add // p256_mul_by_2(S, in_y);
751 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
753 ldp $t0,$t1,[$ap_real]
754 ldp $t2,$t3,[$ap_real,#16]
755 mov $a0,$acc0 // put Zsqr aside for p256_sub
760 bl __ecp_nistz256_add // p256_add(M, Zsqr, in_x);
763 mov $acc0,$a0 // restore Zsqr
765 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
768 ldp $a2,$a3,[sp,#$S+16]
770 bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
773 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
775 ldr $bi,[$ap_real,#32]
776 ldp $a0,$a1,[$ap_real,#64]
777 ldp $a2,$a3,[$ap_real,#64+16]
780 bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
784 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
787 ldp $a2,$a3,[sp,#$S+16]
789 bl __ecp_nistz256_add // p256_mul_by_2(res_z, tmp0);
792 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
794 ldr $bi,[sp,#$Zsqr] // forward load for p256_mul_mont
796 ldp $a2,$a3,[sp,#$M+16]
798 bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
802 bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
804 mov $t0,$acc0 // duplicate M
808 mov $a0,$acc0 // put M aside
813 bl __ecp_nistz256_add
814 mov $t0,$a0 // restore M
816 ldr $bi,[$ap_real] // forward load for p256_mul_mont
820 ldp $a2,$a3,[sp,#$S+16]
821 bl __ecp_nistz256_add // p256_mul_by_3(M, M);
825 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
829 ldp $a0,$a1,[sp,#$M] // forward load for p256_sqr_mont
832 ldp $a2,$a3,[sp,#$M+16]
834 bl __ecp_nistz256_add // p256_mul_by_2(tmp0, S);
837 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
840 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
844 bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
847 mov $a0,$acc0 // copy S
852 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
856 bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
858 add sp,x29,#0 // destroy frame
859 ldp x19,x20,[x29,#16]
860 ldp x21,x22,[x29,#32]
862 .inst 0xd50323bf // autiasp
864 .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
868 ########################################################################
869 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
870 # const P256_POINT *in2);
872 my ($res_x,$res_y,$res_z,
873 $H,$Hsqr,$R,$Rsqr,$Hcub,
874 $U1,$U2,$S1,$S2)=map(32*$_,(0..11));
875 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
876 # above map() describes stack layout with 12 temporary
877 # 256-bit vectors on top.
878 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp0,$temp1,$temp2)=map("x$_",(21..28));
881 .globl ecp_nistz256_point_add
882 .type ecp_nistz256_point_add,%function
884 ecp_nistz256_point_add:
885 .inst 0xd503233f // paciasp
886 stp x29,x30,[sp,#-96]!
895 ldp $a0,$a1,[$bp,#64] // in2_z
896 ldp $a2,$a3,[$bp,#64+16]
904 orr $in2infty,$t0,$t2
906 csetm $in2infty,ne // ~in2infty
908 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
910 ldp $a0,$a1,[$ap_real,#64] // in1_z
911 ldp $a2,$a3,[$ap_real,#64+16]
914 orr $in1infty,$t0,$t2
916 csetm $in1infty,ne // ~in1infty
918 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
920 ldr $bi,[$bp_real,#64]
921 ldp $a0,$a1,[sp,#$Z2sqr]
922 ldp $a2,$a3,[sp,#$Z2sqr+16]
925 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
927 ldr $bi,[$ap_real,#64]
928 ldp $a0,$a1,[sp,#$Z1sqr]
929 ldp $a2,$a3,[sp,#$Z1sqr+16]
932 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
934 ldr $bi,[$ap_real,#32]
935 ldp $a0,$a1,[sp,#$S1]
936 ldp $a2,$a3,[sp,#$S1+16]
939 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
941 ldr $bi,[$bp_real,#32]
942 ldp $a0,$a1,[sp,#$S2]
943 ldp $a2,$a3,[sp,#$S2+16]
946 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
949 ldr $bi,[sp,#$Z2sqr] // forward load for p256_mul_mont
950 ldp $a0,$a1,[$ap_real]
951 ldp $a2,$a3,[$ap_real,#16]
953 bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
955 orr $acc0,$acc0,$acc1 // see if result is zero
956 orr $acc2,$acc2,$acc3
957 orr $temp0,$acc0,$acc2 // ~is_equal(S1,S2)
961 bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
964 ldp $a0,$a1,[$bp_real]
965 ldp $a2,$a3,[$bp_real,#16]
968 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
971 ldp $a0,$a1,[sp,#$R] // forward load for p256_sqr_mont
972 ldp $a2,$a3,[sp,#$R+16]
974 bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
976 orr $acc0,$acc0,$acc1 // see if result is zero
977 orr $acc2,$acc2,$acc3
978 orr $acc0,$acc0,$acc2 // ~is_equal(U1,U2)
980 mvn $temp1,$in1infty // -1/0 -> 0/-1
981 mvn $temp2,$in2infty // -1/0 -> 0/-1
982 orr $acc0,$acc0,$temp1
983 orr $acc0,$acc0,$temp2
984 orr $acc0,$acc0,$temp0
985 cbnz $acc0,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
990 ldp x23,x24,[x29,#48]
991 ldp x25,x26,[x29,#64]
992 ldp x27,x28,[x29,#80]
993 add sp,sp,#32*(12-4) // difference in stack frames
999 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1001 ldr $bi,[$ap_real,#64]
1002 ldp $a0,$a1,[sp,#$H]
1003 ldp $a2,$a3,[sp,#$H+16]
1004 add $bp,$ap_real,#64
1006 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1008 ldp $a0,$a1,[sp,#$H]
1009 ldp $a2,$a3,[sp,#$H+16]
1011 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1013 ldr $bi,[$bp_real,#64]
1014 ldp $a0,$a1,[sp,#$res_z]
1015 ldp $a2,$a3,[sp,#$res_z+16]
1016 add $bp,$bp_real,#64
1018 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
1021 ldp $a0,$a1,[sp,#$Hsqr]
1022 ldp $a2,$a3,[sp,#$Hsqr+16]
1025 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1028 ldp $a0,$a1,[sp,#$U1]
1029 ldp $a2,$a3,[sp,#$U1+16]
1032 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
1039 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1043 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1046 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1049 ldr $bi,[sp,#$Hcub] // forward load for p256_mul_mont
1050 ldp $a0,$a1,[sp,#$S1]
1051 ldp $a2,$a3,[sp,#$S1+16]
1053 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1057 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
1060 ldp $a0,$a1,[sp,#$res_y]
1061 ldp $a2,$a3,[sp,#$res_y+16]
1064 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1067 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1069 ldp $a0,$a1,[sp,#$res_x] // res
1070 ldp $a2,$a3,[sp,#$res_x+16]
1071 ldp $t0,$t1,[$bp_real] // in2
1072 ldp $t2,$t3,[$bp_real,#16]
1074 for($i=0;$i<64;$i+=32) { # conditional moves
1076 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1077 cmp $in1infty,#0 // ~$in1intfy, remember?
1078 ldp $acc2,$acc3,[$ap_real,#$i+16]
1081 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1084 cmp $in2infty,#0 // ~$in2intfy, remember?
1085 ldp $a2,$a3,[sp,#$res_x+$i+48]
1086 csel $acc0,$t0,$acc0,ne
1087 csel $acc1,$t1,$acc1,ne
1088 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1089 csel $acc2,$t2,$acc2,ne
1090 csel $acc3,$t3,$acc3,ne
1091 ldp $t2,$t3,[$bp_real,#$i+48]
1092 stp $acc0,$acc1,[$rp_real,#$i]
1093 stp $acc2,$acc3,[$rp_real,#$i+16]
1097 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1098 cmp $in1infty,#0 // ~$in1intfy, remember?
1099 ldp $acc2,$acc3,[$ap_real,#$i+16]
1104 cmp $in2infty,#0 // ~$in2intfy, remember?
1105 csel $acc0,$t0,$acc0,ne
1106 csel $acc1,$t1,$acc1,ne
1107 csel $acc2,$t2,$acc2,ne
1108 csel $acc3,$t3,$acc3,ne
1109 stp $acc0,$acc1,[$rp_real,#$i]
1110 stp $acc2,$acc3,[$rp_real,#$i+16]
1113 add sp,x29,#0 // destroy frame
1114 ldp x19,x20,[x29,#16]
1115 ldp x21,x22,[x29,#32]
1116 ldp x23,x24,[x29,#48]
1117 ldp x25,x26,[x29,#64]
1118 ldp x27,x28,[x29,#80]
1119 ldp x29,x30,[sp],#96
1120 .inst 0xd50323bf // autiasp
1122 .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
1126 ########################################################################
1127 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
1128 # const P256_POINT_AFFINE *in2);
1130 my ($res_x,$res_y,$res_z,
1131 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9));
1133 # above map() describes stack layout with 10 temporary
1134 # 256-bit vectors on top.
1135 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
1138 .globl ecp_nistz256_point_add_affine
1139 .type ecp_nistz256_point_add_affine,%function
1141 ecp_nistz256_point_add_affine:
1142 .inst 0xd503233f // paciasp
1143 stp x29,x30,[sp,#-80]!
1145 stp x19,x20,[sp,#16]
1146 stp x21,x22,[sp,#32]
1147 stp x23,x24,[sp,#48]
1148 stp x25,x26,[sp,#64]
1155 ldr $poly3,.Lpoly+24
1157 ldp $a0,$a1,[$ap,#64] // in1_z
1158 ldp $a2,$a3,[$ap,#64+16]
1161 orr $in1infty,$t0,$t2
1163 csetm $in1infty,ne // ~in1infty
1165 ldp $acc0,$acc1,[$bp] // in2_x
1166 ldp $acc2,$acc3,[$bp,#16]
1167 ldp $t0,$t1,[$bp,#32] // in2_y
1168 ldp $t2,$t3,[$bp,#48]
1169 orr $acc0,$acc0,$acc1
1170 orr $acc2,$acc2,$acc3
1173 orr $acc0,$acc0,$acc2
1175 orr $in2infty,$acc0,$t0
1177 csetm $in2infty,ne // ~in2infty
1180 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
1189 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
1192 ldr $bi,[$ap_real,#64] // forward load for p256_mul_mont
1193 ldp $a0,$a1,[sp,#$Z1sqr]
1194 ldp $a2,$a3,[sp,#$Z1sqr+16]
1196 bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
1198 add $bp,$ap_real,#64
1200 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
1202 ldr $bi,[$ap_real,#64]
1203 ldp $a0,$a1,[sp,#$H]
1204 ldp $a2,$a3,[sp,#$H+16]
1205 add $bp,$ap_real,#64
1207 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1209 ldr $bi,[$bp_real,#32]
1210 ldp $a0,$a1,[sp,#$S2]
1211 ldp $a2,$a3,[sp,#$S2+16]
1212 add $bp,$bp_real,#32
1214 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
1216 add $bp,$ap_real,#32
1217 ldp $a0,$a1,[sp,#$H] // forward load for p256_sqr_mont
1218 ldp $a2,$a3,[sp,#$H+16]
1220 bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
1223 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1225 ldp $a0,$a1,[sp,#$R]
1226 ldp $a2,$a3,[sp,#$R+16]
1228 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1231 ldp $a0,$a1,[sp,#$Hsqr]
1232 ldp $a2,$a3,[sp,#$Hsqr+16]
1235 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1238 ldp $a0,$a1,[sp,#$Hsqr]
1239 ldp $a2,$a3,[sp,#$Hsqr+16]
1242 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
1249 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1253 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1256 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1259 ldr $bi,[$ap_real,#32] // forward load for p256_mul_mont
1260 ldp $a0,$a1,[sp,#$Hcub]
1261 ldp $a2,$a3,[sp,#$Hcub+16]
1263 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1265 add $bp,$ap_real,#32
1267 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
1270 ldp $a0,$a1,[sp,#$res_y]
1271 ldp $a2,$a3,[sp,#$res_y+16]
1274 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1277 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1279 ldp $a0,$a1,[sp,#$res_x] // res
1280 ldp $a2,$a3,[sp,#$res_x+16]
1281 ldp $t0,$t1,[$bp_real] // in2
1282 ldp $t2,$t3,[$bp_real,#16]
1284 for($i=0;$i<64;$i+=32) { # conditional moves
1286 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1287 cmp $in1infty,#0 // ~$in1intfy, remember?
1288 ldp $acc2,$acc3,[$ap_real,#$i+16]
1291 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1294 cmp $in2infty,#0 // ~$in2intfy, remember?
1295 ldp $a2,$a3,[sp,#$res_x+$i+48]
1296 csel $acc0,$t0,$acc0,ne
1297 csel $acc1,$t1,$acc1,ne
1298 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1299 csel $acc2,$t2,$acc2,ne
1300 csel $acc3,$t3,$acc3,ne
1301 ldp $t2,$t3,[$bp_real,#$i+48]
1302 stp $acc0,$acc1,[$rp_real,#$i]
1303 stp $acc2,$acc3,[$rp_real,#$i+16]
1305 $code.=<<___ if ($i == 0);
1306 adr $bp_real,.Lone_mont-64
1310 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1311 cmp $in1infty,#0 // ~$in1intfy, remember?
1312 ldp $acc2,$acc3,[$ap_real,#$i+16]
1317 cmp $in2infty,#0 // ~$in2intfy, remember?
1318 csel $acc0,$t0,$acc0,ne
1319 csel $acc1,$t1,$acc1,ne
1320 csel $acc2,$t2,$acc2,ne
1321 csel $acc3,$t3,$acc3,ne
1322 stp $acc0,$acc1,[$rp_real,#$i]
1323 stp $acc2,$acc3,[$rp_real,#$i+16]
1325 add sp,x29,#0 // destroy frame
1326 ldp x19,x20,[x29,#16]
1327 ldp x21,x22,[x29,#32]
1328 ldp x23,x24,[x29,#48]
1329 ldp x25,x26,[x29,#64]
1330 ldp x29,x30,[sp],#80
1331 .inst 0xd50323bf // autiasp
1333 .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
1337 my ($ord0,$ord1) = ($poly1,$poly3);
1338 my ($ord2,$ord3,$ordk,$t4) = map("x$_",(21..24));
1342 ////////////////////////////////////////////////////////////////////////
1343 // void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
1345 .globl ecp_nistz256_ord_mul_mont
1346 .type ecp_nistz256_ord_mul_mont,%function
1348 ecp_nistz256_ord_mul_mont:
1349 stp x29,x30,[sp,#-64]!
1351 stp x19,x20,[sp,#16]
1352 stp x21,x22,[sp,#32]
1353 stp x23,x24,[sp,#48]
1356 ldr $bi,[$bp] // bp[0]
1358 ldp $a2,$a3,[$ap,#16]
1360 ldp $ord0,$ord1,[$ordk,#0]
1361 ldp $ord2,$ord3,[$ordk,#16]
1362 ldr $ordk,[$ordk,#32]
1364 mul $acc0,$a0,$bi // a[0]*b[0]
1367 mul $acc1,$a1,$bi // a[1]*b[0]
1370 mul $acc2,$a2,$bi // a[2]*b[0]
1373 mul $acc3,$a3,$bi // a[3]*b[0]
1378 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
1379 adcs $acc2,$acc2,$t1
1380 adcs $acc3,$acc3,$t2
1384 for ($i=1;$i<4;$i++) {
1385 ################################################################
1386 # ffff0000.ffffffff.yyyyyyyy.zzzzzzzz
1388 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1390 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
1393 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1394 # - 0000abcd.efgh0000.abcdefgh.00000000.00000000
1395 # + abcdefgh.abcdefgh.yzayzbyz.cyzdyzey.zfyzgyzh
1397 ldr $bi,[$bp,#8*$i] // b[i]
1400 subs $acc2,$acc2,$t4
1402 sbcs $acc3,$acc3,$t0
1403 sbcs $acc4,$acc4,$t1
1416 adds $acc0,$acc1,$t2
1418 adcs $acc1,$acc2,$t3
1420 adcs $acc2,$acc3,$t4
1421 adcs $acc3,$acc4,$t4
1424 adds $acc0,$acc0,$t0 // accumulate low parts
1426 adcs $acc1,$acc1,$t1
1428 adcs $acc2,$acc2,$t2
1430 adcs $acc3,$acc3,$t3
1434 adds $acc1,$acc1,$t0 // accumulate high parts
1435 adcs $acc2,$acc2,$t1
1436 adcs $acc3,$acc3,$t2
1437 adcs $acc4,$acc4,$t3
1442 lsl $t0,$t4,#32 // last reduction
1443 subs $acc2,$acc2,$t4
1445 sbcs $acc3,$acc3,$t0
1446 sbcs $acc4,$acc4,$t1
1457 adds $acc0,$acc1,$t2
1458 adcs $acc1,$acc2,$t3
1459 adcs $acc2,$acc3,$t4
1460 adcs $acc3,$acc4,$t4
1463 subs $t0,$acc0,$ord0 // ret -= modulus
1464 sbcs $t1,$acc1,$ord1
1465 sbcs $t2,$acc2,$ord2
1466 sbcs $t3,$acc3,$ord3
1469 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
1470 csel $acc1,$acc1,$t1,lo
1471 csel $acc2,$acc2,$t2,lo
1472 stp $acc0,$acc1,[$rp]
1473 csel $acc3,$acc3,$t3,lo
1474 stp $acc2,$acc3,[$rp,#16]
1476 ldp x19,x20,[sp,#16]
1477 ldp x21,x22,[sp,#32]
1478 ldp x23,x24,[sp,#48]
1481 .size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont
1483 ////////////////////////////////////////////////////////////////////////
1484 // void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
1486 .globl ecp_nistz256_ord_sqr_mont
1487 .type ecp_nistz256_ord_sqr_mont,%function
1489 ecp_nistz256_ord_sqr_mont:
1490 stp x29,x30,[sp,#-64]!
1492 stp x19,x20,[sp,#16]
1493 stp x21,x22,[sp,#32]
1494 stp x23,x24,[sp,#48]
1498 ldp $a2,$a3,[$ap,#16]
1500 ldp $ord0,$ord1,[$ordk,#0]
1501 ldp $ord2,$ord3,[$ordk,#16]
1502 ldr $ordk,[$ordk,#32]
1508 ////////////////////////////////////////////////////////////////
1509 // | | | | | |a1*a0| |
1510 // | | | | |a2*a0| | |
1511 // | |a3*a2|a3*a0| | | |
1512 // | | | |a2*a1| | | |
1513 // | | |a3*a1| | | | |
1514 // *| | | | | | | | 2|
1515 // +|a3*a3|a2*a2|a1*a1|a0*a0|
1516 // |--+--+--+--+--+--+--+--|
1517 // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
1519 // "can't overflow" below mark carrying into high part of
1520 // multiplication result, which can't overflow, because it
1521 // can never be all ones.
1523 mul $acc1,$a1,$a0 // a[1]*a[0]
1525 mul $acc2,$a2,$a0 // a[2]*a[0]
1527 mul $acc3,$a3,$a0 // a[3]*a[0]
1530 adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
1531 mul $t0,$a2,$a1 // a[2]*a[1]
1533 adcs $acc3,$acc3,$t2
1534 mul $t2,$a3,$a1 // a[3]*a[1]
1536 adc $acc4,$acc4,xzr // can't overflow
1538 mul $acc5,$a3,$a2 // a[3]*a[2]
1541 adds $t1,$t1,$t2 // accumulate high parts of multiplication
1542 mul $acc0,$a0,$a0 // a[0]*a[0]
1543 adc $t2,$t3,xzr // can't overflow
1545 adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
1547 adcs $acc4,$acc4,$t1
1548 mul $t1,$a1,$a1 // a[1]*a[1]
1549 adcs $acc5,$acc5,$t2
1551 adc $acc6,$acc6,xzr // can't overflow
1553 adds $acc1,$acc1,$acc1 // acc[1-6]*=2
1554 mul $t2,$a2,$a2 // a[2]*a[2]
1555 adcs $acc2,$acc2,$acc2
1557 adcs $acc3,$acc3,$acc3
1558 mul $t3,$a3,$a3 // a[3]*a[3]
1559 adcs $acc4,$acc4,$acc4
1561 adcs $acc5,$acc5,$acc5
1562 adcs $acc6,$acc6,$acc6
1565 adds $acc1,$acc1,$a0 // +a[i]*a[i]
1567 adcs $acc2,$acc2,$t1
1568 adcs $acc3,$acc3,$a1
1569 adcs $acc4,$acc4,$t2
1570 adcs $acc5,$acc5,$a2
1571 adcs $acc6,$acc6,$t3
1574 for($i=0; $i<4; $i++) { # reductions
1584 adds $acc0,$acc1,$t2
1585 adcs $acc1,$acc2,$t3
1586 adcs $acc2,$acc3,$t4
1587 adc $acc3,xzr,$t4 // can't overflow
1589 $code.=<<___ if ($i<3);
1594 subs $acc1,$acc1,$t4
1596 sbcs $acc2,$acc2,$t0
1597 sbc $acc3,$acc3,$t1 // can't borrow
1599 ($t3,$t4) = ($t4,$t3);
1602 adds $acc0,$acc0,$acc4 // accumulate upper half
1603 adcs $acc1,$acc1,$acc5
1604 adcs $acc2,$acc2,$acc6
1605 adcs $acc3,$acc3,$acc7
1608 subs $t0,$acc0,$ord0 // ret -= modulus
1609 sbcs $t1,$acc1,$ord1
1610 sbcs $t2,$acc2,$ord2
1611 sbcs $t3,$acc3,$ord3
1614 csel $a0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
1615 csel $a1,$acc1,$t1,lo
1616 csel $a2,$acc2,$t2,lo
1617 csel $a3,$acc3,$t3,lo
1619 cbnz $bp,.Loop_ord_sqr
1622 stp $a2,$a3,[$rp,#16]
1624 ldp x19,x20,[sp,#16]
1625 ldp x21,x22,[sp,#32]
1626 ldp x23,x24,[sp,#48]
1629 .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont
1633 ########################################################################
1634 # scatter-gather subroutines
1636 my ($out,$inp,$index,$mask)=map("x$_",(0..3));
1638 // void ecp_nistz256_scatter_w5(void *x0,const P256_POINT *x1,
1640 .globl ecp_nistz256_scatter_w5
1641 .type ecp_nistz256_scatter_w5,%function
1643 ecp_nistz256_scatter_w5:
1644 stp x29,x30,[sp,#-16]!
1647 add $out,$out,$index,lsl#2
1649 ldp x4,x5,[$inp] // X
1650 ldp x6,x7,[$inp,#16]
1651 stur w4,[$out,#64*0-4]
1653 str w5,[$out,#64*1-4]
1655 str w6,[$out,#64*2-4]
1657 str w7,[$out,#64*3-4]
1659 str w4,[$out,#64*4-4]
1660 str w5,[$out,#64*5-4]
1661 str w6,[$out,#64*6-4]
1662 str w7,[$out,#64*7-4]
1665 ldp x4,x5,[$inp,#32] // Y
1666 ldp x6,x7,[$inp,#48]
1667 stur w4,[$out,#64*0-4]
1669 str w5,[$out,#64*1-4]
1671 str w6,[$out,#64*2-4]
1673 str w7,[$out,#64*3-4]
1675 str w4,[$out,#64*4-4]
1676 str w5,[$out,#64*5-4]
1677 str w6,[$out,#64*6-4]
1678 str w7,[$out,#64*7-4]
1681 ldp x4,x5,[$inp,#64] // Z
1682 ldp x6,x7,[$inp,#80]
1683 stur w4,[$out,#64*0-4]
1685 str w5,[$out,#64*1-4]
1687 str w6,[$out,#64*2-4]
1689 str w7,[$out,#64*3-4]
1691 str w4,[$out,#64*4-4]
1692 str w5,[$out,#64*5-4]
1693 str w6,[$out,#64*6-4]
1694 str w7,[$out,#64*7-4]
1698 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
1700 // void ecp_nistz256_gather_w5(P256_POINT *x0,const void *x1,
1702 .globl ecp_nistz256_gather_w5
1703 .type ecp_nistz256_gather_w5,%function
1705 ecp_nistz256_gather_w5:
1706 stp x29,x30,[sp,#-16]!
1711 add $index,$index,x3
1712 add $inp,$inp,$index,lsl#2
1720 ldr w10,[$inp,#64*6]
1721 ldr w11,[$inp,#64*7]
1725 orr x6,x6,x10,lsl#32
1726 orr x7,x7,x11,lsl#32
1731 stp x4,x5,[$out] // X
1732 stp x6,x7,[$out,#16]
1740 ldr w10,[$inp,#64*6]
1741 ldr w11,[$inp,#64*7]
1745 orr x6,x6,x10,lsl#32
1746 orr x7,x7,x11,lsl#32
1751 stp x4,x5,[$out,#32] // Y
1752 stp x6,x7,[$out,#48]
1760 ldr w10,[$inp,#64*6]
1761 ldr w11,[$inp,#64*7]
1764 orr x6,x6,x10,lsl#32
1765 orr x7,x7,x11,lsl#32
1770 stp x4,x5,[$out,#64] // Z
1771 stp x6,x7,[$out,#80]
1775 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
1777 // void ecp_nistz256_scatter_w7(void *x0,const P256_POINT_AFFINE *x1,
1779 .globl ecp_nistz256_scatter_w7
1780 .type ecp_nistz256_scatter_w7,%function
1782 ecp_nistz256_scatter_w7:
1783 stp x29,x30,[sp,#-16]!
1786 add $out,$out,$index
1790 subs $index,$index,#1
1791 prfm pstl1strm,[$out,#4096+64*0]
1792 prfm pstl1strm,[$out,#4096+64*1]
1793 prfm pstl1strm,[$out,#4096+64*2]
1794 prfm pstl1strm,[$out,#4096+64*3]
1795 prfm pstl1strm,[$out,#4096+64*4]
1796 prfm pstl1strm,[$out,#4096+64*5]
1797 prfm pstl1strm,[$out,#4096+64*6]
1798 prfm pstl1strm,[$out,#4096+64*7]
1799 strb w3,[$out,#64*0]
1801 strb w3,[$out,#64*1]
1803 strb w3,[$out,#64*2]
1805 strb w3,[$out,#64*3]
1807 strb w3,[$out,#64*4]
1809 strb w3,[$out,#64*5]
1811 strb w3,[$out,#64*6]
1813 strb w3,[$out,#64*7]
1815 b.ne .Loop_scatter_w7
1819 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
1821 // void ecp_nistz256_gather_w7(P256_POINT_AFFINE *x0,const void *x1,
1823 .globl ecp_nistz256_gather_w7
1824 .type ecp_nistz256_gather_w7,%function
1826 ecp_nistz256_gather_w7:
1827 stp x29,x30,[sp,#-16]!
1832 add $index,$index,x3
1833 add $inp,$inp,$index
1837 ldrb w4,[$inp,#64*0]
1838 prfm pldl1strm,[$inp,#4096+64*0]
1839 subs $index,$index,#1
1840 ldrb w5,[$inp,#64*1]
1841 prfm pldl1strm,[$inp,#4096+64*1]
1842 ldrb w6,[$inp,#64*2]
1843 prfm pldl1strm,[$inp,#4096+64*2]
1844 ldrb w7,[$inp,#64*3]
1845 prfm pldl1strm,[$inp,#4096+64*3]
1846 ldrb w8,[$inp,#64*4]
1847 prfm pldl1strm,[$inp,#4096+64*4]
1848 ldrb w9,[$inp,#64*5]
1849 prfm pldl1strm,[$inp,#4096+64*5]
1850 ldrb w10,[$inp,#64*6]
1851 prfm pldl1strm,[$inp,#4096+64*6]
1852 ldrb w11,[$inp,#64*7]
1853 prfm pldl1strm,[$inp,#4096+64*7]
1859 orr x10,x10,x11,lsl#8
1861 orr x4,x4,x10,lsl#48
1864 b.ne .Loop_gather_w7
1868 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
1872 foreach (split("\n",$code)) {
1873 s/\`([^\`]*)\`/eval $1/ge;
1877 close STDOUT or die "error closing STDOUT: $!"; # enforce flush
projects / openssl.git / blob