2 # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # ECP_NISTZ256 module for ARMv8.
21 # Original ECP_NISTZ256 submission targeting x86_64 is detailed in
22 # http://eprint.iacr.org/2013/816.
24 # with/without -DECP_NISTZ256_ASM
26 # Cortex-A53 +190-400%
27 # Cortex-A57 +190-350%
30 # Ranges denote minimum and maximum improvement coefficients depending
31 # on benchmark. Lower coefficients are for ECDSA sign, server-side
32 # operation. Keep in mind that +400% means 5x improvement.
34 # $output is the last argument if it looks like a file (it has an extension)
35 # $flavour is the first argument if it doesn't look like a file
36 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
37 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
39 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
41 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
42 die "can't locate arm-xlate.pl";
44 open OUT,"| \"$^X\" $xlate $flavour \"$output\""
45 or die "can't call $xlate: $!";
49 my ($rp,$ap,$bp,$bi,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3,$poly1,$poly3,
50 $acc0,$acc1,$acc2,$acc3,$acc4,$acc5) =
51 map("x$_",(0..17,19,20));
53 my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont
60 ########################################################################
61 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
63 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
64 open TABLE,"<ecp_nistz256_table.c" or
65 open TABLE,"<${dir}../ecp_nistz256_table.c" or
66 die "failed to open ecp_nistz256_table.c:",$!;
71 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
75 # See ecp_nistz256_table.c for explanation for why it's 64*16*37.
76 # 64*16*37-1 is because $#arr returns last valid index or @arr, not
78 die "insane number of elements" if ($#arr != 64*16*37-1);
81 .globl ecp_nistz256_precomputed
82 .type ecp_nistz256_precomputed,%object
84 ecp_nistz256_precomputed:
86 ########################################################################
87 # this conversion smashes P256_POINT_AFFINE by individual bytes with
88 # 64 byte interval, similar to
92 @tbl = splice(@arr,0,64*16);
93 for($i=0;$i<64;$i++) {
95 for($j=0;$j<64;$j++) {
96 push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff;
99 $code.=join(',',map { sprintf "0x%02x",$_} @line);
104 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
107 .quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001
108 .LRR: // 2^512 mod P precomputed for NIST P256 polynomial
109 .quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd
111 .quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe
115 .quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000
117 .quad 0xccd1c8aaee00bc4f
118 .asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
120 // void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
121 .globl ecp_nistz256_to_mont
122 .type ecp_nistz256_to_mont,%function
124 ecp_nistz256_to_mont:
125 .inst 0xd503233f // paciasp
126 stp x29,x30,[sp,#-32]!
130 ldr $bi,.LRR // bp[0]
132 ldp $a2,$a3,[$ap,#16]
135 adr $bp,.LRR // &bp[0]
137 bl __ecp_nistz256_mul_mont
141 .inst 0xd50323bf // autiasp
143 .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
145 // void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
146 .globl ecp_nistz256_from_mont
147 .type ecp_nistz256_from_mont,%function
149 ecp_nistz256_from_mont:
150 .inst 0xd503233f // paciasp
151 stp x29,x30,[sp,#-32]!
157 ldp $a2,$a3,[$ap,#16]
160 adr $bp,.Lone // &bp[0]
162 bl __ecp_nistz256_mul_mont
166 .inst 0xd50323bf // autiasp
168 .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
170 // void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
171 // const BN_ULONG x2[4]);
172 .globl ecp_nistz256_mul_mont
173 .type ecp_nistz256_mul_mont,%function
175 ecp_nistz256_mul_mont:
176 .inst 0xd503233f // paciasp
177 stp x29,x30,[sp,#-32]!
181 ldr $bi,[$bp] // bp[0]
183 ldp $a2,$a3,[$ap,#16]
187 bl __ecp_nistz256_mul_mont
191 .inst 0xd50323bf // autiasp
193 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
195 // void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
196 .globl ecp_nistz256_sqr_mont
197 .type ecp_nistz256_sqr_mont,%function
199 ecp_nistz256_sqr_mont:
200 .inst 0xd503233f // paciasp
201 stp x29,x30,[sp,#-32]!
206 ldp $a2,$a3,[$ap,#16]
210 bl __ecp_nistz256_sqr_mont
214 .inst 0xd50323bf // autiasp
216 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
218 // void ecp_nistz256_add(BN_ULONG x0[4],const BN_ULONG x1[4],
219 // const BN_ULONG x2[4]);
220 .globl ecp_nistz256_add
221 .type ecp_nistz256_add,%function
224 .inst 0xd503233f // paciasp
225 stp x29,x30,[sp,#-16]!
228 ldp $acc0,$acc1,[$ap]
230 ldp $acc2,$acc3,[$ap,#16]
231 ldp $t2,$t3,[$bp,#16]
235 bl __ecp_nistz256_add
238 .inst 0xd50323bf // autiasp
240 .size ecp_nistz256_add,.-ecp_nistz256_add
242 // void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
243 .globl ecp_nistz256_div_by_2
244 .type ecp_nistz256_div_by_2,%function
246 ecp_nistz256_div_by_2:
247 .inst 0xd503233f // paciasp
248 stp x29,x30,[sp,#-16]!
251 ldp $acc0,$acc1,[$ap]
252 ldp $acc2,$acc3,[$ap,#16]
256 bl __ecp_nistz256_div_by_2
259 .inst 0xd50323bf // autiasp
261 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
263 // void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
264 .globl ecp_nistz256_mul_by_2
265 .type ecp_nistz256_mul_by_2,%function
267 ecp_nistz256_mul_by_2:
268 .inst 0xd503233f // paciasp
269 stp x29,x30,[sp,#-16]!
272 ldp $acc0,$acc1,[$ap]
273 ldp $acc2,$acc3,[$ap,#16]
281 bl __ecp_nistz256_add // ret = a+a // 2*a
284 .inst 0xd50323bf // autiasp
286 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
288 // void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
289 .globl ecp_nistz256_mul_by_3
290 .type ecp_nistz256_mul_by_3,%function
292 ecp_nistz256_mul_by_3:
293 .inst 0xd503233f // paciasp
294 stp x29,x30,[sp,#-16]!
297 ldp $acc0,$acc1,[$ap]
298 ldp $acc2,$acc3,[$ap,#16]
310 bl __ecp_nistz256_add // ret = a+a // 2*a
317 bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
320 .inst 0xd50323bf // autiasp
322 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
324 // void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
325 // const BN_ULONG x2[4]);
326 .globl ecp_nistz256_sub
327 .type ecp_nistz256_sub,%function
330 .inst 0xd503233f // paciasp
331 stp x29,x30,[sp,#-16]!
334 ldp $acc0,$acc1,[$ap]
335 ldp $acc2,$acc3,[$ap,#16]
339 bl __ecp_nistz256_sub_from
342 .inst 0xd50323bf // autiasp
344 .size ecp_nistz256_sub,.-ecp_nistz256_sub
346 // void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
347 .globl ecp_nistz256_neg
348 .type ecp_nistz256_neg,%function
351 .inst 0xd503233f // paciasp
352 stp x29,x30,[sp,#-16]!
356 mov $acc0,xzr // a = 0
363 bl __ecp_nistz256_sub_from
366 .inst 0xd50323bf // autiasp
368 .size ecp_nistz256_neg,.-ecp_nistz256_neg
370 // note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
371 // to $a0-$a3 and b[0] - to $bi
372 .type __ecp_nistz256_mul_mont,%function
374 __ecp_nistz256_mul_mont:
375 mul $acc0,$a0,$bi // a[0]*b[0]
378 mul $acc1,$a1,$bi // a[1]*b[0]
381 mul $acc2,$a2,$bi // a[2]*b[0]
384 mul $acc3,$a3,$bi // a[3]*b[0]
386 ldr $bi,[$bp,#8] // b[1]
388 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
396 for($i=1;$i<4;$i++) {
397 # Reduction iteration is normally performed by accumulating
398 # result of multiplication of modulus by "magic" digit [and
399 # omitting least significant word, which is guaranteed to
400 # be 0], but thanks to special form of modulus and "magic"
401 # digit being equal to least significant word, it can be
402 # performed with additions and subtractions alone. Indeed:
404 # ffff0001.00000000.0000ffff.ffffffff
406 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
408 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
411 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
412 # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
413 # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
415 # or marking redundant operations:
417 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
418 # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
419 # - 0000abcd.efgh0000.--------.--------.--------
422 subs $t2,$acc0,$t0 // "*0xffff0001"
424 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
425 mul $t0,$a0,$bi // lo(a[0]*b[i])
427 mul $t1,$a1,$bi // lo(a[1]*b[i])
428 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
429 mul $t2,$a2,$bi // lo(a[2]*b[i])
431 mul $t3,$a3,$bi // lo(a[3]*b[i])
434 adds $acc0,$acc0,$t0 // accumulate low parts of multiplication
435 umulh $t0,$a0,$bi // hi(a[0]*b[i])
437 umulh $t1,$a1,$bi // hi(a[1]*b[i])
439 umulh $t2,$a2,$bi // hi(a[2]*b[i])
441 umulh $t3,$a3,$bi // hi(a[3]*b[i])
444 $code.=<<___ if ($i<3);
445 ldr $bi,[$bp,#8*($i+1)] // b[$i+1]
448 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
459 subs $t2,$acc0,$t0 // "*0xffff0001"
461 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
463 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
467 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
468 sbcs $t1,$acc1,$poly1
470 sbcs $t3,$acc3,$poly3
471 sbcs xzr,$acc4,xzr // did it borrow?
473 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
474 csel $acc1,$acc1,$t1,lo
475 csel $acc2,$acc2,$t2,lo
476 stp $acc0,$acc1,[$rp]
477 csel $acc3,$acc3,$t3,lo
478 stp $acc2,$acc3,[$rp,#16]
481 .size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
483 // note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
485 .type __ecp_nistz256_sqr_mont,%function
487 __ecp_nistz256_sqr_mont:
488 // | | | | | |a1*a0| |
489 // | | | | |a2*a0| | |
490 // | |a3*a2|a3*a0| | | |
491 // | | | |a2*a1| | | |
492 // | | |a3*a1| | | | |
493 // *| | | | | | | | 2|
494 // +|a3*a3|a2*a2|a1*a1|a0*a0|
495 // |--+--+--+--+--+--+--+--|
496 // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
498 // "can't overflow" below mark carrying into high part of
499 // multiplication result, which can't overflow, because it
500 // can never be all ones.
502 mul $acc1,$a1,$a0 // a[1]*a[0]
504 mul $acc2,$a2,$a0 // a[2]*a[0]
506 mul $acc3,$a3,$a0 // a[3]*a[0]
509 adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
510 mul $t0,$a2,$a1 // a[2]*a[1]
513 mul $t2,$a3,$a1 // a[3]*a[1]
515 adc $acc4,$acc4,xzr // can't overflow
517 mul $acc5,$a3,$a2 // a[3]*a[2]
520 adds $t1,$t1,$t2 // accumulate high parts of multiplication
521 mul $acc0,$a0,$a0 // a[0]*a[0]
522 adc $t2,$t3,xzr // can't overflow
524 adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
527 mul $t1,$a1,$a1 // a[1]*a[1]
530 adc $acc6,$acc6,xzr // can't overflow
532 adds $acc1,$acc1,$acc1 // acc[1-6]*=2
533 mul $t2,$a2,$a2 // a[2]*a[2]
534 adcs $acc2,$acc2,$acc2
536 adcs $acc3,$acc3,$acc3
537 mul $t3,$a3,$a3 // a[3]*a[3]
538 adcs $acc4,$acc4,$acc4
540 adcs $acc5,$acc5,$acc5
541 adcs $acc6,$acc6,$acc6
544 adds $acc1,$acc1,$a0 // +a[i]*a[i]
554 for($i=0;$i<3;$i++) { # reductions, see commentary in
555 # multiplication for details
557 subs $t2,$acc0,$t0 // "*0xffff0001"
559 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
562 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
564 adc $acc3,$t3,xzr // can't overflow
568 subs $t2,$acc0,$t0 // "*0xffff0001"
570 adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0]
572 adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001
573 adc $acc3,$t3,xzr // can't overflow
575 adds $acc0,$acc0,$acc4 // accumulate upper half
576 adcs $acc1,$acc1,$acc5
577 adcs $acc2,$acc2,$acc6
578 adcs $acc3,$acc3,$acc7
581 adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus
582 sbcs $t1,$acc1,$poly1
584 sbcs $t3,$acc3,$poly3
585 sbcs xzr,$acc4,xzr // did it borrow?
587 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
588 csel $acc1,$acc1,$t1,lo
589 csel $acc2,$acc2,$t2,lo
590 stp $acc0,$acc1,[$rp]
591 csel $acc3,$acc3,$t3,lo
592 stp $acc2,$acc3,[$rp,#16]
595 .size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
597 // Note that __ecp_nistz256_add expects both input vectors pre-loaded to
598 // $a0-$a3 and $t0-$t3. This is done because it's used in multiple
599 // contexts, e.g. in multiplication by 2 and 3...
600 .type __ecp_nistz256_add,%function
603 adds $acc0,$acc0,$t0 // ret = a+b
607 adc $ap,xzr,xzr // zap $ap
609 adds $t0,$acc0,#1 // subs $t0,$a0,#-1 // tmp = ret-modulus
610 sbcs $t1,$acc1,$poly1
612 sbcs $t3,$acc3,$poly3
613 sbcs xzr,$ap,xzr // did subtraction borrow?
615 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
616 csel $acc1,$acc1,$t1,lo
617 csel $acc2,$acc2,$t2,lo
618 stp $acc0,$acc1,[$rp]
619 csel $acc3,$acc3,$t3,lo
620 stp $acc2,$acc3,[$rp,#16]
623 .size __ecp_nistz256_add,.-__ecp_nistz256_add
625 .type __ecp_nistz256_sub_from,%function
627 __ecp_nistz256_sub_from:
629 ldp $t2,$t3,[$bp,#16]
630 subs $acc0,$acc0,$t0 // ret = a-b
634 sbc $ap,xzr,xzr // zap $ap
636 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
637 adcs $t1,$acc1,$poly1
640 cmp $ap,xzr // did subtraction borrow?
642 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
643 csel $acc1,$acc1,$t1,eq
644 csel $acc2,$acc2,$t2,eq
645 stp $acc0,$acc1,[$rp]
646 csel $acc3,$acc3,$t3,eq
647 stp $acc2,$acc3,[$rp,#16]
650 .size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
652 .type __ecp_nistz256_sub_morf,%function
654 __ecp_nistz256_sub_morf:
656 ldp $t2,$t3,[$bp,#16]
657 subs $acc0,$t0,$acc0 // ret = b-a
661 sbc $ap,xzr,xzr // zap $ap
663 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus
664 adcs $t1,$acc1,$poly1
667 cmp $ap,xzr // did subtraction borrow?
669 csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret
670 csel $acc1,$acc1,$t1,eq
671 csel $acc2,$acc2,$t2,eq
672 stp $acc0,$acc1,[$rp]
673 csel $acc3,$acc3,$t3,eq
674 stp $acc2,$acc3,[$rp,#16]
677 .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
679 .type __ecp_nistz256_div_by_2,%function
681 __ecp_nistz256_div_by_2:
682 subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = a+modulus
683 adcs $t1,$acc1,$poly1
685 adcs $t3,$acc3,$poly3
686 adc $ap,xzr,xzr // zap $ap
687 tst $acc0,#1 // is a even?
689 csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus
690 csel $acc1,$acc1,$t1,eq
691 csel $acc2,$acc2,$t2,eq
692 csel $acc3,$acc3,$t3,eq
695 lsr $acc0,$acc0,#1 // ret >>= 1
696 orr $acc0,$acc0,$acc1,lsl#63
698 orr $acc1,$acc1,$acc2,lsl#63
700 orr $acc2,$acc2,$acc3,lsl#63
702 stp $acc0,$acc1,[$rp]
703 orr $acc3,$acc3,$ap,lsl#63
704 stp $acc2,$acc3,[$rp,#16]
707 .size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
709 ########################################################################
710 # following subroutines are "literal" implementation of those found in
713 ########################################################################
714 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
717 my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3));
718 # above map() describes stack layout with 4 temporary
719 # 256-bit vectors on top.
720 my ($rp_real,$ap_real) = map("x$_",(21,22));
723 .globl ecp_nistz256_point_double
724 .type ecp_nistz256_point_double,%function
726 ecp_nistz256_point_double:
727 .inst 0xd503233f // paciasp
728 stp x29,x30,[sp,#-80]!
735 ldp $acc0,$acc1,[$ap,#32]
737 ldp $acc2,$acc3,[$ap,#48]
743 ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont
746 ldp $a2,$a3,[$ap_real,#64+16]
748 bl __ecp_nistz256_add // p256_mul_by_2(S, in_y);
751 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z);
753 ldp $t0,$t1,[$ap_real]
754 ldp $t2,$t3,[$ap_real,#16]
755 mov $a0,$acc0 // put Zsqr aside for p256_sub
760 bl __ecp_nistz256_add // p256_add(M, Zsqr, in_x);
763 mov $acc0,$a0 // restore Zsqr
765 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
768 ldp $a2,$a3,[sp,#$S+16]
770 bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr);
773 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S);
775 ldr $bi,[$ap_real,#32]
776 ldp $a0,$a1,[$ap_real,#64]
777 ldp $a2,$a3,[$ap_real,#64+16]
780 bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y);
784 ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont
787 ldp $a2,$a3,[sp,#$S+16]
789 bl __ecp_nistz256_add // p256_mul_by_2(res_z, tmp0);
792 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S);
794 ldr $bi,[sp,#$Zsqr] // forward load for p256_mul_mont
796 ldp $a2,$a3,[sp,#$M+16]
798 bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0);
802 bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr);
804 mov $t0,$acc0 // duplicate M
808 mov $a0,$acc0 // put M aside
813 bl __ecp_nistz256_add
814 mov $t0,$a0 // restore M
816 ldr $bi,[$ap_real] // forward load for p256_mul_mont
820 ldp $a2,$a3,[sp,#$S+16]
821 bl __ecp_nistz256_add // p256_mul_by_3(M, M);
825 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x);
829 ldp $a0,$a1,[sp,#$M] // forward load for p256_sqr_mont
832 ldp $a2,$a3,[sp,#$M+16]
834 bl __ecp_nistz256_add // p256_mul_by_2(tmp0, S);
837 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M);
840 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0);
844 bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x);
847 mov $a0,$acc0 // copy S
852 bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M);
856 bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y);
858 add sp,x29,#0 // destroy frame
859 ldp x19,x20,[x29,#16]
860 ldp x21,x22,[x29,#32]
862 .inst 0xd50323bf // autiasp
864 .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
868 ########################################################################
869 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
870 # const P256_POINT *in2);
872 my ($res_x,$res_y,$res_z,
873 $H,$Hsqr,$R,$Rsqr,$Hcub,
874 $U1,$U2,$S1,$S2)=map(32*$_,(0..11));
875 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
876 # above map() describes stack layout with 12 temporary
877 # 256-bit vectors on top.
878 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
881 .globl ecp_nistz256_point_add
882 .type ecp_nistz256_point_add,%function
884 ecp_nistz256_point_add:
885 .inst 0xd503233f // paciasp
886 stp x29,x30,[sp,#-80]!
894 ldp $a0,$a1,[$bp,#64] // in2_z
895 ldp $a2,$a3,[$bp,#64+16]
903 orr $in2infty,$t0,$t2
905 csetm $in2infty,ne // !in2infty
907 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
909 ldp $a0,$a1,[$ap_real,#64] // in1_z
910 ldp $a2,$a3,[$ap_real,#64+16]
913 orr $in1infty,$t0,$t2
915 csetm $in1infty,ne // !in1infty
917 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
919 ldr $bi,[$bp_real,#64]
920 ldp $a0,$a1,[sp,#$Z2sqr]
921 ldp $a2,$a3,[sp,#$Z2sqr+16]
924 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z);
926 ldr $bi,[$ap_real,#64]
927 ldp $a0,$a1,[sp,#$Z1sqr]
928 ldp $a2,$a3,[sp,#$Z1sqr+16]
931 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
933 ldr $bi,[$ap_real,#32]
934 ldp $a0,$a1,[sp,#$S1]
935 ldp $a2,$a3,[sp,#$S1+16]
938 bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y);
940 ldr $bi,[$bp_real,#32]
941 ldp $a0,$a1,[sp,#$S2]
942 ldp $a2,$a3,[sp,#$S2+16]
945 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
948 ldr $bi,[sp,#$Z2sqr] // forward load for p256_mul_mont
949 ldp $a0,$a1,[$ap_real]
950 ldp $a2,$a3,[$ap_real,#16]
952 bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1);
954 orr $acc0,$acc0,$acc1 // see if result is zero
955 orr $acc2,$acc2,$acc3
956 orr $temp,$acc0,$acc2
960 bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr);
963 ldp $a0,$a1,[$bp_real]
964 ldp $a2,$a3,[$bp_real,#16]
967 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr);
970 ldp $a0,$a1,[sp,#$R] // forward load for p256_sqr_mont
971 ldp $a2,$a3,[sp,#$R+16]
973 bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1);
975 orr $acc0,$acc0,$acc1 // see if result is zero
976 orr $acc2,$acc2,$acc3
977 orr $acc0,$acc0,$acc2
979 b.ne .Ladd_proceed // is_equal(U1,U2)?
981 tst $in1infty,$in2infty
982 b.eq .Ladd_proceed // (in1infty || in2infty)?
985 b.eq .Ladd_double // is_equal(S1,S2)?
989 stp $a0,$a1,[$rp_real]
990 stp $a0,$a1,[$rp_real,#16]
991 stp $a0,$a1,[$rp_real,#32]
992 stp $a0,$a1,[$rp_real,#48]
993 stp $a0,$a1,[$rp_real,#64]
994 stp $a0,$a1,[$rp_real,#80]
1001 ldp x23,x24,[x29,#48]
1002 ldp x25,x26,[x29,#64]
1003 add sp,sp,#32*(12-4) // difference in stack frames
1009 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1011 ldr $bi,[$ap_real,#64]
1012 ldp $a0,$a1,[sp,#$H]
1013 ldp $a2,$a3,[sp,#$H+16]
1014 add $bp,$ap_real,#64
1016 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1018 ldp $a0,$a1,[sp,#$H]
1019 ldp $a2,$a3,[sp,#$H+16]
1021 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1023 ldr $bi,[$bp_real,#64]
1024 ldp $a0,$a1,[sp,#$res_z]
1025 ldp $a2,$a3,[sp,#$res_z+16]
1026 add $bp,$bp_real,#64
1028 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z);
1031 ldp $a0,$a1,[sp,#$Hsqr]
1032 ldp $a2,$a3,[sp,#$Hsqr+16]
1035 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1038 ldp $a0,$a1,[sp,#$U1]
1039 ldp $a2,$a3,[sp,#$U1+16]
1042 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr);
1049 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1053 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1056 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1059 ldr $bi,[sp,#$Hcub] // forward load for p256_mul_mont
1060 ldp $a0,$a1,[sp,#$S1]
1061 ldp $a2,$a3,[sp,#$S1+16]
1063 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1067 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub);
1070 ldp $a0,$a1,[sp,#$res_y]
1071 ldp $a2,$a3,[sp,#$res_y+16]
1074 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1077 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1079 ldp $a0,$a1,[sp,#$res_x] // res
1080 ldp $a2,$a3,[sp,#$res_x+16]
1081 ldp $t0,$t1,[$bp_real] // in2
1082 ldp $t2,$t3,[$bp_real,#16]
1084 for($i=0;$i<64;$i+=32) { # conditional moves
1086 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1087 cmp $in1infty,#0 // !$in1intfy, remember?
1088 ldp $acc2,$acc3,[$ap_real,#$i+16]
1091 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1094 cmp $in2infty,#0 // !$in2intfy, remember?
1095 ldp $a2,$a3,[sp,#$res_x+$i+48]
1096 csel $acc0,$t0,$acc0,ne
1097 csel $acc1,$t1,$acc1,ne
1098 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1099 csel $acc2,$t2,$acc2,ne
1100 csel $acc3,$t3,$acc3,ne
1101 ldp $t2,$t3,[$bp_real,#$i+48]
1102 stp $acc0,$acc1,[$rp_real,#$i]
1103 stp $acc2,$acc3,[$rp_real,#$i+16]
1107 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1108 cmp $in1infty,#0 // !$in1intfy, remember?
1109 ldp $acc2,$acc3,[$ap_real,#$i+16]
1114 cmp $in2infty,#0 // !$in2intfy, remember?
1115 csel $acc0,$t0,$acc0,ne
1116 csel $acc1,$t1,$acc1,ne
1117 csel $acc2,$t2,$acc2,ne
1118 csel $acc3,$t3,$acc3,ne
1119 stp $acc0,$acc1,[$rp_real,#$i]
1120 stp $acc2,$acc3,[$rp_real,#$i+16]
1123 add sp,x29,#0 // destroy frame
1124 ldp x19,x20,[x29,#16]
1125 ldp x21,x22,[x29,#32]
1126 ldp x23,x24,[x29,#48]
1127 ldp x25,x26,[x29,#64]
1128 ldp x29,x30,[sp],#80
1129 .inst 0xd50323bf // autiasp
1131 .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
1135 ########################################################################
1136 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
1137 # const P256_POINT_AFFINE *in2);
1139 my ($res_x,$res_y,$res_z,
1140 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9));
1142 # above map() describes stack layout with 10 temporary
1143 # 256-bit vectors on top.
1144 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
1147 .globl ecp_nistz256_point_add_affine
1148 .type ecp_nistz256_point_add_affine,%function
1150 ecp_nistz256_point_add_affine:
1151 .inst 0xd503233f // paciasp
1152 stp x29,x30,[sp,#-80]!
1154 stp x19,x20,[sp,#16]
1155 stp x21,x22,[sp,#32]
1156 stp x23,x24,[sp,#48]
1157 stp x25,x26,[sp,#64]
1164 ldr $poly3,.Lpoly+24
1166 ldp $a0,$a1,[$ap,#64] // in1_z
1167 ldp $a2,$a3,[$ap,#64+16]
1170 orr $in1infty,$t0,$t2
1172 csetm $in1infty,ne // !in1infty
1174 ldp $acc0,$acc1,[$bp] // in2_x
1175 ldp $acc2,$acc3,[$bp,#16]
1176 ldp $t0,$t1,[$bp,#32] // in2_y
1177 ldp $t2,$t3,[$bp,#48]
1178 orr $acc0,$acc0,$acc1
1179 orr $acc2,$acc2,$acc3
1182 orr $acc0,$acc0,$acc2
1184 orr $in2infty,$acc0,$t0
1186 csetm $in2infty,ne // !in2infty
1189 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
1198 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x);
1201 ldr $bi,[$ap_real,#64] // forward load for p256_mul_mont
1202 ldp $a0,$a1,[sp,#$Z1sqr]
1203 ldp $a2,$a3,[sp,#$Z1sqr+16]
1205 bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x);
1207 add $bp,$ap_real,#64
1209 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z);
1211 ldr $bi,[$ap_real,#64]
1212 ldp $a0,$a1,[sp,#$H]
1213 ldp $a2,$a3,[sp,#$H+16]
1214 add $bp,$ap_real,#64
1216 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z);
1218 ldr $bi,[$bp_real,#32]
1219 ldp $a0,$a1,[sp,#$S2]
1220 ldp $a2,$a3,[sp,#$S2+16]
1221 add $bp,$bp_real,#32
1223 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y);
1225 add $bp,$ap_real,#32
1226 ldp $a0,$a1,[sp,#$H] // forward load for p256_sqr_mont
1227 ldp $a2,$a3,[sp,#$H+16]
1229 bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y);
1232 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H);
1234 ldp $a0,$a1,[sp,#$R]
1235 ldp $a2,$a3,[sp,#$R+16]
1237 bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R);
1240 ldp $a0,$a1,[sp,#$Hsqr]
1241 ldp $a2,$a3,[sp,#$Hsqr+16]
1244 bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H);
1247 ldp $a0,$a1,[sp,#$Hsqr]
1248 ldp $a2,$a3,[sp,#$Hsqr+16]
1251 bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr);
1258 bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2);
1262 bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr);
1265 bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub);
1268 ldr $bi,[$ap_real,#32] // forward load for p256_mul_mont
1269 ldp $a0,$a1,[sp,#$Hcub]
1270 ldp $a2,$a3,[sp,#$Hcub+16]
1272 bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x);
1274 add $bp,$ap_real,#32
1276 bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub);
1279 ldp $a0,$a1,[sp,#$res_y]
1280 ldp $a2,$a3,[sp,#$res_y+16]
1283 bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R);
1286 bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2);
1288 ldp $a0,$a1,[sp,#$res_x] // res
1289 ldp $a2,$a3,[sp,#$res_x+16]
1290 ldp $t0,$t1,[$bp_real] // in2
1291 ldp $t2,$t3,[$bp_real,#16]
1293 for($i=0;$i<64;$i+=32) { # conditional moves
1295 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1296 cmp $in1infty,#0 // !$in1intfy, remember?
1297 ldp $acc2,$acc3,[$ap_real,#$i+16]
1300 ldp $a0,$a1,[sp,#$res_x+$i+32] // res
1303 cmp $in2infty,#0 // !$in2intfy, remember?
1304 ldp $a2,$a3,[sp,#$res_x+$i+48]
1305 csel $acc0,$t0,$acc0,ne
1306 csel $acc1,$t1,$acc1,ne
1307 ldp $t0,$t1,[$bp_real,#$i+32] // in2
1308 csel $acc2,$t2,$acc2,ne
1309 csel $acc3,$t3,$acc3,ne
1310 ldp $t2,$t3,[$bp_real,#$i+48]
1311 stp $acc0,$acc1,[$rp_real,#$i]
1312 stp $acc2,$acc3,[$rp_real,#$i+16]
1314 $code.=<<___ if ($i == 0);
1315 adr $bp_real,.Lone_mont-64
1319 ldp $acc0,$acc1,[$ap_real,#$i] // in1
1320 cmp $in1infty,#0 // !$in1intfy, remember?
1321 ldp $acc2,$acc3,[$ap_real,#$i+16]
1326 cmp $in2infty,#0 // !$in2intfy, remember?
1327 csel $acc0,$t0,$acc0,ne
1328 csel $acc1,$t1,$acc1,ne
1329 csel $acc2,$t2,$acc2,ne
1330 csel $acc3,$t3,$acc3,ne
1331 stp $acc0,$acc1,[$rp_real,#$i]
1332 stp $acc2,$acc3,[$rp_real,#$i+16]
1334 add sp,x29,#0 // destroy frame
1335 ldp x19,x20,[x29,#16]
1336 ldp x21,x22,[x29,#32]
1337 ldp x23,x24,[x29,#48]
1338 ldp x25,x26,[x29,#64]
1339 ldp x29,x30,[sp],#80
1340 .inst 0xd50323bf // autiasp
1342 .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
1346 my ($ord0,$ord1) = ($poly1,$poly3);
1347 my ($ord2,$ord3,$ordk,$t4) = map("x$_",(21..24));
1351 ////////////////////////////////////////////////////////////////////////
1352 // void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
1354 .globl ecp_nistz256_ord_mul_mont
1355 .type ecp_nistz256_ord_mul_mont,%function
1357 ecp_nistz256_ord_mul_mont:
1358 stp x29,x30,[sp,#-64]!
1360 stp x19,x20,[sp,#16]
1361 stp x21,x22,[sp,#32]
1362 stp x23,x24,[sp,#48]
1365 ldr $bi,[$bp] // bp[0]
1367 ldp $a2,$a3,[$ap,#16]
1369 ldp $ord0,$ord1,[$ordk,#0]
1370 ldp $ord2,$ord3,[$ordk,#16]
1371 ldr $ordk,[$ordk,#32]
1373 mul $acc0,$a0,$bi // a[0]*b[0]
1376 mul $acc1,$a1,$bi // a[1]*b[0]
1379 mul $acc2,$a2,$bi // a[2]*b[0]
1382 mul $acc3,$a3,$bi // a[3]*b[0]
1387 adds $acc1,$acc1,$t0 // accumulate high parts of multiplication
1388 adcs $acc2,$acc2,$t1
1389 adcs $acc3,$acc3,$t2
1393 for ($i=1;$i<4;$i++) {
1394 ################################################################
1395 # ffff0000.ffffffff.yyyyyyyy.zzzzzzzz
1397 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1399 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
1402 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1403 # - 0000abcd.efgh0000.abcdefgh.00000000.00000000
1404 # + abcdefgh.abcdefgh.yzayzbyz.cyzdyzey.zfyzgyzh
1406 ldr $bi,[$bp,#8*$i] // b[i]
1409 subs $acc2,$acc2,$t4
1411 sbcs $acc3,$acc3,$t0
1412 sbcs $acc4,$acc4,$t1
1425 adds $acc0,$acc1,$t2
1427 adcs $acc1,$acc2,$t3
1429 adcs $acc2,$acc3,$t4
1430 adcs $acc3,$acc4,$t4
1433 adds $acc0,$acc0,$t0 // accumulate low parts
1435 adcs $acc1,$acc1,$t1
1437 adcs $acc2,$acc2,$t2
1439 adcs $acc3,$acc3,$t3
1443 adds $acc1,$acc1,$t0 // accumulate high parts
1444 adcs $acc2,$acc2,$t1
1445 adcs $acc3,$acc3,$t2
1446 adcs $acc4,$acc4,$t3
1451 lsl $t0,$t4,#32 // last reduction
1452 subs $acc2,$acc2,$t4
1454 sbcs $acc3,$acc3,$t0
1455 sbcs $acc4,$acc4,$t1
1466 adds $acc0,$acc1,$t2
1467 adcs $acc1,$acc2,$t3
1468 adcs $acc2,$acc3,$t4
1469 adcs $acc3,$acc4,$t4
1472 subs $t0,$acc0,$ord0 // ret -= modulus
1473 sbcs $t1,$acc1,$ord1
1474 sbcs $t2,$acc2,$ord2
1475 sbcs $t3,$acc3,$ord3
1478 csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
1479 csel $acc1,$acc1,$t1,lo
1480 csel $acc2,$acc2,$t2,lo
1481 stp $acc0,$acc1,[$rp]
1482 csel $acc3,$acc3,$t3,lo
1483 stp $acc2,$acc3,[$rp,#16]
1485 ldp x19,x20,[sp,#16]
1486 ldp x21,x22,[sp,#32]
1487 ldp x23,x24,[sp,#48]
1490 .size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont
1492 ////////////////////////////////////////////////////////////////////////
1493 // void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
1495 .globl ecp_nistz256_ord_sqr_mont
1496 .type ecp_nistz256_ord_sqr_mont,%function
1498 ecp_nistz256_ord_sqr_mont:
1499 stp x29,x30,[sp,#-64]!
1501 stp x19,x20,[sp,#16]
1502 stp x21,x22,[sp,#32]
1503 stp x23,x24,[sp,#48]
1507 ldp $a2,$a3,[$ap,#16]
1509 ldp $ord0,$ord1,[$ordk,#0]
1510 ldp $ord2,$ord3,[$ordk,#16]
1511 ldr $ordk,[$ordk,#32]
1517 ////////////////////////////////////////////////////////////////
1518 // | | | | | |a1*a0| |
1519 // | | | | |a2*a0| | |
1520 // | |a3*a2|a3*a0| | | |
1521 // | | | |a2*a1| | | |
1522 // | | |a3*a1| | | | |
1523 // *| | | | | | | | 2|
1524 // +|a3*a3|a2*a2|a1*a1|a0*a0|
1525 // |--+--+--+--+--+--+--+--|
1526 // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
1528 // "can't overflow" below mark carrying into high part of
1529 // multiplication result, which can't overflow, because it
1530 // can never be all ones.
1532 mul $acc1,$a1,$a0 // a[1]*a[0]
1534 mul $acc2,$a2,$a0 // a[2]*a[0]
1536 mul $acc3,$a3,$a0 // a[3]*a[0]
1539 adds $acc2,$acc2,$t1 // accumulate high parts of multiplication
1540 mul $t0,$a2,$a1 // a[2]*a[1]
1542 adcs $acc3,$acc3,$t2
1543 mul $t2,$a3,$a1 // a[3]*a[1]
1545 adc $acc4,$acc4,xzr // can't overflow
1547 mul $acc5,$a3,$a2 // a[3]*a[2]
1550 adds $t1,$t1,$t2 // accumulate high parts of multiplication
1551 mul $acc0,$a0,$a0 // a[0]*a[0]
1552 adc $t2,$t3,xzr // can't overflow
1554 adds $acc3,$acc3,$t0 // accumulate low parts of multiplication
1556 adcs $acc4,$acc4,$t1
1557 mul $t1,$a1,$a1 // a[1]*a[1]
1558 adcs $acc5,$acc5,$t2
1560 adc $acc6,$acc6,xzr // can't overflow
1562 adds $acc1,$acc1,$acc1 // acc[1-6]*=2
1563 mul $t2,$a2,$a2 // a[2]*a[2]
1564 adcs $acc2,$acc2,$acc2
1566 adcs $acc3,$acc3,$acc3
1567 mul $t3,$a3,$a3 // a[3]*a[3]
1568 adcs $acc4,$acc4,$acc4
1570 adcs $acc5,$acc5,$acc5
1571 adcs $acc6,$acc6,$acc6
1574 adds $acc1,$acc1,$a0 // +a[i]*a[i]
1576 adcs $acc2,$acc2,$t1
1577 adcs $acc3,$acc3,$a1
1578 adcs $acc4,$acc4,$t2
1579 adcs $acc5,$acc5,$a2
1580 adcs $acc6,$acc6,$t3
1583 for($i=0; $i<4; $i++) { # reductions
1593 adds $acc0,$acc1,$t2
1594 adcs $acc1,$acc2,$t3
1595 adcs $acc2,$acc3,$t4
1596 adc $acc3,xzr,$t4 // can't overflow
1598 $code.=<<___ if ($i<3);
1603 subs $acc1,$acc1,$t4
1605 sbcs $acc2,$acc2,$t0
1606 sbc $acc3,$acc3,$t1 // can't borrow
1608 ($t3,$t4) = ($t4,$t3);
1611 adds $acc0,$acc0,$acc4 // accumulate upper half
1612 adcs $acc1,$acc1,$acc5
1613 adcs $acc2,$acc2,$acc6
1614 adcs $acc3,$acc3,$acc7
1617 subs $t0,$acc0,$ord0 // ret -= modulus
1618 sbcs $t1,$acc1,$ord1
1619 sbcs $t2,$acc2,$ord2
1620 sbcs $t3,$acc3,$ord3
1623 csel $a0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus
1624 csel $a1,$acc1,$t1,lo
1625 csel $a2,$acc2,$t2,lo
1626 csel $a3,$acc3,$t3,lo
1628 cbnz $bp,.Loop_ord_sqr
1631 stp $a2,$a3,[$rp,#16]
1633 ldp x19,x20,[sp,#16]
1634 ldp x21,x22,[sp,#32]
1635 ldp x23,x24,[sp,#48]
1638 .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont
1642 ########################################################################
1643 # scatter-gather subroutines
1645 my ($out,$inp,$index,$mask)=map("x$_",(0..3));
1647 // void ecp_nistz256_scatter_w5(void *x0,const P256_POINT *x1,
1649 .globl ecp_nistz256_scatter_w5
1650 .type ecp_nistz256_scatter_w5,%function
1652 ecp_nistz256_scatter_w5:
1653 stp x29,x30,[sp,#-16]!
1656 add $out,$out,$index,lsl#2
1658 ldp x4,x5,[$inp] // X
1659 ldp x6,x7,[$inp,#16]
1660 stur w4,[$out,#64*0-4]
1662 str w5,[$out,#64*1-4]
1664 str w6,[$out,#64*2-4]
1666 str w7,[$out,#64*3-4]
1668 str w4,[$out,#64*4-4]
1669 str w5,[$out,#64*5-4]
1670 str w6,[$out,#64*6-4]
1671 str w7,[$out,#64*7-4]
1674 ldp x4,x5,[$inp,#32] // Y
1675 ldp x6,x7,[$inp,#48]
1676 stur w4,[$out,#64*0-4]
1678 str w5,[$out,#64*1-4]
1680 str w6,[$out,#64*2-4]
1682 str w7,[$out,#64*3-4]
1684 str w4,[$out,#64*4-4]
1685 str w5,[$out,#64*5-4]
1686 str w6,[$out,#64*6-4]
1687 str w7,[$out,#64*7-4]
1690 ldp x4,x5,[$inp,#64] // Z
1691 ldp x6,x7,[$inp,#80]
1692 stur w4,[$out,#64*0-4]
1694 str w5,[$out,#64*1-4]
1696 str w6,[$out,#64*2-4]
1698 str w7,[$out,#64*3-4]
1700 str w4,[$out,#64*4-4]
1701 str w5,[$out,#64*5-4]
1702 str w6,[$out,#64*6-4]
1703 str w7,[$out,#64*7-4]
1707 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
1709 // void ecp_nistz256_gather_w5(P256_POINT *x0,const void *x1,
1711 .globl ecp_nistz256_gather_w5
1712 .type ecp_nistz256_gather_w5,%function
1714 ecp_nistz256_gather_w5:
1715 stp x29,x30,[sp,#-16]!
1720 add $index,$index,x3
1721 add $inp,$inp,$index,lsl#2
1729 ldr w10,[$inp,#64*6]
1730 ldr w11,[$inp,#64*7]
1734 orr x6,x6,x10,lsl#32
1735 orr x7,x7,x11,lsl#32
1740 stp x4,x5,[$out] // X
1741 stp x6,x7,[$out,#16]
1749 ldr w10,[$inp,#64*6]
1750 ldr w11,[$inp,#64*7]
1754 orr x6,x6,x10,lsl#32
1755 orr x7,x7,x11,lsl#32
1760 stp x4,x5,[$out,#32] // Y
1761 stp x6,x7,[$out,#48]
1769 ldr w10,[$inp,#64*6]
1770 ldr w11,[$inp,#64*7]
1773 orr x6,x6,x10,lsl#32
1774 orr x7,x7,x11,lsl#32
1779 stp x4,x5,[$out,#64] // Z
1780 stp x6,x7,[$out,#80]
1784 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
1786 // void ecp_nistz256_scatter_w7(void *x0,const P256_POINT_AFFINE *x1,
1788 .globl ecp_nistz256_scatter_w7
1789 .type ecp_nistz256_scatter_w7,%function
1791 ecp_nistz256_scatter_w7:
1792 stp x29,x30,[sp,#-16]!
1795 add $out,$out,$index
1799 subs $index,$index,#1
1800 prfm pstl1strm,[$out,#4096+64*0]
1801 prfm pstl1strm,[$out,#4096+64*1]
1802 prfm pstl1strm,[$out,#4096+64*2]
1803 prfm pstl1strm,[$out,#4096+64*3]
1804 prfm pstl1strm,[$out,#4096+64*4]
1805 prfm pstl1strm,[$out,#4096+64*5]
1806 prfm pstl1strm,[$out,#4096+64*6]
1807 prfm pstl1strm,[$out,#4096+64*7]
1808 strb w3,[$out,#64*0]
1810 strb w3,[$out,#64*1]
1812 strb w3,[$out,#64*2]
1814 strb w3,[$out,#64*3]
1816 strb w3,[$out,#64*4]
1818 strb w3,[$out,#64*5]
1820 strb w3,[$out,#64*6]
1822 strb w3,[$out,#64*7]
1824 b.ne .Loop_scatter_w7
1828 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
1830 // void ecp_nistz256_gather_w7(P256_POINT_AFFINE *x0,const void *x1,
1832 .globl ecp_nistz256_gather_w7
1833 .type ecp_nistz256_gather_w7,%function
1835 ecp_nistz256_gather_w7:
1836 stp x29,x30,[sp,#-16]!
1841 add $index,$index,x3
1842 add $inp,$inp,$index
1846 ldrb w4,[$inp,#64*0]
1847 prfm pldl1strm,[$inp,#4096+64*0]
1848 subs $index,$index,#1
1849 ldrb w5,[$inp,#64*1]
1850 prfm pldl1strm,[$inp,#4096+64*1]
1851 ldrb w6,[$inp,#64*2]
1852 prfm pldl1strm,[$inp,#4096+64*2]
1853 ldrb w7,[$inp,#64*3]
1854 prfm pldl1strm,[$inp,#4096+64*3]
1855 ldrb w8,[$inp,#64*4]
1856 prfm pldl1strm,[$inp,#4096+64*4]
1857 ldrb w9,[$inp,#64*5]
1858 prfm pldl1strm,[$inp,#4096+64*5]
1859 ldrb w10,[$inp,#64*6]
1860 prfm pldl1strm,[$inp,#4096+64*6]
1861 ldrb w11,[$inp,#64*7]
1862 prfm pldl1strm,[$inp,#4096+64*7]
1868 orr x10,x10,x11,lsl#8
1870 orr x4,x4,x10,lsl#48
1873 b.ne .Loop_gather_w7
1877 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
1881 foreach (split("\n",$code)) {
1882 s/\`([^\`]*)\`/eval $1/ge;
1886 close STDOUT; # enforce flush