1
0
mirror of https://github.com/henrydcase/nobs.git synced 2024-11-25 08:31:21 +00:00
nobs/dh/sidh/internal/p434/arith_amd64.s

1233 lines
31 KiB
ArmAsm

// +build amd64,!noasm
#include "textflag.h"
// p434
#define P434_0 $0xFFFFFFFFFFFFFFFF
#define P434_3 $0xFDC1767AE2FFFFFF
#define P434_4 $0x7BC65C783158AEA3
#define P434_5 $0x6CFC5FD681C52056
#define P434_6 $0x0002341F27177344
// p434 x 2
#define P434X2_0 $0xFFFFFFFFFFFFFFFE
#define P434X2_1 $0xFFFFFFFFFFFFFFFF
#define P434X2_3 $0xFB82ECF5C5FFFFFF
#define P434X2_4 $0xF78CB8F062B15D47
#define P434X2_5 $0xD9F8BFAD038A40AC
#define P434X2_6 $0x0004683E4E2EE688
// Redefine P434p1Zeros
#define P434_P1_ZEROS 3
// Performs schoolbook multiplication of 128-bit with 256-bit
// number. Uses MULX, ADOX, ADCX instruction.
#define MULX128x256(IDX, M0, M1, T0, T1, T2, T3, T4, T5, T6) \
XORQ AX, AX \
MOVQ (IDX)(M0), DX \
MULXQ M1+ 0(SB), T0, T1 \ // T0 <- C0
MULXQ M1+ 8(SB), T4, T2 \
MULXQ M1+16(SB), T5, T3 \
ADOXQ T4, T1 \ // T1: interm1
ADOXQ T5, T2 \ // T2: interm2
\
MULXQ M1+24(SB), T5, T4 \
ADOXQ T5, T3 \ // T3: interm3
ADOXQ AX, T4 \ // T4: interm4
\
XORQ AX, AX \
MOVQ (IDX+8)(M0), DX \
MULXQ M1+ 0(SB), T5, T6 \
ADCXQ T5, T1 \ // T1 <- C1
ADCXQ T6, T2 \
\
MULXQ M1+ 8(SB), T6, T5 \
ADCXQ T5, T3 \
ADOXQ T6, T2 \ // T2 <- C2
\
MULXQ M1+16(SB), T6, T5 \
ADCXQ T5, T4 \
ADOXQ T6, T3 \ // T3 <- C3
\
MULXQ M1+24(SB), T6, T5 \
ADCXQ AX, T5 \
ADOXQ T6, T4 \ // T4 <- C4
ADOXQ AX, T5 // T5 <- C5
// Performs schoolbook multiplication of 64-bit with 256-bit
// number. Uses MULX and ADOX instructions.
//
// Uses registers: DX,AX
#define MULX64x256(IDX, M0, M1, T0, T1, T2, T3, T4, T5) \
XORQ AX, AX \
MOVQ (IDX)(M0), DX \
MULXQ M1+ 0(SB), T0, T1 \ // T0 <- C0
MULXQ M1+ 8(SB), T4, T2 \
MULXQ M1+16(SB), T5, T3 \
\
ADOXQ T4, T1 \ // T1 <- C1
ADOXQ T5, T2 \ // T2 <- C2
\
MULXQ M1+24(SB), T5, T4 \
ADOXQ T5, T3 \ // T3 <- C3
ADOXQ AX, T4 // T4 <- C4
// Performs schoolbook multiplication of two 192-bit numbers
// number. Uses MULX and ADOX instructions.
//
// Uses registers: DX,AX
#define MULX192(IM0,M0,IM1,M1,ID,MDST,T0,T1,T2,T3,T4,T5,T6) \
MOVQ (0+IM0)(M0), DX \
MULXQ (0+IM1)(M1), T1, T0 \ // T0:T1 = A0*B0
MOVQ T1,(ID+0)(MDST) \ // MDST0
MULXQ (IM1+ 8)(M1), T2, T1 \ // T1:T2 = A0*B1
XORQ AX, AX \
ADOXQ T2, T0 \
MULXQ (IM1+16)(M1),T3, T2 \ // T2:T3 = A0*B2
ADOXQ T3, T1 \
\
MOVQ (IM0+8)(M0), DX \
MULXQ (IM1+0)(M1), T4, T3 \ // T3:T4 = A1*B0
ADOXQ AX, T2 \
XORQ AX, AX \
\
MULXQ (IM1+8)(M1), T6, T5 \ // T6:T7 = A1*B1
ADOXQ T0, T4 \
MOVQ T4,(ID+8)(MDST) \ // MDST1
ADCXQ T6, T3 \
\
MULXQ (IM1+16)(M1),T0, T6 \ // T6:T0 = A1*B2
ADOXQ T1, T3 \
ADCXQ T0, T5 \
ADCXQ AX, T6 \
ADOXQ T2, T5 \
\
MOVQ (IM0+16)(M0),DX \
MULXQ (IM1+ 0)(M1), T0, T1 \ // T1:T0 = A2*B0
ADOXQ AX, T6 \
XORQ AX, AX \
\
MULXQ (IM1+ 8)(M1), T2, T4 \ // T4:T2 = A2*B1
ADOXQ T3, T0 \
MOVQ T0, (ID+16)(MDST) \ // MDST2
ADCXQ T5, T1 \
\
MULXQ (IM1+16)(M1),T3, T0 \ // T0:T3 = A2*B2
ADCXQ T6, T4 \
ADCXQ AX, T0 \
ADOXQ T2, T1 \
ADOXQ T4, T3 \
ADOXQ AX, T0 \
MOVQ T1, (ID+24)(MDST) \ // MDST3
MOVQ T3, (ID+32)(MDST) \ // MDST4
MOVQ T0, (ID+40)(MDST) // MDST5
// Performs schoolbook multiplication of 2 256-bit numbers. Uses
// MULX instruction. Result is stored in 256 bits pointed by $DST.
//
// Uses registers: DX,AX
#define MULX256(IM0,M0,IM1,M1,ID,MDST,T0,T1,T2,T3,T4,T5,T6,T7,T8,T9) \
MOVQ (IM0+0)(M0), DX \
MULXQ (IM1+0)(M1), T1, T0 \ // A0*B[0-3]
MOVQ T1, (ID+0)(MDST) \
MULXQ (IM1+8)(M1), T2, T1 \
XORQ AX, AX \
ADOXQ T2, T0 \
MULXQ (IM1+16)(M1),T3, T2 \
ADOXQ T3, T1 \
MULXQ (IM1+24)(M1),T4, T3 \
ADOXQ T4, T2 \
\
MOVQ (IM0+8)(M0), DX \
MULXQ (IM1+0)(M1), T4, T5 \ // A1*B[0-3]
ADOXQ AX, T3 \
XORQ AX, AX \
MULXQ (IM1+8)(M1), T7, T6 \
ADOXQ T0, T4 \
MOVQ T4, (ID+8)(MDST) \
ADCXQ T7, T5 \
MULXQ (IM1+16)(M1),T8, T7 \
ADCXQ T8, T6 \
ADOXQ T1, T5 \
MULXQ (IM1+24)(M1),T9, T8 \
ADCXQ T9, T7 \
ADCXQ AX, T8 \
ADOXQ T2, T6 \
\
MOVQ (IM0+16)(M0),DX \ // A2*B[0-3]
MULXQ (IM1+ 0)(M1), T0, T1 \
ADOXQ T3, T7 \
ADOXQ AX, T8 \
XORQ AX, AX \
MULXQ (IM1+8)(M1), T3, T2 \
ADOXQ T5, T0 \
MOVQ T0, (ID+16)(MDST) \
ADCXQ T3, T1 \
MULXQ (IM1+16)(M1),T4, T3 \
ADCXQ T4, T2 \
ADOXQ T6, T1 \
MULXQ (IM1+24)(M1),T9, T4 \
ADCXQ T9, T3 \
ADCXQ AX, T4 \
\
ADOXQ T7, T2 \
ADOXQ T8, T3 \
ADOXQ AX, T4 \
\
MOVQ (IM0+24)(M0),DX \
MULXQ (IM1+ 0)(M1), T0, T5\ // A3*B[0-3]
XORQ AX, AX \
MULXQ (IM1+ 8)(M1), T7, T6\
ADCXQ T7, T5 \
ADOXQ T0, T1 \
MULXQ (IM1+16)(M1), T8, T7 \
ADCXQ T8, T6 \
ADOXQ T5, T2 \
MULXQ (IM1+24)(M1), T9, T8 \
ADCXQ T9, T7 \
ADCXQ AX, T8 \
ADOXQ T6, T3 \
ADOXQ T7, T4 \
ADOXQ AX, T8 \
MOVQ T1, (ID+24)(MDST) \
MOVQ T2, (ID+32)(MDST) \
MOVQ T3, (ID+40)(MDST) \
MOVQ T4, (ID+48)(MDST) \
MOVQ T8, (ID+56)(MDST)
// Performs schoolbook multiplication of 64-bit with 256-bit
// number.
//
// Uses registers: DX, AX
#define MUL64x256(IDX,M0,M1,C0,C1,C2,C3,C4,T0) \
MOVQ (IDX)(M0), T0 \
\
XORQ C2, C2 \
MOVQ M1+0(SB), AX \
MULQ T0 \
MOVQ AX, C0 \
MOVQ DX, C1 \
\
XORQ C3, C3 \
MOVQ M1+8(SB), AX \
MULQ T0 \
ADDQ AX, C1 \
ADCQ DX, C2 \
\
XORQ C4, C4 \
MOVQ M1+16(SB), AX \
MULQ T0 \
ADDQ AX, C2 \
ADCQ DX, C3 \
\
MOVQ M1+24(SB), AX \
MULQ T0 \
ADDQ AX, C3 \
ADCQ DX, C4
// Performs schoolbook multiplication of 128-bit with 256-bit
// number. Destroys RAX and RDX
//
// Uses registers: DX, AX
#define MUL128x256(IDX,M0,M1,C0,C1,C2,C3,C4,C5,T0,T1) \
\ // A0 x B0
MOVQ (IDX+0)(M0), T0 \
MOVQ M1+0(SB), AX \
MULQ T0 \
XORQ C2, C2 \
MOVQ AX, C0 \
MOVQ DX, C1 \
\ // A0 x B1
MOVQ M1+8(SB), AX \
MULQ T0 \
XORQ C3, C3 \
ADDQ AX, C1 \
ADCQ DX, C2 \
\ // A1 x B0
MOVQ (IDX+8)(M0), T1 \
MOVQ M1+0(SB), AX \
MULQ T1 \
ADDQ AX, C1 \
ADCQ DX, C2 \
ADCQ $0, C3 \
\ // A0 x B2
XORQ C4, C4 \
MOVQ M1+16(SB), AX \
MULQ T0 \
ADDQ AX, C2 \
ADCQ DX, C3 \
ADCQ $0, C4 \
\ // A1 x B1
MOVQ M1+8(SB), AX \
MULQ T1 \
ADDQ AX, C2 \
ADCQ DX, C3 \
ADCQ $0, C4 \
\ // A0 x B3
MOVQ M1+24(SB), AX \
MULQ T0 \
XORQ C5, C5 \
ADDQ AX, C3 \
ADCQ DX, C4 \
ADCQ $0, C5 \
\ // A1 x B2
MOVQ M1+16(SB), AX \
MULQ T1 \
ADDQ AX, C3 \
ADCQ DX, C4 \
ADCQ $0, C5 \
\ // A1 x B3
MOVQ M1+24(SB), AX \
MULQ T1 \
ADDQ AX, C4 \
ADCQ DX, C5
#define REDC_COMMON(MUL01, MUL23, MUL45, MUL67) \
MUL01 \
XORQ CX, CX \
ADDQ 0x18(DI), R8 \
ADCQ 0x20(DI), R9 \
ADCQ 0x28(DI), R10 \
ADCQ 0x30(DI), R11 \
ADCQ 0x38(DI), R12 \
ADCQ 0x40(DI), R13 \
ADCQ 0x48(DI), CX \
MOVQ R8, 0x18(DI) \
MOVQ R9, 0x20(DI) \
MOVQ R10, 0x28(DI) \
MOVQ R11, 0x30(DI) \
MOVQ R12, 0x38(DI) \
MOVQ R13, 0x40(DI) \
MOVQ CX, 0x48(DI) \
MOVQ 0x50(DI), R8 \
MOVQ 0x58(DI), R9 \
MOVQ 0x60(DI), R10 \
MOVQ 0x68(DI), R11 \
ADCQ $0, R8 \
ADCQ $0, R9 \
ADCQ $0, R10 \
ADCQ $0, R11 \
MOVQ R8, 0x50(DI) \
MOVQ R9, 0x58(DI) \
MOVQ R10, 0x60(DI) \
MOVQ R11, 0x68(DI) \
\
MUL23 \
XORQ CX, CX \
ADDQ 0x28(DI), R8 \
ADCQ 0x30(DI), R9 \
ADCQ 0x38(DI), R10 \
ADCQ 0x40(DI), R11 \
ADCQ 0x48(DI), R12 \
ADCQ 0x50(DI), R13 \
ADCQ 0x58(DI), CX \
MOVQ R8, 0x28(DI) \
MOVQ R9, 0x30(DI) \
MOVQ R10, 0x38(DI) \
MOVQ R11, 0x40(DI) \
MOVQ R12, 0x48(DI) \
MOVQ R13, 0x50(DI) \
MOVQ CX, 0x58(DI) \
MOVQ 0x60(DI), R8 \
MOVQ 0x68(DI), R9 \
ADCQ $0, R8 \
ADCQ $0, R9 \
MOVQ R8, 0x60(DI) \
MOVQ R9, 0x68(DI) \
\
MUL45 \
XORQ CX, CX \
ADDQ 0x38(DI), R8 \
ADCQ 0x40(DI), R9 \
ADCQ 0x48(DI), R10 \
ADCQ 0x50(DI), R11 \
ADCQ 0x58(DI), R12 \
ADCQ 0x60(DI), R13 \
ADCQ 0x68(DI), CX \
MOVQ R8, 0x0(SI) \ // OUT0
MOVQ R9, 0x8(SI) \ // OUT1
MOVQ R10, 0x48(DI) \
MOVQ R11, 0x50(DI) \
MOVQ R12, 0x58(DI) \
MOVQ R13, 0x60(DI) \
MOVQ CX, 0x68(DI) \
\
MUL67 \
ADDQ 0x48(DI), R8 \
ADCQ 0x50(DI), R9 \
ADCQ 0x58(DI), R10 \
ADCQ 0x60(DI), R11 \
ADCQ 0x68(DI), R12 \
MOVQ R8, 0x10(SI) \ // OUT2
MOVQ R9, 0x18(SI) \ // OUT3
MOVQ R10, 0x20(SI) \ // OUT4
MOVQ R11, 0x28(SI) \ // OUT5
MOVQ R12, 0x30(SI) // OUT6
TEXT ·cswapP434(SB),NOSPLIT,$0-17
MOVQ x+0(FP), DI
MOVQ y+8(FP), SI
MOVB choice+16(FP), AL // AL = 0 or 1
MOVBLZX AL, AX // AX = 0 or 1
NEGQ AX // AX = 0x00..00 or 0xff..ff
#ifndef CSWAP_BLOCK
#define CSWAP_BLOCK(idx) \
MOVQ (idx*8)(DI), BX \ // BX = x[idx]
MOVQ (idx*8)(SI), CX \ // CX = y[idx]
MOVQ CX, DX \ // DX = y[idx]
XORQ BX, DX \ // DX = y[idx] ^ x[idx]
ANDQ AX, DX \ // DX = (y[idx] ^ x[idx]) & mask
XORQ DX, BX \ // BX = (y[idx] ^ x[idx]) & mask) ^ x[idx] = x[idx] or y[idx]
XORQ DX, CX \ // CX = (y[idx] ^ x[idx]) & mask) ^ y[idx] = y[idx] or x[idx]
MOVQ BX, (idx*8)(DI) \
MOVQ CX, (idx*8)(SI)
#endif
CSWAP_BLOCK(0)
CSWAP_BLOCK(1)
CSWAP_BLOCK(2)
CSWAP_BLOCK(3)
CSWAP_BLOCK(4)
CSWAP_BLOCK(5)
CSWAP_BLOCK(6)
#ifdef CSWAP_BLOCK
#undef CSWAP_BLOCK
#endif
RET
TEXT ·addP434(SB),NOSPLIT,$0-24
MOVQ z+0(FP), DX
MOVQ x+8(FP), DI
MOVQ y+16(FP), SI
// Used later to calculate a mask
XORQ CX, CX
// [R8-R14]: z = x + y
MOVQ ( 0)(DI), R8; ADDQ ( 0)(SI), R8
MOVQ ( 8)(DI), R9; ADCQ ( 8)(SI), R9
MOVQ (16)(DI), R10; ADCQ (16)(SI), R10
MOVQ (24)(DI), R11; ADCQ (24)(SI), R11
MOVQ (32)(DI), R12; ADCQ (32)(SI), R12
MOVQ (40)(DI), R13; ADCQ (40)(SI), R13
MOVQ (48)(DI), R14; ADCQ (48)(SI), R14
XORQ DI, DI
MOVQ P434X2_0, AX; SUBQ AX, R8
MOVQ P434X2_1, AX; SBBQ AX, R9
SBBQ AX, R10
MOVQ P434X2_3, AX; SBBQ AX, R11
MOVQ P434X2_4, AX; SBBQ AX, R12
MOVQ P434X2_5, AX; SBBQ AX, R13
MOVQ P434X2_6, AX; SBBQ AX, R14
// mask
SBBQ $0, CX
// if z<0 add P434x2 back
MOVQ P434X2_0, R15; ANDQ CX, R15;
MOVQ P434X2_1, AX; ANDQ CX, AX;
ADDQ R8, R15; MOVQ R15, ( 0)(DX)
ADCQ AX, R9; MOVQ R9, ( 8)(DX)
ADCQ AX, R10; MOVQ R10, (16)(DX)
ADCQ $0, DI
MOVQ P434X2_3, R15; ANDQ CX, R15;
MOVQ P434X2_4, R8; ANDQ CX, R8;
MOVQ P434X2_5, R9; ANDQ CX, R9;
MOVQ P434X2_6, R10; ANDQ CX, R10;
BTQ $0, DI
ADCQ R11, R15; MOVQ R15, (24)(DX)
ADCQ R12, R8; MOVQ R8, (32)(DX)
ADCQ R13, R9; MOVQ R9, (40)(DX)
ADCQ R14, R10; MOVQ R10, (48)(DX)
RET
TEXT ·adlP434(SB),NOSPLIT,$0-24
MOVQ z+0(FP), DX
MOVQ x+8(FP), DI
MOVQ y+16(FP),SI
MOVQ ( 0)(DI), R8
ADDQ ( 0)(SI), R8
MOVQ ( 8)(DI), R9
ADCQ ( 8)(SI), R9
MOVQ (16)(DI), R10
ADCQ (16)(SI), R10
MOVQ (24)(DI), R11
ADCQ (24)(SI), R11
MOVQ (32)(DI), R12
ADCQ (32)(SI), R12
MOVQ (40)(DI), R13
ADCQ (40)(SI), R13
MOVQ (48)(DI), R14
ADCQ (48)(SI), R14
MOVQ (56)(DI), R15
ADCQ (56)(SI), R15
MOVQ (64)(DI), AX
ADCQ (64)(SI), AX
MOVQ (72)(DI), BX
ADCQ (72)(SI), BX
MOVQ (80)(DI), CX
ADCQ (80)(SI), CX
MOVQ R8, ( 0)(DX)
MOVQ R9, ( 8)(DX)
MOVQ R10,(16)(DX)
MOVQ R11,(24)(DX)
MOVQ R12,(32)(DX)
MOVQ R13,(40)(DX)
MOVQ R14,(48)(DX)
MOVQ R15,(56)(DX)
MOVQ AX, (64)(DX)
MOVQ BX, (72)(DX)
MOVQ CX, (80)(DX)
MOVQ (88)(DI), R8
ADCQ (88)(SI), R8
MOVQ (96)(DI), R9
ADCQ (96)(SI), R9
MOVQ (104)(DI), R10
ADCQ (104)(SI), R10
MOVQ R8, (88)(DX)
MOVQ R9, (96)(DX)
MOVQ R10,(104)(DX)
RET
TEXT ·subP434(SB),NOSPLIT,$0-24
MOVQ z+0(FP), DX
MOVQ x+8(FP), DI
MOVQ y+16(FP), SI
// Used later to calculate a mask
XORQ CX, CX
MOVQ ( 0)(DI), R8; SUBQ ( 0)(SI), R8
MOVQ ( 8)(DI), R9; SBBQ ( 8)(SI), R9
MOVQ (16)(DI), R10; SBBQ (16)(SI), R10
MOVQ (24)(DI), R11; SBBQ (24)(SI), R11
MOVQ (32)(DI), R12; SBBQ (32)(SI), R12
MOVQ (40)(DI), R13; SBBQ (40)(SI), R13
MOVQ (48)(DI), R14; SBBQ (48)(SI), R14
// mask
SBBQ $0, CX
XORQ R15, R15
// if z<0 add p434x2 back
MOVQ P434X2_0, DI; ANDQ CX, DI
MOVQ P434X2_1, SI; ANDQ CX, SI
MOVQ P434X2_3, AX; ANDQ CX, AX
ADDQ DI, R8; MOVQ R8, ( 0)(DX)
ADCQ SI, R9; MOVQ R9, ( 8)(DX)
ADCQ SI, R10; MOVQ R10, (16)(DX)
ADCQ AX, R11; MOVQ R11, (24)(DX)
ADCQ $0, R15
MOVQ P434X2_4, R8; ANDQ CX, R8;
MOVQ P434X2_5, R9; ANDQ CX, R9;
MOVQ P434X2_6, R10; ANDQ CX, R10
BTQ $0, R15
ADCQ R8, R12; MOVQ R12, (32)(DX)
ADCQ R9, R13; MOVQ R13, (40)(DX)
ADCQ R10, R14; MOVQ R14, (48)(DX)
RET
TEXT ·sulP434(SB),NOSPLIT,$0-24
MOVQ z+0(FP), DX
MOVQ x+8(FP), DI
MOVQ y+16(FP), SI
// Used later to store result of 0-borrow
XORQ CX, CX
// SUBC for first 10 limbs
MOVQ ( 0)(DI), R8; SUBQ ( 0)(SI), R8
MOVQ ( 8)(DI), R9; SBBQ ( 8)(SI), R9
MOVQ (16)(DI), R10; SBBQ (16)(SI), R10
MOVQ (24)(DI), R11; SBBQ (24)(SI), R11
MOVQ (32)(DI), R12; SBBQ (32)(SI), R12
MOVQ (40)(DI), R13; SBBQ (40)(SI), R13
MOVQ (48)(DI), R14; SBBQ (48)(SI), R14
MOVQ (56)(DI), R15; SBBQ (56)(SI), R15
MOVQ (64)(DI), AX; SBBQ (64)(SI), AX
MOVQ (72)(DI), BX; SBBQ (72)(SI), BX
MOVQ R8, ( 0)(DX)
MOVQ R9, ( 8)(DX)
MOVQ R10, (16)(DX)
MOVQ R11, (24)(DX)
MOVQ R12, (32)(DX)
MOVQ R13, (40)(DX)
MOVQ R14, (48)(DX)
MOVQ R15, (56)(DX)
MOVQ AX, (64)(DX)
MOVQ BX, (72)(DX)
// SUBC for last 4 limbs
MOVQ ( 80)(DI), R8; SBBQ ( 80)(SI), R8
MOVQ ( 88)(DI), R9; SBBQ ( 88)(SI), R9
MOVQ ( 96)(DI), R10; SBBQ ( 96)(SI), R10
MOVQ (104)(DI), R11; SBBQ (104)(SI), R11
// Store carry flag
SBBQ $0, CX
MOVQ R8, ( 80)(DX)
MOVQ R9, ( 88)(DX)
MOVQ R10, ( 96)(DX)
MOVQ R11, (104)(DX)
// Load p into registers:
MOVQ P434_0, R8; ANDQ CX, R8
// P434_{1,2} = P434_0, so reuse R8
MOVQ P434_3, R9; ANDQ CX, R9
MOVQ P434_4, R10; ANDQ CX, R10
MOVQ P434_5, R11; ANDQ CX, R11
MOVQ P434_6, R12; ANDQ CX, R12
MOVQ (56 )(DX), AX; ADDQ R8, AX; MOVQ AX, (56 )(DX)
MOVQ (56+ 8)(DX), AX; ADCQ R8, AX; MOVQ AX, (56+ 8)(DX)
MOVQ (56+16)(DX), AX; ADCQ R8, AX; MOVQ AX, (56+16)(DX)
MOVQ (56+24)(DX), AX; ADCQ R9, AX; MOVQ AX, (56+24)(DX)
MOVQ (56+32)(DX), AX; ADCQ R10, AX; MOVQ AX, (56+32)(DX)
MOVQ (56+40)(DX), AX; ADCQ R11, AX; MOVQ AX, (56+40)(DX)
MOVQ (56+48)(DX), AX; ADCQ R12, AX; MOVQ AX, (56+48)(DX)
RET
TEXT ·modP434(SB),NOSPLIT,$0-8
MOVQ x+0(FP), DI
// Zero AX for later use:
XORQ AX, AX
// Set x <- x - p
MOVQ P434_0, R8
SUBQ R8, ( 0)(DI)
// P434_{1,2} = P434_0, so reuse R8
MOVQ P434_3, R9
SBBQ R8, ( 8)(DI)
SBBQ R8, (16)(DI)
MOVQ P434_4, R10
SBBQ R9, (24)(DI)
MOVQ P434_5, R11
SBBQ R10, (32)(DI)
MOVQ P434_6, R12
SBBQ R11, (40)(DI)
SBBQ R12, (48)(DI)
// save carry
SBBQ $0, AX
// Conditionally add p to x if x-p < 0
ANDQ AX, R8
ANDQ AX, R9
ANDQ AX, R10
ANDQ AX, R11
ANDQ AX, R12
ADDQ R8, ( 0)(DI)
ADCQ R8, ( 8)(DI)
ADCQ R8, (16)(DI)
ADCQ R9, (24)(DI)
ADCQ R10,(32)(DI)
ADCQ R11,(40)(DI)
ADCQ R12,(48)(DI)
RET
// 434-bit multiplication using Karatsuba (one level),
// schoolbook (one level).
TEXT ·mulP434(SB),NOSPLIT,$112-24
MOVQ z+0(FP), CX
MOVQ x+8(FP), DI
MOVQ y+16(FP), SI
// Check wether to use optimized implementation
CMPB ·HasADXandBMI2(SB), $1
JE mul_with_mulx_adcx_adox
// rcx[0-3] <- AH+AL
XORQ AX, AX
MOVQ 0x20(DI), R8
MOVQ 0x28(DI), R9
MOVQ 0x30(DI), R10
XORQ R11, R11
ADDQ 0x0(DI), R8
ADCQ 0x8(DI), R9
ADCQ 0x10(DI), R10
ADCQ 0x18(DI), R11
// store AH+AL mask
SBBQ $0, AX
MOVQ AX, 0x40(SP)
// store AH+AL in 0-0x18(rcx)
MOVQ R8, 0x0(CX)
MOVQ R9, 0x8(CX)
MOVQ R10, 0x10(CX)
MOVQ R11, 0x18(CX)
// r12-r15 <- BH+BL
XORQ DX, DX
MOVQ 0x20(SI), R12
MOVQ 0x28(SI), R13
MOVQ 0x30(SI), R14
XORQ R15, R15
ADDQ 0x0(SI), R12
ADCQ 0x8(SI), R13
ADCQ 0x10(SI), R14
ADCQ 0x18(SI), R15
SBBQ $0, DX
// store BH+BL mask
MOVQ DX, 0x48(SP)
// (rsp[0-0x38]) <- (AH+AL)*(BH+BL)
MOVQ (CX), AX
MULQ R12
MOVQ AX, (SP)
MOVQ DX, R8
XORQ R9, R9
MOVQ (CX), AX
MULQ R13
ADDQ AX, R8
ADCQ DX, R9
XORQ R10, R10
MOVQ 0x8(CX), AX
MULQ R12
ADDQ AX, R8
MOVQ R8, 0x8(SP)
ADCQ DX, R9
ADCQ $0, R10
XORQ R8, R8
MOVQ (CX), AX
MULQ R14
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x10(CX), AX
MULQ R12
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x8(CX), AX
MULQ R13
ADDQ AX, R9
MOVQ R9, 0x10(SP)
ADCQ DX, R10
ADCQ $0, R8
XORQ R9, R9
MOVQ (CX),AX
MULQ R15
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ 0x18(CX), AX
MULQ R12
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ 0x8(CX), AX
MULQ R14
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ 0x10(CX), AX
MULQ R13
ADDQ AX, R10
MOVQ R10, 0x18(SP)
ADCQ DX, R8
ADCQ $0, R9
XORQ R10, R10
MOVQ 0x8(CX), AX
MULQ R15
ADDQ AX, R8
ADCQ DX, R9
ADCQ $0, R10
MOVQ 0x18(CX), AX
MULQ R13
ADDQ AX, R8
ADCQ DX, R9
ADCQ $0, R10
MOVQ 0x10(CX), AX
MULQ R14
ADDQ AX, R8
MOVQ R8, 0x20(SP)
ADCQ DX, R9
ADCQ $0, R10
XORQ R11, R11
MOVQ 0x10(CX), AX
MULQ R15
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R11
MOVQ 0x18(CX), AX
MULQ R14
ADDQ AX, R9
MOVQ R9, 0x28(SP)
ADCQ DX, R10
ADCQ $0, R11
MOVQ 0x18(CX), AX
MULQ R15
ADDQ AX, R10
MOVQ R10, 0x30(SP)
ADCQ DX, R11
MOVQ R11,0x38(SP)
// r12-r15 <- masked (BH + BL)
MOVQ 0x40(SP), AX
ANDQ AX, R12
ANDQ AX, R13
ANDQ AX, R14
ANDQ AX, R15
// r8-r11 <- masked (AH + AL)
MOVQ 0x48(SP), AX
MOVQ 0x00(CX), R8
ANDQ AX, R8
MOVQ 0x08(CX), R9
ANDQ AX, R9
MOVQ 0x10(CX), R10
ANDQ AX, R10
MOVQ 0x18(CX), R11
ANDQ AX, R11
// r12-r15 <- masked (AH + AL) + masked (BH + BL)
ADDQ R8, R12
ADCQ R9, R13
ADCQ R10, R14
ADCQ R11, R15
// rsp[0x20-0x38] <- (AH+AL) x (BH+BL) high
MOVQ 0x20(SP), AX
ADDQ AX, R12
MOVQ 0x28(SP), AX
ADCQ AX, R13
MOVQ 0x30(SP), AX
ADCQ AX, R14
MOVQ 0x38(SP), AX
ADCQ AX, R15
MOVQ R12, 0x50(SP)
MOVQ R13, 0x58(SP)
MOVQ R14, 0x60(SP)
MOVQ R15, 0x68(SP)
// [rcx] <- CL = AL x BL
MOVQ (DI), R11
MOVQ (SI), AX
MULQ R11
XORQ R9, R9
MOVQ AX, (CX)
MOVQ DX, R8
MOVQ 0x10(DI), R14
MOVQ 0x8(SI), AX
MULQ R11
XORQ R10, R10
ADDQ AX, R8
ADCQ DX, R9
MOVQ 0x8(DI), R12
MOVQ (SI), AX
MULQ R12
ADDQ AX, R8
MOVQ R8, 0x8(CX)
ADCQ DX, R9
ADCQ $0, R10
XORQ R8, R8
MOVQ 0x10(SI), AX
MULQ R11
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ (SI), R13
MOVQ R14, AX
MULQ R13
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x8(SI), AX
MULQ R12
ADDQ AX, R9
MOVQ R9, 0x10(CX)
ADCQ DX, R10
ADCQ $0, R8
XORQ R9, R9
MOVQ 0x18(SI), AX
MULQ R11
MOVQ 0x18(DI), R15
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ R15, AX
MULQ R13
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ 0x10(SI), AX
MULQ R12
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R9
MOVQ 0x8(SI), AX
MULQ R14
ADDQ AX, R10
MOVQ R10, 0x18(CX)
ADCQ DX, R8
ADCQ $0, R9
XORQ R10, R10
MOVQ 0x18(SI), AX
MULQ R12
ADDQ AX, R8
ADCQ DX, R9
ADCQ $0, R10
MOVQ 0x8(SI), AX
MULQ R15
ADDQ AX, R8
ADCQ DX, R9
ADCQ $0, R10
MOVQ 0x10(SI), AX
MULQ R14
ADDQ AX, R8
MOVQ R8, 0x20(CX)
ADCQ DX, R9
ADCQ $0, R10
XORQ R8, R8
MOVQ 0x18(SI), AX
MULQ R14
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x10(SI), AX
MULQ R15
ADDQ AX, R9
MOVQ R9, 0x28(CX)
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x18(SI), AX
MULQ R15
ADDQ AX, R10
MOVQ R10, 0x30(CX)
ADCQ DX, R8
MOVQ R8, 0x38(CX)
// rcx[0x40-0x68] <- AH*BH
// multiplies 2 192-bit numbers A,B
MOVQ 0x20(DI), R11
MOVQ 0x20(SI), AX
MULQ R11
XORQ R9, R9
MOVQ AX, 0x40(CX)
MOVQ DX, R8
MOVQ 0x30(DI), R14
MOVQ 0x28(SI), AX
MULQ R11
XORQ R10, R10
ADDQ AX, R8
ADCQ DX, R9
MOVQ 0x28(DI), R12
MOVQ 0x20(SI), AX
MULQ R12
ADDQ AX, R8
MOVQ R8, 0x48(CX)
ADCQ DX, R9
ADCQ $0, R10
XORQ R8, R8
MOVQ 0x30(SI), AX
MULQ R11
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x20(SI), R13
MOVQ R14, AX
MULQ R13
ADDQ AX, R9
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x28(SI), AX
MULQ R12
ADDQ AX, R9
MOVQ R9, 0x50(CX)
ADCQ DX, R10
ADCQ $0, R8
MOVQ 0x30(SI), AX
MULQ R12
XORQ R12, R12
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R12
MOVQ 0x28(SI), AX
MULQ R14
ADDQ AX, R10
ADCQ DX, R8
ADCQ $0, R12
MOVQ R10, 0x58(CX)
MOVQ 0x30(SI), AX
MULQ R14
ADDQ AX, R8
ADCQ $0, R12
MOVQ R8, 0x60(CX)
ADDQ R12, DX
// [r8-r15] <- (AH+AL)x(BH+BL) - ALxBL
MOVQ 0x0(SP), R8
SUBQ 0x0(CX), R8
MOVQ 0x8(SP), R9
SBBQ 0x8(CX), R9
MOVQ 0x10(SP), R10
SBBQ 0x10(CX), R10
MOVQ 0x18(SP), R11
SBBQ 0x18(CX), R11
MOVQ 0x50(SP), R12
SBBQ 0x20(CX), R12
MOVQ 0x58(SP), R13
SBBQ 0x28(CX), R13
MOVQ 0x60(SP), R14
SBBQ 0x30(CX), R14
MOVQ 0x68(SP), R15
SBBQ 0x38(CX), R15
// [r8-r15] <- (AH+AL) x (BH+BL) - ALxBL - AHxBH
MOVQ 0x40(CX), AX
SUBQ AX, R8
MOVQ 0x48(CX), AX
SBBQ AX, R9
MOVQ 0x50(CX), AX
SBBQ AX, R10
MOVQ 0x58(CX), AX
SBBQ AX, R11
MOVQ 0x60(CX), AX
SBBQ AX, R12
SBBQ DX, R13
SBBQ $0, R14
SBBQ $0, R15
// Final result
ADDQ 0x20(CX), R8
MOVQ R8, 0x20(CX) // OUT4
ADCQ 0x28(CX), R9
MOVQ R9, 0x28(CX) // OUT5
ADCQ 0x30(CX), R10
MOVQ R10, 0x30(CX) // OUT6
ADCQ 0x38(CX), R11
MOVQ R11, 0x38(CX) // OUT7
ADCQ 0x40(CX), R12
MOVQ R12, 0x40(CX) // OUT8
ADCQ 0x48(CX), R13
MOVQ R13, 0x48(CX) // OUT9
ADCQ 0x50(CX), R14
MOVQ R14, 0x50(CX) // OUT10
ADCQ 0x58(CX), R15
MOVQ R15, 0x58(CX) // OUT11
MOVQ 0x60(CX), R12
ADCQ $0, R12
MOVQ R12, 0x60(CX) // OUT12
ADCQ $0, DX
MOVQ DX, 0x68(CX) // OUT13
RET
mul_with_mulx_adcx_adox:
// Mul implementation for CPUs supporting two independent carry chain
// (ADOX/ADCX) instructions and carry-less MULX multiplier
XORQ AX, AX
MOVQ 0x0(DI), R8
MOVQ 0x8(DI), R9
MOVQ 0x10(DI), R10
MOVQ 0x18(DI), R11
MOVQ BP, 0x70(SP)
ADDQ 0x20(DI), R8
ADCQ 0x28(DI), R9
ADCQ 0x30(DI), R10
ADCQ $0, R11
SBBQ $0, AX
MOVQ R8, 0x0(SP)
MOVQ R9, 0x8(SP)
MOVQ R10, 0x10(SP)
MOVQ R11, 0x18(SP)
// r12-r15 <- BH + BL, rbx <- mask
XORQ BX, BX
MOVQ 0x0(SI), R12
MOVQ 0x8(SI), R13
MOVQ 0x10(SI), R14
MOVQ 0x18(SI), R15
ADDQ 0x20(SI), R12
ADCQ 0x28(SI), R13
ADCQ 0x30(SI), R14
ADCQ $0, R15
SBBQ $0, BX
MOVQ R12, 0x20(SP)
MOVQ R13, 0x28(SP)
MOVQ R14, 0x30(SP)
MOVQ R15, 0x38(SP)
// r12-r15 <- masked (BH + BL)
ANDQ AX, R12
ANDQ AX, R13
ANDQ AX, R14
ANDQ AX, R15
// r8-r11 <- masked (AH + AL)
ANDQ BX, R8
ANDQ BX, R9
ANDQ BX, R10
ANDQ BX, R11
// r8-r11 <- masked (AH + AL) + masked (BH + BL)
ADDQ R12, R8
ADCQ R13, R9
ADCQ R14, R10
ADCQ R15, R11
MOVQ R8, 0x40(SP)
MOVQ R9, 0x48(SP)
MOVQ R10, 0x50(SP)
MOVQ R11, 0x58(SP)
// [rsp] <- CM = (AH+AL) x (BH+BL)
MULX256(0,SP,32,SP,0,SP,R8,R9,R10,R11,R12,R13,R14,R15,BX,BP)
// [rcx] <- CL = AL x BL (Result c0-c3)
MULX256(0,DI,0,SI,0,CX,R8,R9,R10,R11,R12,R13,R14,R15,BX,BP)
// [rcx+64] <- CH = AH x BH
MULX192(32,DI,32,SI,64,CX,R8,R9,R10,R11,R12,R13,R14)
// r8-r11 <- (AH+AL) x (BH+BL), final step
MOVQ 0x40(SP), R8
MOVQ 0x48(SP), R9
MOVQ 0x50(SP), R10
MOVQ 0x58(SP), R11
MOVQ 0x20(SP), AX
ADDQ AX, R8
MOVQ 0x28(SP), AX
ADCQ AX, R9
MOVQ 0x30(SP), AX
ADCQ AX, R10
MOVQ 0x38(SP), AX
ADCQ AX, R11
// [rsp], x3-x5 <- (AH+AL) x (BH+BL) - ALxBL
MOVQ 0x0(SP), R12
MOVQ 0x8(SP), R13
MOVQ 0x10(SP), R14
MOVQ 0x18(SP), R15
SUBQ 0x0(CX), R12
SBBQ 0x8(CX), R13
SBBQ 0x10(CX), R14
SBBQ 0x18(CX), R15
SBBQ 0x20(CX), R8
SBBQ 0x28(CX), R9
SBBQ 0x30(CX), R10
SBBQ 0x38(CX), R11
// r8-r15 <- (AH+AL) x (BH+BL) - ALxBL - AHxBH
SUBQ 0x40(CX), R12
SBBQ 0x48(CX), R13
SBBQ 0x50(CX), R14
SBBQ 0x58(CX), R15
SBBQ 0x60(CX), R8
SBBQ 0x68(CX), R9
SBBQ $0, R10
SBBQ $0, R11
ADDQ 0x20(CX), R12
MOVQ R12, 0x20(CX) // OUT4
ADCQ 0x28(CX), R13
MOVQ R13, 0x28(CX) // OUT5
ADCQ 0x30(CX), R14
MOVQ R14, 0x30(CX) // OUT6
ADCQ 0x38(CX), R15
MOVQ R15, 0x38(CX) // OUT7
ADCQ 0x40(CX), R8
MOVQ R8, 0x40(CX) // OUT8
ADCQ 0x48(CX), R9
MOVQ R9, 0x48(CX) // OUT9
ADCQ 0x50(CX), R10
MOVQ R10, 0x50(CX) // OUT10
ADCQ 0x58(CX), R11
MOVQ R11, 0x58(CX) // OUT11
MOVQ 0x60(CX), R12
ADCQ $0, R12
MOVQ R12, 0x60(CX) // OUT12
MOVQ 0x68(CX), R13
ADCQ $0, R13
MOVQ R13, 0x68(CX) // OUT13
MOVQ 0x70(SP), BP
RET
TEXT ·rdcP434(SB),$0-16
MOVQ z+0(FP), SI
MOVQ x+8(FP), DI
CMPB ·HasADXandBMI2(SB), $1
JE redc_bdw
#define MUL01 MUL128x256( 0,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,R14,CX)
#define MUL23 MUL128x256(16,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,R14,CX)
#define MUL45 MUL128x256(32,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,R14,CX)
#define MUL67 MUL64x256(48,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13)
REDC_COMMON(MUL01, MUL23, MUL45, MUL67)
#undef MUL01
#undef MUL23
#undef MUL45
#undef MUL67
RET
// 434-bit montgomery reduction Uses MULX/ADOX/ADCX instructions
// available on Broadwell micro-architectures and newer.
redc_bdw:
#define MULX01 MULX128x256( 0,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,CX)
#define MULX23 MULX128x256(16,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,CX)
#define MULX45 MULX128x256(32,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13,CX)
#define MULX67 MULX64x256(48,DI,·P434p1+(8*P434_P1_ZEROS),R8,R9,R10,R11,R12,R13)
REDC_COMMON(MULX01, MULX23, MULX45, MULX67)
#undef MULX01
#undef MULX23
#undef MULX45
#undef MULX67
RET