2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2020, Intel Corporation. All Rights Reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 * Originally written by Ilya Albrekht, Sergey Kirillov and Andrey Matyukov
16 #include <openssl/opensslconf.h>
20 NON_EMPTY_TRANSLATION_UNIT
25 # if defined(__GNUC__)
26 # define ALIGN64 __attribute__((aligned(64)))
27 # elif defined(_MSC_VER)
28 # define ALIGN64 __declspec(align(64))
33 # define ALIGN_OF(ptr, boundary) \
34 ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1))))
37 # define DIGIT_SIZE (52)
39 # define DIGIT_MASK ((uint64_t)0xFFFFFFFFFFFFF)
41 # define BITS2WORD8_SIZE(x) (((x) + 7) >> 3)
42 # define BITS2WORD64_SIZE(x) (((x) + 63) >> 6)
44 static ossl_inline
uint64_t get_digit52(const uint8_t *in
, int in_len
);
45 static ossl_inline
void put_digit52(uint8_t *out
, int out_len
, uint64_t digit
);
46 static void to_words52(BN_ULONG
*out
, int out_len
, const BN_ULONG
*in
,
48 static void from_words52(BN_ULONG
*bn_out
, int out_bitsize
, const BN_ULONG
*in
);
49 static ossl_inline
void set_bit(BN_ULONG
*a
, int idx
);
51 /* Number of |digit_size|-bit digits in |bitsize|-bit value */
52 static ossl_inline
int number_of_digits(int bitsize
, int digit_size
)
54 return (bitsize
+ digit_size
- 1) / digit_size
;
57 typedef void (*AMM52
)(BN_ULONG
*res
, const BN_ULONG
*base
,
58 const BN_ULONG
*exp
, const BN_ULONG
*m
, BN_ULONG k0
);
59 typedef void (*EXP52_x2
)(BN_ULONG
*res
, const BN_ULONG
*base
,
60 const BN_ULONG
*exp
[2], const BN_ULONG
*m
,
61 const BN_ULONG
*rr
, const BN_ULONG k0
[2]);
64 * For details of the methods declared below please refer to
65 * crypto/bn/asm/rsaz-avx512.pl
68 * amm = Almost Montgomery Multiplication
69 * ams = Almost Montgomery Squaring
70 * 52x20 - data represented as array of 20 digits in 52-bit radix
71 * _x1_/_x2_ - 1 or 2 independent inputs/outputs
72 * _256 suffix - uses 256-bit (AVX512VL) registers
75 /*AMM = Almost Montgomery Multiplication. */
76 void RSAZ_amm52x20_x1_256(BN_ULONG
*res
, const BN_ULONG
*base
,
77 const BN_ULONG
*exp
, const BN_ULONG
*m
,
79 void RSAZ_exp52x20_x2_256(BN_ULONG
*res
, const BN_ULONG
*base
,
80 const BN_ULONG
*exp
[2], const BN_ULONG
*m
,
81 const BN_ULONG
*rr
, const BN_ULONG k0
[2]);
82 void RSAZ_amm52x20_x2_256(BN_ULONG
*out
, const BN_ULONG
*a
,
83 const BN_ULONG
*b
, const BN_ULONG
*m
,
84 const BN_ULONG k0
[2]);
85 void extract_multiplier_2x20_win5(BN_ULONG
*red_Y
,
86 const BN_ULONG
*red_table
,
87 int red_table_idx
, int tbl_idx
);
90 * Dual Montgomery modular exponentiation using prime moduli of the
91 * same bit size, optimized with AVX512 ISA.
93 * Input and output parameters for each exponentiation are independent and
94 * denoted here by index |i|, i = 1..2.
96 * Input and output are all in regular 2^64 radix.
98 * Each moduli shall be |factor_size| bit size.
100 * NOTE: currently only 2x1024 case is supported.
102 * [out] res|i| - result of modular exponentiation: array of qword values
103 * in regular (2^64) radix. Size of array shall be enough
104 * to hold |factor_size| bits.
105 * [in] base|i| - base
106 * [in] exp|i| - exponent
108 * [in] rr|i| - Montgomery parameter RR = R^2 mod m|i|
109 * [in] k0_|i| - Montgomery parameter k0 = -1/m|i| mod 2^64
110 * [in] factor_size - moduli bit size
112 * \return 0 in case of failure,
113 * 1 in case of success.
115 int RSAZ_mod_exp_avx512_x2(BN_ULONG
*res1
,
116 const BN_ULONG
*base1
,
117 const BN_ULONG
*exp1
,
122 const BN_ULONG
*base2
,
123 const BN_ULONG
*exp2
,
132 * Number of word-size (BN_ULONG) digits to store exponent in redundant
135 int exp_digits
= number_of_digits(factor_size
+ 2, DIGIT_SIZE
);
136 int coeff_pow
= 4 * (DIGIT_SIZE
* exp_digits
- factor_size
);
137 BN_ULONG
*base1_red
, *m1_red
, *rr1_red
;
138 BN_ULONG
*base2_red
, *m2_red
, *rr2_red
;
140 BN_ULONG
*storage
= NULL
;
141 BN_ULONG
*storage_aligned
= NULL
;
142 BN_ULONG storage_len_bytes
= 7 * exp_digits
* sizeof(BN_ULONG
);
144 /* AMM = Almost Montgomery Multiplication */
146 /* Dual (2-exps in parallel) exponentiation */
147 EXP52_x2 exp_x2
= NULL
;
149 const BN_ULONG
*exp
[2] = {0};
150 BN_ULONG k0
[2] = {0};
152 /* Only 1024-bit factor size is supported now */
153 switch (factor_size
) {
155 amm
= RSAZ_amm52x20_x1_256
;
156 exp_x2
= RSAZ_exp52x20_x2_256
;
162 storage
= (BN_ULONG
*)OPENSSL_malloc(storage_len_bytes
+ 64);
165 storage_aligned
= (BN_ULONG
*)ALIGN_OF(storage
, 64);
167 /* Memory layout for red(undant) representations */
168 base1_red
= storage_aligned
;
169 base2_red
= storage_aligned
+ 1 * exp_digits
;
170 m1_red
= storage_aligned
+ 2 * exp_digits
;
171 m2_red
= storage_aligned
+ 3 * exp_digits
;
172 rr1_red
= storage_aligned
+ 4 * exp_digits
;
173 rr2_red
= storage_aligned
+ 5 * exp_digits
;
174 coeff_red
= storage_aligned
+ 6 * exp_digits
;
176 /* Convert base_i, m_i, rr_i, from regular to 52-bit radix */
177 to_words52(base1_red
, exp_digits
, base1
, factor_size
);
178 to_words52(base2_red
, exp_digits
, base2
, factor_size
);
179 to_words52(m1_red
, exp_digits
, m1
, factor_size
);
180 to_words52(m2_red
, exp_digits
, m2
, factor_size
);
181 to_words52(rr1_red
, exp_digits
, rr1
, factor_size
);
182 to_words52(rr2_red
, exp_digits
, rr2
, factor_size
);
185 * Compute target domain Montgomery converters RR' for each modulus
186 * based on precomputed original domain's RR.
188 * RR -> RR' transformation steps:
190 * (2) t = AMM(RR,RR) = RR^2 / R' mod m
191 * (3) RR' = AMM(t, coeff) = RR^2 * 2^k / R'^2 mod m
193 * k = 4 * (52 * digits52 - modlen)
194 * R = 2^(64 * ceil(modlen/64)) mod m
196 * R' = 2^(52 * ceil(modlen/52)) mod m
198 * modlen = 1024: k = 64, RR = 2^2048 mod m, RR' = 2^2080 mod m
200 memset(coeff_red
, 0, exp_digits
* sizeof(BN_ULONG
));
201 /* (1) in reduced domain representation */
202 set_bit(coeff_red
, 64 * (int)(coeff_pow
/ 52) + coeff_pow
% 52);
204 amm(rr1_red
, rr1_red
, rr1_red
, m1_red
, k0_1
); /* (2) for m1 */
205 amm(rr1_red
, rr1_red
, coeff_red
, m1_red
, k0_1
); /* (3) for m1 */
207 amm(rr2_red
, rr2_red
, rr2_red
, m2_red
, k0_2
); /* (2) for m2 */
208 amm(rr2_red
, rr2_red
, coeff_red
, m2_red
, k0_2
); /* (3) for m2 */
216 exp_x2(rr1_red
, base1_red
, exp
, m1_red
, rr1_red
, k0
);
218 /* Convert rr_i back to regular radix */
219 from_words52(res1
, factor_size
, rr1_red
);
220 from_words52(res2
, factor_size
, rr2_red
);
224 if (storage
!= NULL
) {
225 OPENSSL_cleanse(storage
, storage_len_bytes
);
226 OPENSSL_free(storage
);
232 * Dual 1024-bit w-ary modular exponentiation using prime moduli of the same
233 * bit size using Almost Montgomery Multiplication, optimized with AVX512_IFMA
236 * The parameter w (window size) = 5.
238 * [out] res - result of modular exponentiation: 2x20 qword
239 * values in 2^52 radix.
240 * [in] base - base (2x20 qword values in 2^52 radix)
241 * [in] exp - array of 2 pointers to 16 qword values in 2^64 radix.
242 * Exponent is not converted to redundant representation.
243 * [in] m - moduli (2x20 qword values in 2^52 radix)
244 * [in] rr - Montgomery parameter for 2 moduli: RR = 2^2080 mod m.
245 * (2x20 qword values in 2^52 radix)
246 * [in] k0 - Montgomery parameter for 2 moduli: k0 = -1/m mod 2^64
250 void RSAZ_exp52x20_x2_256(BN_ULONG
*out
, /* [2][20] */
251 const BN_ULONG
*base
, /* [2][20] */
252 const BN_ULONG
*exp
[2], /* 2x16 */
253 const BN_ULONG
*m
, /* [2][20] */
254 const BN_ULONG
*rr
, /* [2][20] */
255 const BN_ULONG k0
[2])
257 # define BITSIZE_MODULUS (1024)
258 # define EXP_WIN_SIZE (5)
259 # define EXP_WIN_MASK ((1U << EXP_WIN_SIZE) - 1)
261 * Number of digits (64-bit words) in redundant representation to handle
264 # define RED_DIGITS (20)
265 # define EXP_DIGITS (16)
266 # define DAMM RSAZ_amm52x20_x2_256
268 * Squaring is done using multiplication now. That can be a subject of
269 * optimization in future.
271 # define DAMS(r,a,m,k0) \
272 RSAZ_amm52x20_x2_256((r),(a),(a),(m),(k0))
274 /* Allocate stack for red(undant) result Y and multiplier X */
275 ALIGN64 BN_ULONG red_Y
[2][RED_DIGITS
];
276 ALIGN64 BN_ULONG red_X
[2][RED_DIGITS
];
278 /* Allocate expanded exponent */
279 ALIGN64 BN_ULONG expz
[2][EXP_DIGITS
+ 1];
281 /* Pre-computed table of base powers */
282 ALIGN64 BN_ULONG red_table
[1U << EXP_WIN_SIZE
][2][RED_DIGITS
];
286 memset(red_Y
, 0, sizeof(red_Y
));
287 memset(red_table
, 0, sizeof(red_table
));
288 memset(red_X
, 0, sizeof(red_X
));
291 * Compute table of powers base^i, i = 0, ..., (2^EXP_WIN_SIZE) - 1
292 * table[0] = mont(x^0) = mont(1)
293 * table[1] = mont(x^1) = mont(x)
297 DAMM(red_table
[0][0], (const BN_ULONG
*)red_X
, rr
, m
, k0
);
298 DAMM(red_table
[1][0], base
, rr
, m
, k0
);
300 for (idx
= 1; idx
< (int)((1U << EXP_WIN_SIZE
) / 2); idx
++) {
301 DAMS(red_table
[2 * idx
+ 0][0], red_table
[1 * idx
][0], m
, k0
);
302 DAMM(red_table
[2 * idx
+ 1][0], red_table
[2 * idx
][0], red_table
[1][0], m
, k0
);
305 /* Copy and expand exponents */
306 memcpy(expz
[0], exp
[0], EXP_DIGITS
* sizeof(BN_ULONG
));
307 expz
[0][EXP_DIGITS
] = 0;
308 memcpy(expz
[1], exp
[1], EXP_DIGITS
* sizeof(BN_ULONG
));
309 expz
[1][EXP_DIGITS
] = 0;
313 int rem
= BITSIZE_MODULUS
% EXP_WIN_SIZE
;
314 int delta
= rem
? rem
: EXP_WIN_SIZE
;
315 BN_ULONG table_idx_mask
= EXP_WIN_MASK
;
317 int exp_bit_no
= BITSIZE_MODULUS
- delta
;
318 int exp_chunk_no
= exp_bit_no
/ 64;
319 int exp_chunk_shift
= exp_bit_no
% 64;
321 /* Process 1-st exp window - just init result */
322 BN_ULONG red_table_idx_0
= expz
[0][exp_chunk_no
];
323 BN_ULONG red_table_idx_1
= expz
[1][exp_chunk_no
];
325 * The function operates with fixed moduli sizes divisible by 64,
326 * thus table index here is always in supported range [0, EXP_WIN_SIZE).
328 red_table_idx_0
>>= exp_chunk_shift
;
329 red_table_idx_1
>>= exp_chunk_shift
;
331 extract_multiplier_2x20_win5(red_Y
[0], (const BN_ULONG
*)red_table
, (int)red_table_idx_0
, 0);
332 extract_multiplier_2x20_win5(red_Y
[1], (const BN_ULONG
*)red_table
, (int)red_table_idx_1
, 1);
334 /* Process other exp windows */
335 for (exp_bit_no
-= EXP_WIN_SIZE
; exp_bit_no
>= 0; exp_bit_no
-= EXP_WIN_SIZE
) {
336 /* Extract pre-computed multiplier from the table */
340 exp_chunk_no
= exp_bit_no
/ 64;
341 exp_chunk_shift
= exp_bit_no
% 64;
343 red_table_idx_0
= expz
[0][exp_chunk_no
];
344 T
= expz
[0][exp_chunk_no
+ 1];
346 red_table_idx_0
>>= exp_chunk_shift
;
348 * Get additional bits from then next quadword
349 * when 64-bit boundaries are crossed.
351 if (exp_chunk_shift
> 64 - EXP_WIN_SIZE
) {
352 T
<<= (64 - exp_chunk_shift
);
353 red_table_idx_0
^= T
;
355 red_table_idx_0
&= table_idx_mask
;
357 extract_multiplier_2x20_win5(red_X
[0], (const BN_ULONG
*)red_table
, (int)red_table_idx_0
, 0);
360 red_table_idx_1
= expz
[1][exp_chunk_no
];
361 T
= expz
[1][exp_chunk_no
+ 1];
363 red_table_idx_1
>>= exp_chunk_shift
;
365 * Get additional bits from then next quadword
366 * when 64-bit boundaries are crossed.
368 if (exp_chunk_shift
> 64 - EXP_WIN_SIZE
) {
369 T
<<= (64 - exp_chunk_shift
);
370 red_table_idx_1
^= T
;
372 red_table_idx_1
&= table_idx_mask
;
374 extract_multiplier_2x20_win5(red_X
[1], (const BN_ULONG
*)red_table
, (int)red_table_idx_1
, 1);
378 /* Series of squaring */
379 DAMS((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, m
, k0
);
380 DAMS((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, m
, k0
);
381 DAMS((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, m
, k0
);
382 DAMS((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, m
, k0
);
383 DAMS((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, m
, k0
);
385 DAMM((BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_X
, m
, k0
);
391 * NB: After the last AMM of exponentiation in Montgomery domain, the result
392 * may be 1025-bit, but the conversion out of Montgomery domain performs an
393 * AMM(x,1) which guarantees that the final result is less than |m|, so no
394 * conditional subtraction is needed here. See "Efficient Software
395 * Implementations of Modular Exponentiation" (by Shay Gueron) paper for details.
398 /* Convert result back in regular 2^52 domain */
399 memset(red_X
, 0, sizeof(red_X
));
402 DAMM(out
, (const BN_ULONG
*)red_Y
, (const BN_ULONG
*)red_X
, m
, k0
);
404 /* Clear exponents */
405 OPENSSL_cleanse(expz
, sizeof(expz
));
406 OPENSSL_cleanse(red_Y
, sizeof(red_Y
));
414 # undef BITSIZE_MODULUS
417 static ossl_inline
uint64_t get_digit52(const uint8_t *in
, int in_len
)
423 for (; in_len
> 0; in_len
--) {
425 digit
+= (uint64_t)(in
[in_len
- 1]);
431 * Convert array of words in regular (base=2^64) representation to array of
432 * words in redundant (base=2^52) one.
434 static void to_words52(BN_ULONG
*out
, int out_len
,
435 const BN_ULONG
*in
, int in_bitsize
)
437 uint8_t *in_str
= NULL
;
441 /* Check destination buffer capacity */
442 assert(out_len
>= number_of_digits(in_bitsize
, DIGIT_SIZE
));
444 in_str
= (uint8_t *)in
;
446 for (; in_bitsize
>= (2 * DIGIT_SIZE
); in_bitsize
-= (2 * DIGIT_SIZE
), out
+= 2) {
447 out
[0] = (*(uint64_t *)in_str
) & DIGIT_MASK
;
449 out
[1] = ((*(uint64_t *)in_str
) >> 4) & DIGIT_MASK
;
454 if (in_bitsize
> DIGIT_SIZE
) {
455 uint64_t digit
= get_digit52(in_str
, 7);
457 out
[0] = digit
& DIGIT_MASK
;
459 in_bitsize
-= DIGIT_SIZE
;
460 digit
= get_digit52(in_str
, BITS2WORD8_SIZE(in_bitsize
));
464 } else if (in_bitsize
> 0) {
465 out
[0] = get_digit52(in_str
, BITS2WORD8_SIZE(in_bitsize
));
470 while (out_len
> 0) {
477 static ossl_inline
void put_digit52(uint8_t *pStr
, int strLen
, uint64_t digit
)
479 assert(pStr
!= NULL
);
481 for (; strLen
> 0; strLen
--) {
482 *pStr
++ = (uint8_t)(digit
& 0xFF);
488 * Convert array of words in redundant (base=2^52) representation to array of
489 * words in regular (base=2^64) one.
491 static void from_words52(BN_ULONG
*out
, int out_bitsize
, const BN_ULONG
*in
)
494 int out_len
= BITS2WORD64_SIZE(out_bitsize
);
499 for (i
= 0; i
< out_len
; i
++)
503 uint8_t *out_str
= (uint8_t *)out
;
505 for (; out_bitsize
>= (2 * DIGIT_SIZE
); out_bitsize
-= (2 * DIGIT_SIZE
), in
+= 2) {
506 (*(uint64_t *)out_str
) = in
[0];
508 (*(uint64_t *)out_str
) ^= in
[1] << 4;
512 if (out_bitsize
> DIGIT_SIZE
) {
513 put_digit52(out_str
, 7, in
[0]);
515 out_bitsize
-= DIGIT_SIZE
;
516 put_digit52(out_str
, BITS2WORD8_SIZE(out_bitsize
),
517 (in
[1] << 4 | in
[0] >> 48));
518 } else if (out_bitsize
) {
519 put_digit52(out_str
, BITS2WORD8_SIZE(out_bitsize
), in
[0]);
525 * Set bit at index |idx| in the words array |a|.
526 * It does not do any boundaries checks, make sure the index is valid before
527 * calling the function.
529 static ossl_inline
void set_bit(BN_ULONG
*a
, int idx
)
538 a
[i
] |= (((BN_ULONG
)1) << j
);