]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/bn/asm/via-mont.pl
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Also check for errors in x86_64-xlate.pl.
[thirdparty/openssl.git] / crypto / bn / asm / via-mont.pl
1 #! /usr/bin/env perl
2 # Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 #
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
16 #
17 # Wrapper around 'rep montmul', VIA-specific instruction accessing
18 # PadLock Montgomery Multiplier. The wrapper is designed as drop-in
19 # replacement for OpenSSL bn_mul_mont [first implemented in 0.9.9].
20 #
21 # Below are interleaved outputs from 'openssl speed rsa dsa' for 4
22 # different software configurations on 1.5GHz VIA Esther processor.
23 # Lines marked with "software integer" denote performance of hand-
24 # coded integer-only assembler found in OpenSSL 0.9.7. "Software SSE2"
25 # refers to hand-coded SSE2 Montgomery multiplication procedure found
26 # OpenSSL 0.9.9. "Hardware VIA SDK" refers to padlock_pmm routine from
27 # Padlock SDK 2.0.1 available for download from VIA, which naturally
28 # utilizes the magic 'repz montmul' instruction. And finally "hardware
29 # this" refers to *this* implementation which also uses 'repz montmul'
30 #
31 # sign verify sign/s verify/s
32 # rsa 512 bits 0.001720s 0.000140s 581.4 7149.7 software integer
33 # rsa 512 bits 0.000690s 0.000086s 1450.3 11606.0 software SSE2
34 # rsa 512 bits 0.006136s 0.000201s 163.0 4974.5 hardware VIA SDK
35 # rsa 512 bits 0.000712s 0.000050s 1404.9 19858.5 hardware this
36 #
37 # rsa 1024 bits 0.008518s 0.000413s 117.4 2420.8 software integer
38 # rsa 1024 bits 0.004275s 0.000277s 233.9 3609.7 software SSE2
39 # rsa 1024 bits 0.012136s 0.000260s 82.4 3844.5 hardware VIA SDK
40 # rsa 1024 bits 0.002522s 0.000116s 396.5 8650.9 hardware this
41 #
42 # rsa 2048 bits 0.050101s 0.001371s 20.0 729.6 software integer
43 # rsa 2048 bits 0.030273s 0.001008s 33.0 991.9 software SSE2
44 # rsa 2048 bits 0.030833s 0.000976s 32.4 1025.1 hardware VIA SDK
45 # rsa 2048 bits 0.011879s 0.000342s 84.2 2921.7 hardware this
46 #
47 # rsa 4096 bits 0.327097s 0.004859s 3.1 205.8 software integer
48 # rsa 4096 bits 0.229318s 0.003859s 4.4 259.2 software SSE2
49 # rsa 4096 bits 0.233953s 0.003274s 4.3 305.4 hardware VIA SDK
50 # rsa 4096 bits 0.070493s 0.001166s 14.2 857.6 hardware this
51 #
52 # dsa 512 bits 0.001342s 0.001651s 745.2 605.7 software integer
53 # dsa 512 bits 0.000844s 0.000987s 1185.3 1013.1 software SSE2
54 # dsa 512 bits 0.001902s 0.002247s 525.6 444.9 hardware VIA SDK
55 # dsa 512 bits 0.000458s 0.000524s 2182.2 1909.1 hardware this
56 #
57 # dsa 1024 bits 0.003964s 0.004926s 252.3 203.0 software integer
58 # dsa 1024 bits 0.002686s 0.003166s 372.3 315.8 software SSE2
59 # dsa 1024 bits 0.002397s 0.002823s 417.1 354.3 hardware VIA SDK
60 # dsa 1024 bits 0.000978s 0.001170s 1022.2 855.0 hardware this
61 #
62 # dsa 2048 bits 0.013280s 0.016518s 75.3 60.5 software integer
63 # dsa 2048 bits 0.009911s 0.011522s 100.9 86.8 software SSE2
64 # dsa 2048 bits 0.009542s 0.011763s 104.8 85.0 hardware VIA SDK
65 # dsa 2048 bits 0.002884s 0.003352s 346.8 298.3 hardware this
66 #
67 # To give you some other reference point here is output for 2.4GHz P4
68 # running hand-coded SSE2 bn_mul_mont found in 0.9.9, i.e. "software
69 # SSE2" in above terms.
70 #
71 # rsa 512 bits 0.000407s 0.000047s 2454.2 21137.0
72 # rsa 1024 bits 0.002426s 0.000141s 412.1 7100.0
73 # rsa 2048 bits 0.015046s 0.000491s 66.5 2034.9
74 # rsa 4096 bits 0.109770s 0.002379s 9.1 420.3
75 # dsa 512 bits 0.000438s 0.000525s 2281.1 1904.1
76 # dsa 1024 bits 0.001346s 0.001595s 742.7 627.0
77 # dsa 2048 bits 0.004745s 0.005582s 210.7 179.1
78 #
79 # Conclusions:
80 # - VIA SDK leaves a *lot* of room for improvement (which this
81 # implementation successfully fills:-);
82 # - 'rep montmul' gives up to >3x performance improvement depending on
83 # key length;
84 # - in terms of absolute performance it delivers approximately as much
85 # as modern out-of-order 32-bit cores [again, for longer keys].
86
87 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
88 push(@INC,"${dir}","${dir}../../perlasm");
89 require "x86asm.pl";
90
91 $output = pop and open STDOUT,">$output";
92
93 &asm_init($ARGV[0]);
94
95 # int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np,const BN_ULONG *n0, int num);
96 $func="bn_mul_mont_padlock";
97
98 $pad=16*1; # amount of reserved bytes on top of every vector
99
100 # stack layout
101 $mZeroPrime=&DWP(0,"esp"); # these are specified by VIA
102 $A=&DWP(4,"esp");
103 $B=&DWP(8,"esp");
104 $T=&DWP(12,"esp");
105 $M=&DWP(16,"esp");
106 $scratch=&DWP(20,"esp");
107 $rp=&DWP(24,"esp"); # these are mine
108 $sp=&DWP(28,"esp");
109 # &DWP(32,"esp") # 32 byte scratch area
110 # &DWP(64+(4*$num+$pad)*0,"esp") # padded tp[num]
111 # &DWP(64+(4*$num+$pad)*1,"esp") # padded copy of ap[num]
112 # &DWP(64+(4*$num+$pad)*2,"esp") # padded copy of bp[num]
113 # &DWP(64+(4*$num+$pad)*3,"esp") # padded copy of np[num]
114 # Note that SDK suggests to unconditionally allocate 2K per vector. This
115 # has quite an impact on performance. It naturally depends on key length,
116 # but to give an example 1024 bit private RSA key operations suffer >30%
117 # penalty. I allocate only as much as actually required...
118
119 &function_begin($func);
120 &xor ("eax","eax");
121 &mov ("ecx",&wparam(5)); # num
122 # meet VIA's limitations for num [note that the specification
123 # expresses them in bits, while we work with amount of 32-bit words]
124 &test ("ecx",3);
125 &jnz (&label("leave")); # num % 4 != 0
126 &cmp ("ecx",8);
127 &jb (&label("leave")); # num < 8
128 &cmp ("ecx",1024);
129 &ja (&label("leave")); # num > 1024
130
131 &pushf ();
132 &cld ();
133
134 &mov ("edi",&wparam(0)); # rp
135 &mov ("eax",&wparam(1)); # ap
136 &mov ("ebx",&wparam(2)); # bp
137 &mov ("edx",&wparam(3)); # np
138 &mov ("esi",&wparam(4)); # n0
139 &mov ("esi",&DWP(0,"esi")); # *n0
140
141 &lea ("ecx",&DWP($pad,"","ecx",4)); # ecx becomes vector size in bytes
142 &lea ("ebp",&DWP(64,"","ecx",4)); # allocate 4 vectors + 64 bytes
143 &neg ("ebp");
144 &add ("ebp","esp");
145 &and ("ebp",-64); # align to cache-line
146 &xchg ("ebp","esp"); # alloca
147
148 &mov ($rp,"edi"); # save rp
149 &mov ($sp,"ebp"); # save esp
150
151 &mov ($mZeroPrime,"esi");
152 &lea ("esi",&DWP(64,"esp")); # tp
153 &mov ($T,"esi");
154 &lea ("edi",&DWP(32,"esp")); # scratch area
155 &mov ($scratch,"edi");
156 &mov ("esi","eax");
157
158 &lea ("ebp",&DWP(-$pad,"ecx"));
159 &shr ("ebp",2); # restore original num value in ebp
160
161 &xor ("eax","eax");
162
163 &mov ("ecx","ebp");
164 &lea ("ecx",&DWP((32+$pad)/4,"ecx"));# padded tp + scratch
165 &data_byte(0xf3,0xab); # rep stosl, bzero
166
167 &mov ("ecx","ebp");
168 &lea ("edi",&DWP(64+$pad,"esp","ecx",4));# pointer to ap copy
169 &mov ($A,"edi");
170 &data_byte(0xf3,0xa5); # rep movsl, memcpy
171 &mov ("ecx",$pad/4);
172 &data_byte(0xf3,0xab); # rep stosl, bzero pad
173 # edi points at the end of padded ap copy...
174
175 &mov ("ecx","ebp");
176 &mov ("esi","ebx");
177 &mov ($B,"edi");
178 &data_byte(0xf3,0xa5); # rep movsl, memcpy
179 &mov ("ecx",$pad/4);
180 &data_byte(0xf3,0xab); # rep stosl, bzero pad
181 # edi points at the end of padded bp copy...
182
183 &mov ("ecx","ebp");
184 &mov ("esi","edx");
185 &mov ($M,"edi");
186 &data_byte(0xf3,0xa5); # rep movsl, memcpy
187 &mov ("ecx",$pad/4);
188 &data_byte(0xf3,0xab); # rep stosl, bzero pad
189 # edi points at the end of padded np copy...
190
191 # let magic happen...
192 &mov ("ecx","ebp");
193 &mov ("esi","esp");
194 &shl ("ecx",5); # convert word counter to bit counter
195 &align (4);
196 &data_byte(0xf3,0x0f,0xa6,0xc0);# rep montmul
197
198 &mov ("ecx","ebp");
199 &lea ("esi",&DWP(64,"esp")); # tp
200 # edi still points at the end of padded np copy...
201 &neg ("ebp");
202 &lea ("ebp",&DWP(-$pad,"edi","ebp",4)); # so just "rewind"
203 &mov ("edi",$rp); # restore rp
204 &xor ("edx","edx"); # i=0 and clear CF
205
206 &set_label("sub",8);
207 &mov ("eax",&DWP(0,"esi","edx",4));
208 &sbb ("eax",&DWP(0,"ebp","edx",4));
209 &mov (&DWP(0,"edi","edx",4),"eax"); # rp[i]=tp[i]-np[i]
210 &lea ("edx",&DWP(1,"edx")); # i++
211 &loop (&label("sub")); # doesn't affect CF!
212
213 &mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit
214 &sbb ("eax",0);
215
216 &mov ("ecx","edx"); # num
217 &mov ("edx",0); # i=0
218
219 &set_label("copy",8);
220 &mov ("ebx",&DWP(0,"esi","edx",4));
221 &mov ("eax",&DWP(0,"edi","edx",4));
222 &mov (&DWP(0,"esi","edx",4),"ecx"); # zap tp
223 &cmovc ("eax","ebx");
224 &mov (&DWP(0,"edi","edx",4),"eax");
225 &lea ("edx",&DWP(1,"edx")); # i++
226 &loop (&label("copy"));
227
228 &mov ("ebp",$sp);
229 &xor ("eax","eax");
230
231 &mov ("ecx",64/4);
232 &mov ("edi","esp"); # zap frame including scratch area
233 &data_byte(0xf3,0xab); # rep stosl, bzero
234
235 # zap copies of ap, bp and np
236 &lea ("edi",&DWP(64+$pad,"esp","edx",4));# pointer to ap
237 &lea ("ecx",&DWP(3*$pad/4,"edx","edx",2));
238 &data_byte(0xf3,0xab); # rep stosl, bzero
239
240 &mov ("esp","ebp");
241 &inc ("eax"); # signal "done"
242 &popf ();
243 &set_label("leave");
244 &function_end($func);
245
246 &asciz("Padlock Montgomery Multiplication, CRYPTOGAMS by <appro\@openssl.org>");
247
248 &asm_finish();
249
250 close STDOUT or die "error closing STDOUT: $!";
A mirror of the official openssl repository