]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ec/asm/ecp_nistz256-ppc64.pl
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / ec / asm / ecp_nistz256-ppc64.pl
1 #! /usr/bin/env perl
2 # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 #
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
16 #
17 # ECP_NISTZ256 module for PPC64.
18 #
19 # August 2016.
20 #
21 # Original ECP_NISTZ256 submission targeting x86_64 is detailed in
22 # http://eprint.iacr.org/2013/816.
23 #
24 # with/without -DECP_NISTZ256_ASM
25 # POWER7 +260-530%
26 # POWER8 +220-340%
27
28 # $output is the last argument if it looks like a file (it has an extension)
29 # $flavour is the first argument if it doesn't look like a file
30 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
31 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
32
33 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
34 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
35 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
36 die "can't locate ppc-xlate.pl";
37
38 open OUT,"| \"$^X\" $xlate $flavour \"$output\""
39 or die "can't call $xlate: $!";
40 *STDOUT=*OUT;
41
42 my $sp="r1";
43
44 {
45 my ($rp,$ap,$bp,$bi,$acc0,$acc1,$acc2,$acc3,$poly1,$poly3,
46 $acc4,$acc5,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3) =
47 map("r$_",(3..12,22..31));
48
49 my ($acc6,$acc7)=($bp,$bi); # used in __ecp_nistz256_sqr_mont
50
51 $code.=<<___;
52 .machine "any"
53 .text
54 ___
55 ########################################################################
56 # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7
57 #
58 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
59 open TABLE,"<ecp_nistz256_table.c" or
60 open TABLE,"<${dir}../ecp_nistz256_table.c" or
61 die "failed to open ecp_nistz256_table.c:",$!;
62
63 use integer;
64
65 foreach(<TABLE>) {
66 s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo;
67 }
68 close TABLE;
69
70 # See ecp_nistz256_table.c for explanation for why it's 64*16*37.
71 # 64*16*37-1 is because $#arr returns last valid index or @arr, not
72 # amount of elements.
73 die "insane number of elements" if ($#arr != 64*16*37-1);
74
75 $code.=<<___;
76 .type ecp_nistz256_precomputed,\@object
77 .globl ecp_nistz256_precomputed
78 .align 12
79 ecp_nistz256_precomputed:
80 ___
81 ########################################################################
82 # this conversion smashes P256_POINT_AFFINE by individual bytes with
83 # 64 byte interval, similar to
84 # 1111222233334444
85 # 1234123412341234
86 for(1..37) {
87 @tbl = splice(@arr,0,64*16);
88 for($i=0;$i<64;$i++) {
89 undef @line;
90 for($j=0;$j<64;$j++) {
91 push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff;
92 }
93 $code.=".byte\t";
94 $code.=join(',',map { sprintf "0x%02x",$_} @line);
95 $code.="\n";
96 }
97 }
98
99 $code.=<<___;
100 .size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed
101 .asciz "ECP_NISTZ256 for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
102
103 # void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],
104 # const BN_ULONG x2[4]);
105 .globl ecp_nistz256_mul_mont
106 .align 5
107 ecp_nistz256_mul_mont:
108 stdu $sp,-128($sp)
109 mflr r0
110 std r22,48($sp)
111 std r23,56($sp)
112 std r24,64($sp)
113 std r25,72($sp)
114 std r26,80($sp)
115 std r27,88($sp)
116 std r28,96($sp)
117 std r29,104($sp)
118 std r30,112($sp)
119 std r31,120($sp)
120
121 ld $a0,0($ap)
122 ld $bi,0($bp)
123 ld $a1,8($ap)
124 ld $a2,16($ap)
125 ld $a3,24($ap)
126
127 li $poly1,-1
128 srdi $poly1,$poly1,32 # 0x00000000ffffffff
129 li $poly3,1
130 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
131
132 bl __ecp_nistz256_mul_mont
133
134 mtlr r0
135 ld r22,48($sp)
136 ld r23,56($sp)
137 ld r24,64($sp)
138 ld r25,72($sp)
139 ld r26,80($sp)
140 ld r27,88($sp)
141 ld r28,96($sp)
142 ld r29,104($sp)
143 ld r30,112($sp)
144 ld r31,120($sp)
145 addi $sp,$sp,128
146 blr
147 .long 0
148 .byte 0,12,4,0,0x80,10,3,0
149 .long 0
150 .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
151
152 # void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);
153 .globl ecp_nistz256_sqr_mont
154 .align 4
155 ecp_nistz256_sqr_mont:
156 stdu $sp,-128($sp)
157 mflr r0
158 std r22,48($sp)
159 std r23,56($sp)
160 std r24,64($sp)
161 std r25,72($sp)
162 std r26,80($sp)
163 std r27,88($sp)
164 std r28,96($sp)
165 std r29,104($sp)
166 std r30,112($sp)
167 std r31,120($sp)
168
169 ld $a0,0($ap)
170 ld $a1,8($ap)
171 ld $a2,16($ap)
172 ld $a3,24($ap)
173
174 li $poly1,-1
175 srdi $poly1,$poly1,32 # 0x00000000ffffffff
176 li $poly3,1
177 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
178
179 bl __ecp_nistz256_sqr_mont
180
181 mtlr r0
182 ld r22,48($sp)
183 ld r23,56($sp)
184 ld r24,64($sp)
185 ld r25,72($sp)
186 ld r26,80($sp)
187 ld r27,88($sp)
188 ld r28,96($sp)
189 ld r29,104($sp)
190 ld r30,112($sp)
191 ld r31,120($sp)
192 addi $sp,$sp,128
193 blr
194 .long 0
195 .byte 0,12,4,0,0x80,10,2,0
196 .long 0
197 .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
198
199 # void ecp_nistz256_add(BN_ULONG x0[4],const BN_ULONG x1[4],
200 # const BN_ULONG x2[4]);
201 .globl ecp_nistz256_add
202 .align 4
203 ecp_nistz256_add:
204 stdu $sp,-128($sp)
205 mflr r0
206 std r28,96($sp)
207 std r29,104($sp)
208 std r30,112($sp)
209 std r31,120($sp)
210
211 ld $acc0,0($ap)
212 ld $t0, 0($bp)
213 ld $acc1,8($ap)
214 ld $t1, 8($bp)
215 ld $acc2,16($ap)
216 ld $t2, 16($bp)
217 ld $acc3,24($ap)
218 ld $t3, 24($bp)
219
220 li $poly1,-1
221 srdi $poly1,$poly1,32 # 0x00000000ffffffff
222 li $poly3,1
223 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
224
225 bl __ecp_nistz256_add
226
227 mtlr r0
228 ld r28,96($sp)
229 ld r29,104($sp)
230 ld r30,112($sp)
231 ld r31,120($sp)
232 addi $sp,$sp,128
233 blr
234 .long 0
235 .byte 0,12,4,0,0x80,4,3,0
236 .long 0
237 .size ecp_nistz256_add,.-ecp_nistz256_add
238
239 # void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
240 .globl ecp_nistz256_div_by_2
241 .align 4
242 ecp_nistz256_div_by_2:
243 stdu $sp,-128($sp)
244 mflr r0
245 std r28,96($sp)
246 std r29,104($sp)
247 std r30,112($sp)
248 std r31,120($sp)
249
250 ld $acc0,0($ap)
251 ld $acc1,8($ap)
252 ld $acc2,16($ap)
253 ld $acc3,24($ap)
254
255 li $poly1,-1
256 srdi $poly1,$poly1,32 # 0x00000000ffffffff
257 li $poly3,1
258 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
259
260 bl __ecp_nistz256_div_by_2
261
262 mtlr r0
263 ld r28,96($sp)
264 ld r29,104($sp)
265 ld r30,112($sp)
266 ld r31,120($sp)
267 addi $sp,$sp,128
268 blr
269 .long 0
270 .byte 0,12,4,0,0x80,4,2,0
271 .long 0
272 .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
273
274 # void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);
275 .globl ecp_nistz256_mul_by_2
276 .align 4
277 ecp_nistz256_mul_by_2:
278 stdu $sp,-128($sp)
279 mflr r0
280 std r28,96($sp)
281 std r29,104($sp)
282 std r30,112($sp)
283 std r31,120($sp)
284
285 ld $acc0,0($ap)
286 ld $acc1,8($ap)
287 ld $acc2,16($ap)
288 ld $acc3,24($ap)
289
290 mr $t0,$acc0
291 mr $t1,$acc1
292 mr $t2,$acc2
293 mr $t3,$acc3
294
295 li $poly1,-1
296 srdi $poly1,$poly1,32 # 0x00000000ffffffff
297 li $poly3,1
298 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
299
300 bl __ecp_nistz256_add # ret = a+a // 2*a
301
302 mtlr r0
303 ld r28,96($sp)
304 ld r29,104($sp)
305 ld r30,112($sp)
306 ld r31,120($sp)
307 addi $sp,$sp,128
308 blr
309 .long 0
310 .byte 0,12,4,0,0x80,4,3,0
311 .long 0
312 .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
313
314 # void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);
315 .globl ecp_nistz256_mul_by_3
316 .align 4
317 ecp_nistz256_mul_by_3:
318 stdu $sp,-128($sp)
319 mflr r0
320 std r28,96($sp)
321 std r29,104($sp)
322 std r30,112($sp)
323 std r31,120($sp)
324
325 ld $acc0,0($ap)
326 ld $acc1,8($ap)
327 ld $acc2,16($ap)
328 ld $acc3,24($ap)
329
330 mr $t0,$acc0
331 std $acc0,64($sp)
332 mr $t1,$acc1
333 std $acc1,72($sp)
334 mr $t2,$acc2
335 std $acc2,80($sp)
336 mr $t3,$acc3
337 std $acc3,88($sp)
338
339 li $poly1,-1
340 srdi $poly1,$poly1,32 # 0x00000000ffffffff
341 li $poly3,1
342 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
343
344 bl __ecp_nistz256_add # ret = a+a // 2*a
345
346 ld $t0,64($sp)
347 ld $t1,72($sp)
348 ld $t2,80($sp)
349 ld $t3,88($sp)
350
351 bl __ecp_nistz256_add # ret += a // 2*a+a=3*a
352
353 mtlr r0
354 ld r28,96($sp)
355 ld r29,104($sp)
356 ld r30,112($sp)
357 ld r31,120($sp)
358 addi $sp,$sp,128
359 blr
360 .long 0
361 .byte 0,12,4,0,0x80,4,2,0
362 .long 0
363 .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
364
365 # void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],
366 # const BN_ULONG x2[4]);
367 .globl ecp_nistz256_sub
368 .align 4
369 ecp_nistz256_sub:
370 stdu $sp,-128($sp)
371 mflr r0
372 std r28,96($sp)
373 std r29,104($sp)
374 std r30,112($sp)
375 std r31,120($sp)
376
377 ld $acc0,0($ap)
378 ld $acc1,8($ap)
379 ld $acc2,16($ap)
380 ld $acc3,24($ap)
381
382 li $poly1,-1
383 srdi $poly1,$poly1,32 # 0x00000000ffffffff
384 li $poly3,1
385 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
386
387 bl __ecp_nistz256_sub_from
388
389 mtlr r0
390 ld r28,96($sp)
391 ld r29,104($sp)
392 ld r30,112($sp)
393 ld r31,120($sp)
394 addi $sp,$sp,128
395 blr
396 .long 0
397 .byte 0,12,4,0,0x80,4,3,0
398 .long 0
399 .size ecp_nistz256_sub,.-ecp_nistz256_sub
400
401 # void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);
402 .globl ecp_nistz256_neg
403 .align 4
404 ecp_nistz256_neg:
405 stdu $sp,-128($sp)
406 mflr r0
407 std r28,96($sp)
408 std r29,104($sp)
409 std r30,112($sp)
410 std r31,120($sp)
411
412 mr $bp,$ap
413 li $acc0,0
414 li $acc1,0
415 li $acc2,0
416 li $acc3,0
417
418 li $poly1,-1
419 srdi $poly1,$poly1,32 # 0x00000000ffffffff
420 li $poly3,1
421 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
422
423 bl __ecp_nistz256_sub_from
424
425 mtlr r0
426 ld r28,96($sp)
427 ld r29,104($sp)
428 ld r30,112($sp)
429 ld r31,120($sp)
430 addi $sp,$sp,128
431 blr
432 .long 0
433 .byte 0,12,4,0,0x80,4,2,0
434 .long 0
435 .size ecp_nistz256_neg,.-ecp_nistz256_neg
436
437 # note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded
438 # to $a0-$a3 and b[0] - to $bi
439 .type __ecp_nistz256_mul_mont,\@function
440 .align 4
441 __ecp_nistz256_mul_mont:
442 mulld $acc0,$a0,$bi # a[0]*b[0]
443 mulhdu $t0,$a0,$bi
444
445 mulld $acc1,$a1,$bi # a[1]*b[0]
446 mulhdu $t1,$a1,$bi
447
448 mulld $acc2,$a2,$bi # a[2]*b[0]
449 mulhdu $t2,$a2,$bi
450
451 mulld $acc3,$a3,$bi # a[3]*b[0]
452 mulhdu $t3,$a3,$bi
453 ld $bi,8($bp) # b[1]
454
455 addc $acc1,$acc1,$t0 # accumulate high parts of multiplication
456 sldi $t0,$acc0,32
457 adde $acc2,$acc2,$t1
458 srdi $t1,$acc0,32
459 adde $acc3,$acc3,$t2
460 addze $acc4,$t3
461 li $acc5,0
462 ___
463 for($i=1;$i<4;$i++) {
464 ################################################################
465 # Reduction iteration is normally performed by accumulating
466 # result of multiplication of modulus by "magic" digit [and
467 # omitting least significant word, which is guaranteed to
468 # be 0], but thanks to special form of modulus and "magic"
469 # digit being equal to least significant word, it can be
470 # performed with additions and subtractions alone. Indeed:
471 #
472 # ffff0001.00000000.0000ffff.ffffffff
473 # * abcdefgh
474 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
475 #
476 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
477 # rewrite above as:
478 #
479 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh
480 # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000
481 # - 0000abcd.efgh0000.00000000.00000000.abcdefgh
482 #
483 # or marking redundant operations:
484 #
485 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.--------
486 # + abcdefgh.abcdefgh.0000abcd.efgh0000.--------
487 # - 0000abcd.efgh0000.--------.--------.--------
488
489 $code.=<<___;
490 subfc $t2,$t0,$acc0 # "*0xffff0001"
491 subfe $t3,$t1,$acc0
492 addc $acc0,$acc1,$t0 # +=acc[0]<<96 and omit acc[0]
493 adde $acc1,$acc2,$t1
494 adde $acc2,$acc3,$t2 # +=acc[0]*0xffff0001
495 adde $acc3,$acc4,$t3
496 addze $acc4,$acc5
497
498 mulld $t0,$a0,$bi # lo(a[0]*b[i])
499 mulld $t1,$a1,$bi # lo(a[1]*b[i])
500 mulld $t2,$a2,$bi # lo(a[2]*b[i])
501 mulld $t3,$a3,$bi # lo(a[3]*b[i])
502 addc $acc0,$acc0,$t0 # accumulate low parts of multiplication
503 mulhdu $t0,$a0,$bi # hi(a[0]*b[i])
504 adde $acc1,$acc1,$t1
505 mulhdu $t1,$a1,$bi # hi(a[1]*b[i])
506 adde $acc2,$acc2,$t2
507 mulhdu $t2,$a2,$bi # hi(a[2]*b[i])
508 adde $acc3,$acc3,$t3
509 mulhdu $t3,$a3,$bi # hi(a[3]*b[i])
510 addze $acc4,$acc4
511 ___
512 $code.=<<___ if ($i<3);
513 ld $bi,8*($i+1)($bp) # b[$i+1]
514 ___
515 $code.=<<___;
516 addc $acc1,$acc1,$t0 # accumulate high parts of multiplication
517 sldi $t0,$acc0,32
518 adde $acc2,$acc2,$t1
519 srdi $t1,$acc0,32
520 adde $acc3,$acc3,$t2
521 adde $acc4,$acc4,$t3
522 li $acc5,0
523 addze $acc5,$acc5
524 ___
525 }
526 $code.=<<___;
527 # last reduction
528 subfc $t2,$t0,$acc0 # "*0xffff0001"
529 subfe $t3,$t1,$acc0
530 addc $acc0,$acc1,$t0 # +=acc[0]<<96 and omit acc[0]
531 adde $acc1,$acc2,$t1
532 adde $acc2,$acc3,$t2 # +=acc[0]*0xffff0001
533 adde $acc3,$acc4,$t3
534 addze $acc4,$acc5
535
536 li $t2,0
537 addic $acc0,$acc0,1 # ret -= modulus
538 subfe $acc1,$poly1,$acc1
539 subfe $acc2,$t2,$acc2
540 subfe $acc3,$poly3,$acc3
541 subfe $acc4,$t2,$acc4
542
543 addc $acc0,$acc0,$acc4 # ret += modulus if borrow
544 and $t1,$poly1,$acc4
545 and $t3,$poly3,$acc4
546 adde $acc1,$acc1,$t1
547 addze $acc2,$acc2
548 adde $acc3,$acc3,$t3
549
550 std $acc0,0($rp)
551 std $acc1,8($rp)
552 std $acc2,16($rp)
553 std $acc3,24($rp)
554
555 blr
556 .long 0
557 .byte 0,12,0x14,0,0,0,1,0
558 .long 0
559 .size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont
560
561 # note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded
562 # to $a0-$a3
563 .type __ecp_nistz256_sqr_mont,\@function
564 .align 4
565 __ecp_nistz256_sqr_mont:
566 ################################################################
567 # | | | | | |a1*a0| |
568 # | | | | |a2*a0| | |
569 # | |a3*a2|a3*a0| | | |
570 # | | | |a2*a1| | | |
571 # | | |a3*a1| | | | |
572 # *| | | | | | | | 2|
573 # +|a3*a3|a2*a2|a1*a1|a0*a0|
574 # |--+--+--+--+--+--+--+--|
575 # |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
576 #
577 # "can't overflow" below mark carrying into high part of
578 # multiplication result, which can't overflow, because it
579 # can never be all ones.
580
581 mulld $acc1,$a1,$a0 # a[1]*a[0]
582 mulhdu $t1,$a1,$a0
583 mulld $acc2,$a2,$a0 # a[2]*a[0]
584 mulhdu $t2,$a2,$a0
585 mulld $acc3,$a3,$a0 # a[3]*a[0]
586 mulhdu $acc4,$a3,$a0
587
588 addc $acc2,$acc2,$t1 # accumulate high parts of multiplication
589 mulld $t0,$a2,$a1 # a[2]*a[1]
590 mulhdu $t1,$a2,$a1
591 adde $acc3,$acc3,$t2
592 mulld $t2,$a3,$a1 # a[3]*a[1]
593 mulhdu $t3,$a3,$a1
594 addze $acc4,$acc4 # can't overflow
595
596 mulld $acc5,$a3,$a2 # a[3]*a[2]
597 mulhdu $acc6,$a3,$a2
598
599 addc $t1,$t1,$t2 # accumulate high parts of multiplication
600 addze $t2,$t3 # can't overflow
601
602 addc $acc3,$acc3,$t0 # accumulate low parts of multiplication
603 adde $acc4,$acc4,$t1
604 adde $acc5,$acc5,$t2
605 addze $acc6,$acc6 # can't overflow
606
607 addc $acc1,$acc1,$acc1 # acc[1-6]*=2
608 adde $acc2,$acc2,$acc2
609 adde $acc3,$acc3,$acc3
610 adde $acc4,$acc4,$acc4
611 adde $acc5,$acc5,$acc5
612 adde $acc6,$acc6,$acc6
613 li $acc7,0
614 addze $acc7,$acc7
615
616 mulld $acc0,$a0,$a0 # a[0]*a[0]
617 mulhdu $a0,$a0,$a0
618 mulld $t1,$a1,$a1 # a[1]*a[1]
619 mulhdu $a1,$a1,$a1
620 mulld $t2,$a2,$a2 # a[2]*a[2]
621 mulhdu $a2,$a2,$a2
622 mulld $t3,$a3,$a3 # a[3]*a[3]
623 mulhdu $a3,$a3,$a3
624 addc $acc1,$acc1,$a0 # +a[i]*a[i]
625 sldi $t0,$acc0,32
626 adde $acc2,$acc2,$t1
627 srdi $t1,$acc0,32
628 adde $acc3,$acc3,$a1
629 adde $acc4,$acc4,$t2
630 adde $acc5,$acc5,$a2
631 adde $acc6,$acc6,$t3
632 adde $acc7,$acc7,$a3
633 ___
634 for($i=0;$i<3;$i++) { # reductions, see commentary in
635 # multiplication for details
636 $code.=<<___;
637 subfc $t2,$t0,$acc0 # "*0xffff0001"
638 subfe $t3,$t1,$acc0
639 addc $acc0,$acc1,$t0 # +=acc[0]<<96 and omit acc[0]
640 sldi $t0,$acc0,32
641 adde $acc1,$acc2,$t1
642 srdi $t1,$acc0,32
643 adde $acc2,$acc3,$t2 # +=acc[0]*0xffff0001
644 addze $acc3,$t3 # can't overflow
645 ___
646 }
647 $code.=<<___;
648 subfc $t2,$t0,$acc0 # "*0xffff0001"
649 subfe $t3,$t1,$acc0
650 addc $acc0,$acc1,$t0 # +=acc[0]<<96 and omit acc[0]
651 adde $acc1,$acc2,$t1
652 adde $acc2,$acc3,$t2 # +=acc[0]*0xffff0001
653 addze $acc3,$t3 # can't overflow
654
655 addc $acc0,$acc0,$acc4 # accumulate upper half
656 adde $acc1,$acc1,$acc5
657 adde $acc2,$acc2,$acc6
658 adde $acc3,$acc3,$acc7
659 li $t2,0
660 addze $acc4,$t2
661
662 addic $acc0,$acc0,1 # ret -= modulus
663 subfe $acc1,$poly1,$acc1
664 subfe $acc2,$t2,$acc2
665 subfe $acc3,$poly3,$acc3
666 subfe $acc4,$t2,$acc4
667
668 addc $acc0,$acc0,$acc4 # ret += modulus if borrow
669 and $t1,$poly1,$acc4
670 and $t3,$poly3,$acc4
671 adde $acc1,$acc1,$t1
672 addze $acc2,$acc2
673 adde $acc3,$acc3,$t3
674
675 std $acc0,0($rp)
676 std $acc1,8($rp)
677 std $acc2,16($rp)
678 std $acc3,24($rp)
679
680 blr
681 .long 0
682 .byte 0,12,0x14,0,0,0,1,0
683 .long 0
684 .size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont
685
686 # Note that __ecp_nistz256_add expects both input vectors pre-loaded to
687 # $a0-$a3 and $t0-$t3. This is done because it's used in multiple
688 # contexts, e.g. in multiplication by 2 and 3...
689 .type __ecp_nistz256_add,\@function
690 .align 4
691 __ecp_nistz256_add:
692 addc $acc0,$acc0,$t0 # ret = a+b
693 adde $acc1,$acc1,$t1
694 adde $acc2,$acc2,$t2
695 li $t2,0
696 adde $acc3,$acc3,$t3
697 addze $t0,$t2
698
699 # if a+b >= modulus, subtract modulus
700 #
701 # But since comparison implies subtraction, we subtract
702 # modulus and then add it back if subtraction borrowed.
703
704 subic $acc0,$acc0,-1
705 subfe $acc1,$poly1,$acc1
706 subfe $acc2,$t2,$acc2
707 subfe $acc3,$poly3,$acc3
708 subfe $t0,$t2,$t0
709
710 addc $acc0,$acc0,$t0
711 and $t1,$poly1,$t0
712 and $t3,$poly3,$t0
713 adde $acc1,$acc1,$t1
714 addze $acc2,$acc2
715 adde $acc3,$acc3,$t3
716
717 std $acc0,0($rp)
718 std $acc1,8($rp)
719 std $acc2,16($rp)
720 std $acc3,24($rp)
721
722 blr
723 .long 0
724 .byte 0,12,0x14,0,0,0,3,0
725 .long 0
726 .size __ecp_nistz256_add,.-__ecp_nistz256_add
727
728 .type __ecp_nistz256_sub_from,\@function
729 .align 4
730 __ecp_nistz256_sub_from:
731 ld $t0,0($bp)
732 ld $t1,8($bp)
733 ld $t2,16($bp)
734 ld $t3,24($bp)
735 subfc $acc0,$t0,$acc0 # ret = a-b
736 subfe $acc1,$t1,$acc1
737 subfe $acc2,$t2,$acc2
738 subfe $acc3,$t3,$acc3
739 subfe $t0,$t0,$t0 # t0 = borrow ? -1 : 0
740
741 # if a-b borrowed, add modulus
742
743 addc $acc0,$acc0,$t0 # ret -= modulus & t0
744 and $t1,$poly1,$t0
745 and $t3,$poly3,$t0
746 adde $acc1,$acc1,$t1
747 addze $acc2,$acc2
748 adde $acc3,$acc3,$t3
749
750 std $acc0,0($rp)
751 std $acc1,8($rp)
752 std $acc2,16($rp)
753 std $acc3,24($rp)
754
755 blr
756 .long 0
757 .byte 0,12,0x14,0,0,0,3,0
758 .long 0
759 .size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from
760
761 .type __ecp_nistz256_sub_morf,\@function
762 .align 4
763 __ecp_nistz256_sub_morf:
764 ld $t0,0($bp)
765 ld $t1,8($bp)
766 ld $t2,16($bp)
767 ld $t3,24($bp)
768 subfc $acc0,$acc0,$t0 # ret = b-a
769 subfe $acc1,$acc1,$t1
770 subfe $acc2,$acc2,$t2
771 subfe $acc3,$acc3,$t3
772 subfe $t0,$t0,$t0 # t0 = borrow ? -1 : 0
773
774 # if b-a borrowed, add modulus
775
776 addc $acc0,$acc0,$t0 # ret -= modulus & t0
777 and $t1,$poly1,$t0
778 and $t3,$poly3,$t0
779 adde $acc1,$acc1,$t1
780 addze $acc2,$acc2
781 adde $acc3,$acc3,$t3
782
783 std $acc0,0($rp)
784 std $acc1,8($rp)
785 std $acc2,16($rp)
786 std $acc3,24($rp)
787
788 blr
789 .long 0
790 .byte 0,12,0x14,0,0,0,3,0
791 .long 0
792 .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf
793
794 .type __ecp_nistz256_div_by_2,\@function
795 .align 4
796 __ecp_nistz256_div_by_2:
797 andi. $t0,$acc0,1
798 addic $acc0,$acc0,-1 # a += modulus
799 neg $t0,$t0
800 adde $acc1,$acc1,$poly1
801 not $t0,$t0
802 addze $acc2,$acc2
803 li $t2,0
804 adde $acc3,$acc3,$poly3
805 and $t1,$poly1,$t0
806 addze $ap,$t2 # ap = carry
807 and $t3,$poly3,$t0
808
809 subfc $acc0,$t0,$acc0 # a -= modulus if a was even
810 subfe $acc1,$t1,$acc1
811 subfe $acc2,$t2,$acc2
812 subfe $acc3,$t3,$acc3
813 subfe $ap, $t2,$ap
814
815 srdi $acc0,$acc0,1
816 sldi $t0,$acc1,63
817 srdi $acc1,$acc1,1
818 sldi $t1,$acc2,63
819 srdi $acc2,$acc2,1
820 sldi $t2,$acc3,63
821 srdi $acc3,$acc3,1
822 sldi $t3,$ap,63
823 or $acc0,$acc0,$t0
824 or $acc1,$acc1,$t1
825 or $acc2,$acc2,$t2
826 or $acc3,$acc3,$t3
827
828 std $acc0,0($rp)
829 std $acc1,8($rp)
830 std $acc2,16($rp)
831 std $acc3,24($rp)
832
833 blr
834 .long 0
835 .byte 0,12,0x14,0,0,0,1,0
836 .long 0
837 .size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2
838 ___
839 ########################################################################
840 # following subroutines are "literal" implementation of those found in
841 # ecp_nistz256.c
842 #
843 ########################################################################
844 # void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp);
845 #
846 if (1) {
847 my $FRAME=64+32*4+12*8;
848 my ($S,$M,$Zsqr,$tmp0)=map(64+32*$_,(0..3));
849 # above map() describes stack layout with 4 temporary
850 # 256-bit vectors on top.
851 my ($rp_real,$ap_real) = map("r$_",(20,21));
852
853 $code.=<<___;
854 .globl ecp_nistz256_point_double
855 .align 5
856 ecp_nistz256_point_double:
857 stdu $sp,-$FRAME($sp)
858 mflr r0
859 std r20,$FRAME-8*12($sp)
860 std r21,$FRAME-8*11($sp)
861 std r22,$FRAME-8*10($sp)
862 std r23,$FRAME-8*9($sp)
863 std r24,$FRAME-8*8($sp)
864 std r25,$FRAME-8*7($sp)
865 std r26,$FRAME-8*6($sp)
866 std r27,$FRAME-8*5($sp)
867 std r28,$FRAME-8*4($sp)
868 std r29,$FRAME-8*3($sp)
869 std r30,$FRAME-8*2($sp)
870 std r31,$FRAME-8*1($sp)
871
872 li $poly1,-1
873 srdi $poly1,$poly1,32 # 0x00000000ffffffff
874 li $poly3,1
875 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
876 .Ldouble_shortcut:
877 ld $acc0,32($ap)
878 ld $acc1,40($ap)
879 ld $acc2,48($ap)
880 ld $acc3,56($ap)
881 mr $t0,$acc0
882 mr $t1,$acc1
883 mr $t2,$acc2
884 mr $t3,$acc3
885 ld $a0,64($ap) # forward load for p256_sqr_mont
886 ld $a1,72($ap)
887 ld $a2,80($ap)
888 ld $a3,88($ap)
889 mr $rp_real,$rp
890 mr $ap_real,$ap
891 addi $rp,$sp,$S
892 bl __ecp_nistz256_add # p256_mul_by_2(S, in_y);
893
894 addi $rp,$sp,$Zsqr
895 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Zsqr, in_z);
896
897 ld $t0,0($ap_real)
898 ld $t1,8($ap_real)
899 ld $t2,16($ap_real)
900 ld $t3,24($ap_real)
901 mr $a0,$acc0 # put Zsqr aside for p256_sub
902 mr $a1,$acc1
903 mr $a2,$acc2
904 mr $a3,$acc3
905 addi $rp,$sp,$M
906 bl __ecp_nistz256_add # p256_add(M, Zsqr, in_x);
907
908 addi $bp,$ap_real,0
909 mr $acc0,$a0 # restore Zsqr
910 mr $acc1,$a1
911 mr $acc2,$a2
912 mr $acc3,$a3
913 ld $a0,$S+0($sp) # forward load for p256_sqr_mont
914 ld $a1,$S+8($sp)
915 ld $a2,$S+16($sp)
916 ld $a3,$S+24($sp)
917 addi $rp,$sp,$Zsqr
918 bl __ecp_nistz256_sub_morf # p256_sub(Zsqr, in_x, Zsqr);
919
920 addi $rp,$sp,$S
921 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(S, S);
922
923 ld $bi,32($ap_real)
924 ld $a0,64($ap_real)
925 ld $a1,72($ap_real)
926 ld $a2,80($ap_real)
927 ld $a3,88($ap_real)
928 addi $bp,$ap_real,32
929 addi $rp,$sp,$tmp0
930 bl __ecp_nistz256_mul_mont # p256_mul_mont(tmp0, in_z, in_y);
931
932 mr $t0,$acc0
933 mr $t1,$acc1
934 mr $t2,$acc2
935 mr $t3,$acc3
936 ld $a0,$S+0($sp) # forward load for p256_sqr_mont
937 ld $a1,$S+8($sp)
938 ld $a2,$S+16($sp)
939 ld $a3,$S+24($sp)
940 addi $rp,$rp_real,64
941 bl __ecp_nistz256_add # p256_mul_by_2(res_z, tmp0);
942
943 addi $rp,$sp,$tmp0
944 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(tmp0, S);
945
946 ld $bi,$Zsqr($sp) # forward load for p256_mul_mont
947 ld $a0,$M+0($sp)
948 ld $a1,$M+8($sp)
949 ld $a2,$M+16($sp)
950 ld $a3,$M+24($sp)
951 addi $rp,$rp_real,32
952 bl __ecp_nistz256_div_by_2 # p256_div_by_2(res_y, tmp0);
953
954 addi $bp,$sp,$Zsqr
955 addi $rp,$sp,$M
956 bl __ecp_nistz256_mul_mont # p256_mul_mont(M, M, Zsqr);
957
958 mr $t0,$acc0 # duplicate M
959 mr $t1,$acc1
960 mr $t2,$acc2
961 mr $t3,$acc3
962 mr $a0,$acc0 # put M aside
963 mr $a1,$acc1
964 mr $a2,$acc2
965 mr $a3,$acc3
966 addi $rp,$sp,$M
967 bl __ecp_nistz256_add
968 mr $t0,$a0 # restore M
969 mr $t1,$a1
970 mr $t2,$a2
971 mr $t3,$a3
972 ld $bi,0($ap_real) # forward load for p256_mul_mont
973 ld $a0,$S+0($sp)
974 ld $a1,$S+8($sp)
975 ld $a2,$S+16($sp)
976 ld $a3,$S+24($sp)
977 bl __ecp_nistz256_add # p256_mul_by_3(M, M);
978
979 addi $bp,$ap_real,0
980 addi $rp,$sp,$S
981 bl __ecp_nistz256_mul_mont # p256_mul_mont(S, S, in_x);
982
983 mr $t0,$acc0
984 mr $t1,$acc1
985 mr $t2,$acc2
986 mr $t3,$acc3
987 ld $a0,$M+0($sp) # forward load for p256_sqr_mont
988 ld $a1,$M+8($sp)
989 ld $a2,$M+16($sp)
990 ld $a3,$M+24($sp)
991 addi $rp,$sp,$tmp0
992 bl __ecp_nistz256_add # p256_mul_by_2(tmp0, S);
993
994 addi $rp,$rp_real,0
995 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(res_x, M);
996
997 addi $bp,$sp,$tmp0
998 bl __ecp_nistz256_sub_from # p256_sub(res_x, res_x, tmp0);
999
1000 addi $bp,$sp,$S
1001 addi $rp,$sp,$S
1002 bl __ecp_nistz256_sub_morf # p256_sub(S, S, res_x);
1003
1004 ld $bi,$M($sp)
1005 mr $a0,$acc0 # copy S
1006 mr $a1,$acc1
1007 mr $a2,$acc2
1008 mr $a3,$acc3
1009 addi $bp,$sp,$M
1010 bl __ecp_nistz256_mul_mont # p256_mul_mont(S, S, M);
1011
1012 addi $bp,$rp_real,32
1013 addi $rp,$rp_real,32
1014 bl __ecp_nistz256_sub_from # p256_sub(res_y, S, res_y);
1015
1016 mtlr r0
1017 ld r20,$FRAME-8*12($sp)
1018 ld r21,$FRAME-8*11($sp)
1019 ld r22,$FRAME-8*10($sp)
1020 ld r23,$FRAME-8*9($sp)
1021 ld r24,$FRAME-8*8($sp)
1022 ld r25,$FRAME-8*7($sp)
1023 ld r26,$FRAME-8*6($sp)
1024 ld r27,$FRAME-8*5($sp)
1025 ld r28,$FRAME-8*4($sp)
1026 ld r29,$FRAME-8*3($sp)
1027 ld r30,$FRAME-8*2($sp)
1028 ld r31,$FRAME-8*1($sp)
1029 addi $sp,$sp,$FRAME
1030 blr
1031 .long 0
1032 .byte 0,12,4,0,0x80,12,2,0
1033 .long 0
1034 .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
1035 ___
1036 }
1037
1038 ########################################################################
1039 # void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1,
1040 # const P256_POINT *in2);
1041 if (1) {
1042 my $FRAME = 64 + 32*12 + 16*8;
1043 my ($res_x,$res_y,$res_z,
1044 $H,$Hsqr,$R,$Rsqr,$Hcub,
1045 $U1,$U2,$S1,$S2)=map(64+32*$_,(0..11));
1046 my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
1047 # above map() describes stack layout with 12 temporary
1048 # 256-bit vectors on top.
1049 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("r$_",(16..21));
1050
1051 $code.=<<___;
1052 .globl ecp_nistz256_point_add
1053 .align 5
1054 ecp_nistz256_point_add:
1055 stdu $sp,-$FRAME($sp)
1056 mflr r0
1057 std r16,$FRAME-8*16($sp)
1058 std r17,$FRAME-8*15($sp)
1059 std r18,$FRAME-8*14($sp)
1060 std r19,$FRAME-8*13($sp)
1061 std r20,$FRAME-8*12($sp)
1062 std r21,$FRAME-8*11($sp)
1063 std r22,$FRAME-8*10($sp)
1064 std r23,$FRAME-8*9($sp)
1065 std r24,$FRAME-8*8($sp)
1066 std r25,$FRAME-8*7($sp)
1067 std r26,$FRAME-8*6($sp)
1068 std r27,$FRAME-8*5($sp)
1069 std r28,$FRAME-8*4($sp)
1070 std r29,$FRAME-8*3($sp)
1071 std r30,$FRAME-8*2($sp)
1072 std r31,$FRAME-8*1($sp)
1073
1074 li $poly1,-1
1075 srdi $poly1,$poly1,32 # 0x00000000ffffffff
1076 li $poly3,1
1077 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
1078
1079 ld $a0,64($bp) # in2_z
1080 ld $a1,72($bp)
1081 ld $a2,80($bp)
1082 ld $a3,88($bp)
1083 mr $rp_real,$rp
1084 mr $ap_real,$ap
1085 mr $bp_real,$bp
1086 or $t0,$a0,$a1
1087 or $t2,$a2,$a3
1088 or $in2infty,$t0,$t2
1089 neg $t0,$in2infty
1090 or $in2infty,$in2infty,$t0
1091 sradi $in2infty,$in2infty,63 # !in2infty
1092 addi $rp,$sp,$Z2sqr
1093 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Z2sqr, in2_z);
1094
1095 ld $a0,64($ap_real) # in1_z
1096 ld $a1,72($ap_real)
1097 ld $a2,80($ap_real)
1098 ld $a3,88($ap_real)
1099 or $t0,$a0,$a1
1100 or $t2,$a2,$a3
1101 or $in1infty,$t0,$t2
1102 neg $t0,$in1infty
1103 or $in1infty,$in1infty,$t0
1104 sradi $in1infty,$in1infty,63 # !in1infty
1105 addi $rp,$sp,$Z1sqr
1106 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Z1sqr, in1_z);
1107
1108 ld $bi,64($bp_real)
1109 ld $a0,$Z2sqr+0($sp)
1110 ld $a1,$Z2sqr+8($sp)
1111 ld $a2,$Z2sqr+16($sp)
1112 ld $a3,$Z2sqr+24($sp)
1113 addi $bp,$bp_real,64
1114 addi $rp,$sp,$S1
1115 bl __ecp_nistz256_mul_mont # p256_mul_mont(S1, Z2sqr, in2_z);
1116
1117 ld $bi,64($ap_real)
1118 ld $a0,$Z1sqr+0($sp)
1119 ld $a1,$Z1sqr+8($sp)
1120 ld $a2,$Z1sqr+16($sp)
1121 ld $a3,$Z1sqr+24($sp)
1122 addi $bp,$ap_real,64
1123 addi $rp,$sp,$S2
1124 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, Z1sqr, in1_z);
1125
1126 ld $bi,32($ap_real)
1127 ld $a0,$S1+0($sp)
1128 ld $a1,$S1+8($sp)
1129 ld $a2,$S1+16($sp)
1130 ld $a3,$S1+24($sp)
1131 addi $bp,$ap_real,32
1132 addi $rp,$sp,$S1
1133 bl __ecp_nistz256_mul_mont # p256_mul_mont(S1, S1, in1_y);
1134
1135 ld $bi,32($bp_real)
1136 ld $a0,$S2+0($sp)
1137 ld $a1,$S2+8($sp)
1138 ld $a2,$S2+16($sp)
1139 ld $a3,$S2+24($sp)
1140 addi $bp,$bp_real,32
1141 addi $rp,$sp,$S2
1142 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, S2, in2_y);
1143
1144 addi $bp,$sp,$S1
1145 ld $bi,$Z2sqr($sp) # forward load for p256_mul_mont
1146 ld $a0,0($ap_real)
1147 ld $a1,8($ap_real)
1148 ld $a2,16($ap_real)
1149 ld $a3,24($ap_real)
1150 addi $rp,$sp,$R
1151 bl __ecp_nistz256_sub_from # p256_sub(R, S2, S1);
1152
1153 or $acc0,$acc0,$acc1 # see if result is zero
1154 or $acc2,$acc2,$acc3
1155 or $temp,$acc0,$acc2
1156
1157 addi $bp,$sp,$Z2sqr
1158 addi $rp,$sp,$U1
1159 bl __ecp_nistz256_mul_mont # p256_mul_mont(U1, in1_x, Z2sqr);
1160
1161 ld $bi,$Z1sqr($sp)
1162 ld $a0,0($bp_real)
1163 ld $a1,8($bp_real)
1164 ld $a2,16($bp_real)
1165 ld $a3,24($bp_real)
1166 addi $bp,$sp,$Z1sqr
1167 addi $rp,$sp,$U2
1168 bl __ecp_nistz256_mul_mont # p256_mul_mont(U2, in2_x, Z1sqr);
1169
1170 addi $bp,$sp,$U1
1171 ld $a0,$R+0($sp) # forward load for p256_sqr_mont
1172 ld $a1,$R+8($sp)
1173 ld $a2,$R+16($sp)
1174 ld $a3,$R+24($sp)
1175 addi $rp,$sp,$H
1176 bl __ecp_nistz256_sub_from # p256_sub(H, U2, U1);
1177
1178 or $acc0,$acc0,$acc1 # see if result is zero
1179 or $acc2,$acc2,$acc3
1180 or. $acc0,$acc0,$acc2
1181 bne .Ladd_proceed # is_equal(U1,U2)?
1182
1183 and. $t0,$in1infty,$in2infty
1184 beq .Ladd_proceed # (in1infty || in2infty)?
1185
1186 cmpldi $temp,0
1187 beq .Ladd_double # is_equal(S1,S2)?
1188
1189 xor $a0,$a0,$a0
1190 std $a0,0($rp_real)
1191 std $a0,8($rp_real)
1192 std $a0,16($rp_real)
1193 std $a0,24($rp_real)
1194 std $a0,32($rp_real)
1195 std $a0,40($rp_real)
1196 std $a0,48($rp_real)
1197 std $a0,56($rp_real)
1198 std $a0,64($rp_real)
1199 std $a0,72($rp_real)
1200 std $a0,80($rp_real)
1201 std $a0,88($rp_real)
1202 b .Ladd_done
1203
1204 .align 4
1205 .Ladd_double:
1206 ld $bp,0($sp) # back-link
1207 mr $ap,$ap_real
1208 mr $rp,$rp_real
1209 ld r16,$FRAME-8*16($sp)
1210 ld r17,$FRAME-8*15($sp)
1211 ld r18,$FRAME-8*14($sp)
1212 ld r19,$FRAME-8*13($sp)
1213 stdu $bp,$FRAME-288($sp) # difference in stack frame sizes
1214 b .Ldouble_shortcut
1215
1216 .align 4
1217 .Ladd_proceed:
1218 addi $rp,$sp,$Rsqr
1219 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Rsqr, R);
1220
1221 ld $bi,64($ap_real)
1222 ld $a0,$H+0($sp)
1223 ld $a1,$H+8($sp)
1224 ld $a2,$H+16($sp)
1225 ld $a3,$H+24($sp)
1226 addi $bp,$ap_real,64
1227 addi $rp,$sp,$res_z
1228 bl __ecp_nistz256_mul_mont # p256_mul_mont(res_z, H, in1_z);
1229
1230 ld $a0,$H+0($sp)
1231 ld $a1,$H+8($sp)
1232 ld $a2,$H+16($sp)
1233 ld $a3,$H+24($sp)
1234 addi $rp,$sp,$Hsqr
1235 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Hsqr, H);
1236
1237 ld $bi,64($bp_real)
1238 ld $a0,$res_z+0($sp)
1239 ld $a1,$res_z+8($sp)
1240 ld $a2,$res_z+16($sp)
1241 ld $a3,$res_z+24($sp)
1242 addi $bp,$bp_real,64
1243 addi $rp,$sp,$res_z
1244 bl __ecp_nistz256_mul_mont # p256_mul_mont(res_z, res_z, in2_z);
1245
1246 ld $bi,$H($sp)
1247 ld $a0,$Hsqr+0($sp)
1248 ld $a1,$Hsqr+8($sp)
1249 ld $a2,$Hsqr+16($sp)
1250 ld $a3,$Hsqr+24($sp)
1251 addi $bp,$sp,$H
1252 addi $rp,$sp,$Hcub
1253 bl __ecp_nistz256_mul_mont # p256_mul_mont(Hcub, Hsqr, H);
1254
1255 ld $bi,$Hsqr($sp)
1256 ld $a0,$U1+0($sp)
1257 ld $a1,$U1+8($sp)
1258 ld $a2,$U1+16($sp)
1259 ld $a3,$U1+24($sp)
1260 addi $bp,$sp,$Hsqr
1261 addi $rp,$sp,$U2
1262 bl __ecp_nistz256_mul_mont # p256_mul_mont(U2, U1, Hsqr);
1263
1264 mr $t0,$acc0
1265 mr $t1,$acc1
1266 mr $t2,$acc2
1267 mr $t3,$acc3
1268 addi $rp,$sp,$Hsqr
1269 bl __ecp_nistz256_add # p256_mul_by_2(Hsqr, U2);
1270
1271 addi $bp,$sp,$Rsqr
1272 addi $rp,$sp,$res_x
1273 bl __ecp_nistz256_sub_morf # p256_sub(res_x, Rsqr, Hsqr);
1274
1275 addi $bp,$sp,$Hcub
1276 bl __ecp_nistz256_sub_from # p256_sub(res_x, res_x, Hcub);
1277
1278 addi $bp,$sp,$U2
1279 ld $bi,$Hcub($sp) # forward load for p256_mul_mont
1280 ld $a0,$S1+0($sp)
1281 ld $a1,$S1+8($sp)
1282 ld $a2,$S1+16($sp)
1283 ld $a3,$S1+24($sp)
1284 addi $rp,$sp,$res_y
1285 bl __ecp_nistz256_sub_morf # p256_sub(res_y, U2, res_x);
1286
1287 addi $bp,$sp,$Hcub
1288 addi $rp,$sp,$S2
1289 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, S1, Hcub);
1290
1291 ld $bi,$R($sp)
1292 ld $a0,$res_y+0($sp)
1293 ld $a1,$res_y+8($sp)
1294 ld $a2,$res_y+16($sp)
1295 ld $a3,$res_y+24($sp)
1296 addi $bp,$sp,$R
1297 addi $rp,$sp,$res_y
1298 bl __ecp_nistz256_mul_mont # p256_mul_mont(res_y, res_y, R);
1299
1300 addi $bp,$sp,$S2
1301 bl __ecp_nistz256_sub_from # p256_sub(res_y, res_y, S2);
1302
1303 ld $t0,0($bp_real) # in2
1304 ld $t1,8($bp_real)
1305 ld $t2,16($bp_real)
1306 ld $t3,24($bp_real)
1307 ld $a0,$res_x+0($sp) # res
1308 ld $a1,$res_x+8($sp)
1309 ld $a2,$res_x+16($sp)
1310 ld $a3,$res_x+24($sp)
1311 ___
1312 for($i=0;$i<64;$i+=32) { # conditional moves
1313 $code.=<<___;
1314 ld $acc0,$i+0($ap_real) # in1
1315 ld $acc1,$i+8($ap_real)
1316 ld $acc2,$i+16($ap_real)
1317 ld $acc3,$i+24($ap_real)
1318 andc $t0,$t0,$in1infty
1319 andc $t1,$t1,$in1infty
1320 andc $t2,$t2,$in1infty
1321 andc $t3,$t3,$in1infty
1322 and $a0,$a0,$in1infty
1323 and $a1,$a1,$in1infty
1324 and $a2,$a2,$in1infty
1325 and $a3,$a3,$in1infty
1326 or $t0,$t0,$a0
1327 or $t1,$t1,$a1
1328 or $t2,$t2,$a2
1329 or $t3,$t3,$a3
1330 andc $acc0,$acc0,$in2infty
1331 andc $acc1,$acc1,$in2infty
1332 andc $acc2,$acc2,$in2infty
1333 andc $acc3,$acc3,$in2infty
1334 and $t0,$t0,$in2infty
1335 and $t1,$t1,$in2infty
1336 and $t2,$t2,$in2infty
1337 and $t3,$t3,$in2infty
1338 or $acc0,$acc0,$t0
1339 or $acc1,$acc1,$t1
1340 or $acc2,$acc2,$t2
1341 or $acc3,$acc3,$t3
1342
1343 ld $t0,$i+32($bp_real) # in2
1344 ld $t1,$i+40($bp_real)
1345 ld $t2,$i+48($bp_real)
1346 ld $t3,$i+56($bp_real)
1347 ld $a0,$res_x+$i+32($sp)
1348 ld $a1,$res_x+$i+40($sp)
1349 ld $a2,$res_x+$i+48($sp)
1350 ld $a3,$res_x+$i+56($sp)
1351 std $acc0,$i+0($rp_real)
1352 std $acc1,$i+8($rp_real)
1353 std $acc2,$i+16($rp_real)
1354 std $acc3,$i+24($rp_real)
1355 ___
1356 }
1357 $code.=<<___;
1358 ld $acc0,$i+0($ap_real) # in1
1359 ld $acc1,$i+8($ap_real)
1360 ld $acc2,$i+16($ap_real)
1361 ld $acc3,$i+24($ap_real)
1362 andc $t0,$t0,$in1infty
1363 andc $t1,$t1,$in1infty
1364 andc $t2,$t2,$in1infty
1365 andc $t3,$t3,$in1infty
1366 and $a0,$a0,$in1infty
1367 and $a1,$a1,$in1infty
1368 and $a2,$a2,$in1infty
1369 and $a3,$a3,$in1infty
1370 or $t0,$t0,$a0
1371 or $t1,$t1,$a1
1372 or $t2,$t2,$a2
1373 or $t3,$t3,$a3
1374 andc $acc0,$acc0,$in2infty
1375 andc $acc1,$acc1,$in2infty
1376 andc $acc2,$acc2,$in2infty
1377 andc $acc3,$acc3,$in2infty
1378 and $t0,$t0,$in2infty
1379 and $t1,$t1,$in2infty
1380 and $t2,$t2,$in2infty
1381 and $t3,$t3,$in2infty
1382 or $acc0,$acc0,$t0
1383 or $acc1,$acc1,$t1
1384 or $acc2,$acc2,$t2
1385 or $acc3,$acc3,$t3
1386 std $acc0,$i+0($rp_real)
1387 std $acc1,$i+8($rp_real)
1388 std $acc2,$i+16($rp_real)
1389 std $acc3,$i+24($rp_real)
1390
1391 .Ladd_done:
1392 mtlr r0
1393 ld r16,$FRAME-8*16($sp)
1394 ld r17,$FRAME-8*15($sp)
1395 ld r18,$FRAME-8*14($sp)
1396 ld r19,$FRAME-8*13($sp)
1397 ld r20,$FRAME-8*12($sp)
1398 ld r21,$FRAME-8*11($sp)
1399 ld r22,$FRAME-8*10($sp)
1400 ld r23,$FRAME-8*9($sp)
1401 ld r24,$FRAME-8*8($sp)
1402 ld r25,$FRAME-8*7($sp)
1403 ld r26,$FRAME-8*6($sp)
1404 ld r27,$FRAME-8*5($sp)
1405 ld r28,$FRAME-8*4($sp)
1406 ld r29,$FRAME-8*3($sp)
1407 ld r30,$FRAME-8*2($sp)
1408 ld r31,$FRAME-8*1($sp)
1409 addi $sp,$sp,$FRAME
1410 blr
1411 .long 0
1412 .byte 0,12,4,0,0x80,16,3,0
1413 .long 0
1414 .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
1415 ___
1416 }
1417
1418 ########################################################################
1419 # void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1,
1420 # const P256_POINT_AFFINE *in2);
1421 if (1) {
1422 my $FRAME = 64 + 32*10 + 16*8;
1423 my ($res_x,$res_y,$res_z,
1424 $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(64+32*$_,(0..9));
1425 my $Z1sqr = $S2;
1426 # above map() describes stack layout with 10 temporary
1427 # 256-bit vectors on top.
1428 my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("r$_",(16..21));
1429
1430 $code.=<<___;
1431 .globl ecp_nistz256_point_add_affine
1432 .align 5
1433 ecp_nistz256_point_add_affine:
1434 stdu $sp,-$FRAME($sp)
1435 mflr r0
1436 std r16,$FRAME-8*16($sp)
1437 std r17,$FRAME-8*15($sp)
1438 std r18,$FRAME-8*14($sp)
1439 std r19,$FRAME-8*13($sp)
1440 std r20,$FRAME-8*12($sp)
1441 std r21,$FRAME-8*11($sp)
1442 std r22,$FRAME-8*10($sp)
1443 std r23,$FRAME-8*9($sp)
1444 std r24,$FRAME-8*8($sp)
1445 std r25,$FRAME-8*7($sp)
1446 std r26,$FRAME-8*6($sp)
1447 std r27,$FRAME-8*5($sp)
1448 std r28,$FRAME-8*4($sp)
1449 std r29,$FRAME-8*3($sp)
1450 std r30,$FRAME-8*2($sp)
1451 std r31,$FRAME-8*1($sp)
1452
1453 li $poly1,-1
1454 srdi $poly1,$poly1,32 # 0x00000000ffffffff
1455 li $poly3,1
1456 orc $poly3,$poly3,$poly1 # 0xffffffff00000001
1457
1458 mr $rp_real,$rp
1459 mr $ap_real,$ap
1460 mr $bp_real,$bp
1461
1462 ld $a0,64($ap) # in1_z
1463 ld $a1,72($ap)
1464 ld $a2,80($ap)
1465 ld $a3,88($ap)
1466 or $t0,$a0,$a1
1467 or $t2,$a2,$a3
1468 or $in1infty,$t0,$t2
1469 neg $t0,$in1infty
1470 or $in1infty,$in1infty,$t0
1471 sradi $in1infty,$in1infty,63 # !in1infty
1472
1473 ld $acc0,0($bp) # in2_x
1474 ld $acc1,8($bp)
1475 ld $acc2,16($bp)
1476 ld $acc3,24($bp)
1477 ld $t0,32($bp) # in2_y
1478 ld $t1,40($bp)
1479 ld $t2,48($bp)
1480 ld $t3,56($bp)
1481 or $acc0,$acc0,$acc1
1482 or $acc2,$acc2,$acc3
1483 or $acc0,$acc0,$acc2
1484 or $t0,$t0,$t1
1485 or $t2,$t2,$t3
1486 or $t0,$t0,$t2
1487 or $in2infty,$acc0,$t0
1488 neg $t0,$in2infty
1489 or $in2infty,$in2infty,$t0
1490 sradi $in2infty,$in2infty,63 # !in2infty
1491
1492 addi $rp,$sp,$Z1sqr
1493 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Z1sqr, in1_z);
1494
1495 mr $a0,$acc0
1496 mr $a1,$acc1
1497 mr $a2,$acc2
1498 mr $a3,$acc3
1499 ld $bi,0($bp_real)
1500 addi $bp,$bp_real,0
1501 addi $rp,$sp,$U2
1502 bl __ecp_nistz256_mul_mont # p256_mul_mont(U2, Z1sqr, in2_x);
1503
1504 addi $bp,$ap_real,0
1505 ld $bi,64($ap_real) # forward load for p256_mul_mont
1506 ld $a0,$Z1sqr+0($sp)
1507 ld $a1,$Z1sqr+8($sp)
1508 ld $a2,$Z1sqr+16($sp)
1509 ld $a3,$Z1sqr+24($sp)
1510 addi $rp,$sp,$H
1511 bl __ecp_nistz256_sub_from # p256_sub(H, U2, in1_x);
1512
1513 addi $bp,$ap_real,64
1514 addi $rp,$sp,$S2
1515 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, Z1sqr, in1_z);
1516
1517 ld $bi,64($ap_real)
1518 ld $a0,$H+0($sp)
1519 ld $a1,$H+8($sp)
1520 ld $a2,$H+16($sp)
1521 ld $a3,$H+24($sp)
1522 addi $bp,$ap_real,64
1523 addi $rp,$sp,$res_z
1524 bl __ecp_nistz256_mul_mont # p256_mul_mont(res_z, H, in1_z);
1525
1526 ld $bi,32($bp_real)
1527 ld $a0,$S2+0($sp)
1528 ld $a1,$S2+8($sp)
1529 ld $a2,$S2+16($sp)
1530 ld $a3,$S2+24($sp)
1531 addi $bp,$bp_real,32
1532 addi $rp,$sp,$S2
1533 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, S2, in2_y);
1534
1535 addi $bp,$ap_real,32
1536 ld $a0,$H+0($sp) # forward load for p256_sqr_mont
1537 ld $a1,$H+8($sp)
1538 ld $a2,$H+16($sp)
1539 ld $a3,$H+24($sp)
1540 addi $rp,$sp,$R
1541 bl __ecp_nistz256_sub_from # p256_sub(R, S2, in1_y);
1542
1543 addi $rp,$sp,$Hsqr
1544 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Hsqr, H);
1545
1546 ld $a0,$R+0($sp)
1547 ld $a1,$R+8($sp)
1548 ld $a2,$R+16($sp)
1549 ld $a3,$R+24($sp)
1550 addi $rp,$sp,$Rsqr
1551 bl __ecp_nistz256_sqr_mont # p256_sqr_mont(Rsqr, R);
1552
1553 ld $bi,$H($sp)
1554 ld $a0,$Hsqr+0($sp)
1555 ld $a1,$Hsqr+8($sp)
1556 ld $a2,$Hsqr+16($sp)
1557 ld $a3,$Hsqr+24($sp)
1558 addi $bp,$sp,$H
1559 addi $rp,$sp,$Hcub
1560 bl __ecp_nistz256_mul_mont # p256_mul_mont(Hcub, Hsqr, H);
1561
1562 ld $bi,0($ap_real)
1563 ld $a0,$Hsqr+0($sp)
1564 ld $a1,$Hsqr+8($sp)
1565 ld $a2,$Hsqr+16($sp)
1566 ld $a3,$Hsqr+24($sp)
1567 addi $bp,$ap_real,0
1568 addi $rp,$sp,$U2
1569 bl __ecp_nistz256_mul_mont # p256_mul_mont(U2, in1_x, Hsqr);
1570
1571 mr $t0,$acc0
1572 mr $t1,$acc1
1573 mr $t2,$acc2
1574 mr $t3,$acc3
1575 addi $rp,$sp,$Hsqr
1576 bl __ecp_nistz256_add # p256_mul_by_2(Hsqr, U2);
1577
1578 addi $bp,$sp,$Rsqr
1579 addi $rp,$sp,$res_x
1580 bl __ecp_nistz256_sub_morf # p256_sub(res_x, Rsqr, Hsqr);
1581
1582 addi $bp,$sp,$Hcub
1583 bl __ecp_nistz256_sub_from # p256_sub(res_x, res_x, Hcub);
1584
1585 addi $bp,$sp,$U2
1586 ld $bi,32($ap_real) # forward load for p256_mul_mont
1587 ld $a0,$Hcub+0($sp)
1588 ld $a1,$Hcub+8($sp)
1589 ld $a2,$Hcub+16($sp)
1590 ld $a3,$Hcub+24($sp)
1591 addi $rp,$sp,$res_y
1592 bl __ecp_nistz256_sub_morf # p256_sub(res_y, U2, res_x);
1593
1594 addi $bp,$ap_real,32
1595 addi $rp,$sp,$S2
1596 bl __ecp_nistz256_mul_mont # p256_mul_mont(S2, in1_y, Hcub);
1597
1598 ld $bi,$R($sp)
1599 ld $a0,$res_y+0($sp)
1600 ld $a1,$res_y+8($sp)
1601 ld $a2,$res_y+16($sp)
1602 ld $a3,$res_y+24($sp)
1603 addi $bp,$sp,$R
1604 addi $rp,$sp,$res_y
1605 bl __ecp_nistz256_mul_mont # p256_mul_mont(res_y, res_y, R);
1606
1607 addi $bp,$sp,$S2
1608 bl __ecp_nistz256_sub_from # p256_sub(res_y, res_y, S2);
1609
1610 ld $t0,0($bp_real) # in2
1611 ld $t1,8($bp_real)
1612 ld $t2,16($bp_real)
1613 ld $t3,24($bp_real)
1614 ld $a0,$res_x+0($sp) # res
1615 ld $a1,$res_x+8($sp)
1616 ld $a2,$res_x+16($sp)
1617 ld $a3,$res_x+24($sp)
1618 ___
1619 for($i=0;$i<64;$i+=32) { # conditional moves
1620 $code.=<<___;
1621 ld $acc0,$i+0($ap_real) # in1
1622 ld $acc1,$i+8($ap_real)
1623 ld $acc2,$i+16($ap_real)
1624 ld $acc3,$i+24($ap_real)
1625 andc $t0,$t0,$in1infty
1626 andc $t1,$t1,$in1infty
1627 andc $t2,$t2,$in1infty
1628 andc $t3,$t3,$in1infty
1629 and $a0,$a0,$in1infty
1630 and $a1,$a1,$in1infty
1631 and $a2,$a2,$in1infty
1632 and $a3,$a3,$in1infty
1633 or $t0,$t0,$a0
1634 or $t1,$t1,$a1
1635 or $t2,$t2,$a2
1636 or $t3,$t3,$a3
1637 andc $acc0,$acc0,$in2infty
1638 andc $acc1,$acc1,$in2infty
1639 andc $acc2,$acc2,$in2infty
1640 andc $acc3,$acc3,$in2infty
1641 and $t0,$t0,$in2infty
1642 and $t1,$t1,$in2infty
1643 and $t2,$t2,$in2infty
1644 and $t3,$t3,$in2infty
1645 or $acc0,$acc0,$t0
1646 or $acc1,$acc1,$t1
1647 or $acc2,$acc2,$t2
1648 or $acc3,$acc3,$t3
1649 ___
1650 $code.=<<___ if ($i==0);
1651 ld $t0,32($bp_real) # in2
1652 ld $t1,40($bp_real)
1653 ld $t2,48($bp_real)
1654 ld $t3,56($bp_real)
1655 ___
1656 $code.=<<___ if ($i==32);
1657 li $t0,1 # Lone_mont
1658 not $t1,$poly1
1659 li $t2,-1
1660 not $t3,$poly3
1661 ___
1662 $code.=<<___;
1663 ld $a0,$res_x+$i+32($sp)
1664 ld $a1,$res_x+$i+40($sp)
1665 ld $a2,$res_x+$i+48($sp)
1666 ld $a3,$res_x+$i+56($sp)
1667 std $acc0,$i+0($rp_real)
1668 std $acc1,$i+8($rp_real)
1669 std $acc2,$i+16($rp_real)
1670 std $acc3,$i+24($rp_real)
1671 ___
1672 }
1673 $code.=<<___;
1674 ld $acc0,$i+0($ap_real) # in1
1675 ld $acc1,$i+8($ap_real)
1676 ld $acc2,$i+16($ap_real)
1677 ld $acc3,$i+24($ap_real)
1678 andc $t0,$t0,$in1infty
1679 andc $t1,$t1,$in1infty
1680 andc $t2,$t2,$in1infty
1681 andc $t3,$t3,$in1infty
1682 and $a0,$a0,$in1infty
1683 and $a1,$a1,$in1infty
1684 and $a2,$a2,$in1infty
1685 and $a3,$a3,$in1infty
1686 or $t0,$t0,$a0
1687 or $t1,$t1,$a1
1688 or $t2,$t2,$a2
1689 or $t3,$t3,$a3
1690 andc $acc0,$acc0,$in2infty
1691 andc $acc1,$acc1,$in2infty
1692 andc $acc2,$acc2,$in2infty
1693 andc $acc3,$acc3,$in2infty
1694 and $t0,$t0,$in2infty
1695 and $t1,$t1,$in2infty
1696 and $t2,$t2,$in2infty
1697 and $t3,$t3,$in2infty
1698 or $acc0,$acc0,$t0
1699 or $acc1,$acc1,$t1
1700 or $acc2,$acc2,$t2
1701 or $acc3,$acc3,$t3
1702 std $acc0,$i+0($rp_real)
1703 std $acc1,$i+8($rp_real)
1704 std $acc2,$i+16($rp_real)
1705 std $acc3,$i+24($rp_real)
1706
1707 mtlr r0
1708 ld r16,$FRAME-8*16($sp)
1709 ld r17,$FRAME-8*15($sp)
1710 ld r18,$FRAME-8*14($sp)
1711 ld r19,$FRAME-8*13($sp)
1712 ld r20,$FRAME-8*12($sp)
1713 ld r21,$FRAME-8*11($sp)
1714 ld r22,$FRAME-8*10($sp)
1715 ld r23,$FRAME-8*9($sp)
1716 ld r24,$FRAME-8*8($sp)
1717 ld r25,$FRAME-8*7($sp)
1718 ld r26,$FRAME-8*6($sp)
1719 ld r27,$FRAME-8*5($sp)
1720 ld r28,$FRAME-8*4($sp)
1721 ld r29,$FRAME-8*3($sp)
1722 ld r30,$FRAME-8*2($sp)
1723 ld r31,$FRAME-8*1($sp)
1724 addi $sp,$sp,$FRAME
1725 blr
1726 .long 0
1727 .byte 0,12,4,0,0x80,16,3,0
1728 .long 0
1729 .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
1730 ___
1731 }
1732 if (1) {
1733 my ($ordk,$ord0,$ord1,$t4) = map("r$_",(18..21));
1734 my ($ord2,$ord3,$zr) = ($poly1,$poly3,"r0");
1735
1736 $code.=<<___;
1737 ########################################################################
1738 # void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],
1739 # uint64_t b[4]);
1740 .globl ecp_nistz256_ord_mul_mont
1741 .align 5
1742 ecp_nistz256_ord_mul_mont:
1743 stdu $sp,-160($sp)
1744 std r18,48($sp)
1745 std r19,56($sp)
1746 std r20,64($sp)
1747 std r21,72($sp)
1748 std r22,80($sp)
1749 std r23,88($sp)
1750 std r24,96($sp)
1751 std r25,104($sp)
1752 std r26,112($sp)
1753 std r27,120($sp)
1754 std r28,128($sp)
1755 std r29,136($sp)
1756 std r30,144($sp)
1757 std r31,152($sp)
1758
1759 ld $a0,0($ap)
1760 ld $bi,0($bp)
1761 ld $a1,8($ap)
1762 ld $a2,16($ap)
1763 ld $a3,24($ap)
1764
1765 lis $ordk,0xccd1
1766 lis $ord0,0xf3b9
1767 lis $ord1,0xbce6
1768 ori $ordk,$ordk,0xc8aa
1769 ori $ord0,$ord0,0xcac2
1770 ori $ord1,$ord1,0xfaad
1771 sldi $ordk,$ordk,32
1772 sldi $ord0,$ord0,32
1773 sldi $ord1,$ord1,32
1774 oris $ordk,$ordk,0xee00
1775 oris $ord0,$ord0,0xfc63
1776 oris $ord1,$ord1,0xa717
1777 ori $ordk,$ordk,0xbc4f # 0xccd1c8aaee00bc4f
1778 ori $ord0,$ord0,0x2551 # 0xf3b9cac2fc632551
1779 ori $ord1,$ord1,0x9e84 # 0xbce6faada7179e84
1780 li $ord2,-1 # 0xffffffffffffffff
1781 sldi $ord3,$ord2,32 # 0xffffffff00000000
1782 li $zr,0
1783
1784 mulld $acc0,$a0,$bi # a[0]*b[0]
1785 mulhdu $t0,$a0,$bi
1786
1787 mulld $acc1,$a1,$bi # a[1]*b[0]
1788 mulhdu $t1,$a1,$bi
1789
1790 mulld $acc2,$a2,$bi # a[2]*b[0]
1791 mulhdu $t2,$a2,$bi
1792
1793 mulld $acc3,$a3,$bi # a[3]*b[0]
1794 mulhdu $acc4,$a3,$bi
1795
1796 mulld $t4,$acc0,$ordk
1797
1798 addc $acc1,$acc1,$t0 # accumulate high parts of multiplication
1799 adde $acc2,$acc2,$t1
1800 adde $acc3,$acc3,$t2
1801 addze $acc4,$acc4
1802 li $acc5,0
1803 ___
1804 for ($i=1;$i<4;$i++) {
1805 ################################################################
1806 # ffff0000.ffffffff.yyyyyyyy.zzzzzzzz
1807 # * abcdefgh
1808 # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1809 #
1810 # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we
1811 # rewrite above as:
1812 #
1813 # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
1814 # - 0000abcd.efgh0000.abcdefgh.00000000.00000000
1815 # + abcdefgh.abcdefgh.yzayzbyz.cyzdyzey.zfyzgyzh
1816 $code.=<<___;
1817 ld $bi,8*$i($bp) # b[i]
1818
1819 sldi $t0,$t4,32
1820 subfc $acc2,$t4,$acc2
1821 srdi $t1,$t4,32
1822 subfe $acc3,$t0,$acc3
1823 subfe $acc4,$t1,$acc4
1824 subfe $acc5,$zr,$acc5
1825
1826 addic $t0,$acc0,-1 # discarded
1827 mulhdu $t1,$ord0,$t4
1828 mulld $t2,$ord1,$t4
1829 mulhdu $t3,$ord1,$t4
1830
1831 adde $t2,$t2,$t1
1832 mulld $t0,$a0,$bi
1833 addze $t3,$t3
1834 mulld $t1,$a1,$bi
1835
1836 addc $acc0,$acc1,$t2
1837 mulld $t2,$a2,$bi
1838 adde $acc1,$acc2,$t3
1839 mulld $t3,$a3,$bi
1840 adde $acc2,$acc3,$t4
1841 adde $acc3,$acc4,$t4
1842 addze $acc4,$acc5
1843
1844 addc $acc0,$acc0,$t0 # accumulate low parts
1845 mulhdu $t0,$a0,$bi
1846 adde $acc1,$acc1,$t1
1847 mulhdu $t1,$a1,$bi
1848 adde $acc2,$acc2,$t2
1849 mulhdu $t2,$a2,$bi
1850 adde $acc3,$acc3,$t3
1851 mulhdu $t3,$a3,$bi
1852 addze $acc4,$acc4
1853 mulld $t4,$acc0,$ordk
1854 addc $acc1,$acc1,$t0 # accumulate high parts
1855 adde $acc2,$acc2,$t1
1856 adde $acc3,$acc3,$t2
1857 adde $acc4,$acc4,$t3
1858 addze $acc5,$zr
1859 ___
1860 }
1861 $code.=<<___;
1862 sldi $t0,$t4,32 # last reduction
1863 subfc $acc2,$t4,$acc2
1864 srdi $t1,$t4,32
1865 subfe $acc3,$t0,$acc3
1866 subfe $acc4,$t1,$acc4
1867 subfe $acc5,$zr,$acc5
1868
1869 addic $t0,$acc0,-1 # discarded
1870 mulhdu $t1,$ord0,$t4
1871 mulld $t2,$ord1,$t4
1872 mulhdu $t3,$ord1,$t4
1873
1874 adde $t2,$t2,$t1
1875 addze $t3,$t3
1876
1877 addc $acc0,$acc1,$t2
1878 adde $acc1,$acc2,$t3
1879 adde $acc2,$acc3,$t4
1880 adde $acc3,$acc4,$t4
1881 addze $acc4,$acc5
1882
1883 subfc $acc0,$ord0,$acc0 # ret -= modulus
1884 subfe $acc1,$ord1,$acc1
1885 subfe $acc2,$ord2,$acc2
1886 subfe $acc3,$ord3,$acc3
1887 subfe $acc4,$zr,$acc4
1888
1889 and $t0,$ord0,$acc4
1890 and $t1,$ord1,$acc4
1891 addc $acc0,$acc0,$t0 # ret += modulus if borrow
1892 and $t3,$ord3,$acc4
1893 adde $acc1,$acc1,$t1
1894 adde $acc2,$acc2,$acc4
1895 adde $acc3,$acc3,$t3
1896
1897 std $acc0,0($rp)
1898 std $acc1,8($rp)
1899 std $acc2,16($rp)
1900 std $acc3,24($rp)
1901
1902 ld r18,48($sp)
1903 ld r19,56($sp)
1904 ld r20,64($sp)
1905 ld r21,72($sp)
1906 ld r22,80($sp)
1907 ld r23,88($sp)
1908 ld r24,96($sp)
1909 ld r25,104($sp)
1910 ld r26,112($sp)
1911 ld r27,120($sp)
1912 ld r28,128($sp)
1913 ld r29,136($sp)
1914 ld r30,144($sp)
1915 ld r31,152($sp)
1916 addi $sp,$sp,160
1917 blr
1918 .long 0
1919 .byte 0,12,4,0,0x80,14,3,0
1920 .long 0
1921 .size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont
1922
1923 ################################################################################
1924 # void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],
1925 # uint64_t rep);
1926 .globl ecp_nistz256_ord_sqr_mont
1927 .align 5
1928 ecp_nistz256_ord_sqr_mont:
1929 stdu $sp,-160($sp)
1930 std r18,48($sp)
1931 std r19,56($sp)
1932 std r20,64($sp)
1933 std r21,72($sp)
1934 std r22,80($sp)
1935 std r23,88($sp)
1936 std r24,96($sp)
1937 std r25,104($sp)
1938 std r26,112($sp)
1939 std r27,120($sp)
1940 std r28,128($sp)
1941 std r29,136($sp)
1942 std r30,144($sp)
1943 std r31,152($sp)
1944
1945 mtctr $bp
1946
1947 ld $a0,0($ap)
1948 ld $a1,8($ap)
1949 ld $a2,16($ap)
1950 ld $a3,24($ap)
1951
1952 lis $ordk,0xccd1
1953 lis $ord0,0xf3b9
1954 lis $ord1,0xbce6
1955 ori $ordk,$ordk,0xc8aa
1956 ori $ord0,$ord0,0xcac2
1957 ori $ord1,$ord1,0xfaad
1958 sldi $ordk,$ordk,32
1959 sldi $ord0,$ord0,32
1960 sldi $ord1,$ord1,32
1961 oris $ordk,$ordk,0xee00
1962 oris $ord0,$ord0,0xfc63
1963 oris $ord1,$ord1,0xa717
1964 ori $ordk,$ordk,0xbc4f # 0xccd1c8aaee00bc4f
1965 ori $ord0,$ord0,0x2551 # 0xf3b9cac2fc632551
1966 ori $ord1,$ord1,0x9e84 # 0xbce6faada7179e84
1967 li $ord2,-1 # 0xffffffffffffffff
1968 sldi $ord3,$ord2,32 # 0xffffffff00000000
1969 li $zr,0
1970 b .Loop_ord_sqr
1971
1972 .align 5
1973 .Loop_ord_sqr:
1974 ################################################################
1975 # | | | | | |a1*a0| |
1976 # | | | | |a2*a0| | |
1977 # | |a3*a2|a3*a0| | | |
1978 # | | | |a2*a1| | | |
1979 # | | |a3*a1| | | | |
1980 # *| | | | | | | | 2|
1981 # +|a3*a3|a2*a2|a1*a1|a0*a0|
1982 # |--+--+--+--+--+--+--+--|
1983 # |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx
1984 #
1985 # "can't overflow" below mark carrying into high part of
1986 # multiplication result, which can't overflow, because it
1987 # can never be all ones.
1988
1989 mulld $acc1,$a1,$a0 # a[1]*a[0]
1990 mulhdu $t1,$a1,$a0
1991 mulld $acc2,$a2,$a0 # a[2]*a[0]
1992 mulhdu $t2,$a2,$a0
1993 mulld $acc3,$a3,$a0 # a[3]*a[0]
1994 mulhdu $acc4,$a3,$a0
1995
1996 addc $acc2,$acc2,$t1 # accumulate high parts of multiplication
1997 mulld $t0,$a2,$a1 # a[2]*a[1]
1998 mulhdu $t1,$a2,$a1
1999 adde $acc3,$acc3,$t2
2000 mulld $t2,$a3,$a1 # a[3]*a[1]
2001 mulhdu $t3,$a3,$a1
2002 addze $acc4,$acc4 # can't overflow
2003
2004 mulld $acc5,$a3,$a2 # a[3]*a[2]
2005 mulhdu $acc6,$a3,$a2
2006
2007 addc $t1,$t1,$t2 # accumulate high parts of multiplication
2008 mulld $acc0,$a0,$a0 # a[0]*a[0]
2009 addze $t2,$t3 # can't overflow
2010
2011 addc $acc3,$acc3,$t0 # accumulate low parts of multiplication
2012 mulhdu $a0,$a0,$a0
2013 adde $acc4,$acc4,$t1
2014 mulld $t1,$a1,$a1 # a[1]*a[1]
2015 adde $acc5,$acc5,$t2
2016 mulhdu $a1,$a1,$a1
2017 addze $acc6,$acc6 # can't overflow
2018
2019 addc $acc1,$acc1,$acc1 # acc[1-6]*=2
2020 mulld $t2,$a2,$a2 # a[2]*a[2]
2021 adde $acc2,$acc2,$acc2
2022 mulhdu $a2,$a2,$a2
2023 adde $acc3,$acc3,$acc3
2024 mulld $t3,$a3,$a3 # a[3]*a[3]
2025 adde $acc4,$acc4,$acc4
2026 mulhdu $a3,$a3,$a3
2027 adde $acc5,$acc5,$acc5
2028 adde $acc6,$acc6,$acc6
2029 addze $acc7,$zr
2030
2031 addc $acc1,$acc1,$a0 # +a[i]*a[i]
2032 mulld $t4,$acc0,$ordk
2033 adde $acc2,$acc2,$t1
2034 adde $acc3,$acc3,$a1
2035 adde $acc4,$acc4,$t2
2036 adde $acc5,$acc5,$a2
2037 adde $acc6,$acc6,$t3
2038 adde $acc7,$acc7,$a3
2039 ___
2040 for($i=0; $i<4; $i++) { # reductions
2041 $code.=<<___;
2042 addic $t0,$acc0,-1 # discarded
2043 mulhdu $t1,$ord0,$t4
2044 mulld $t2,$ord1,$t4
2045 mulhdu $t3,$ord1,$t4
2046
2047 adde $t2,$t2,$t1
2048 addze $t3,$t3
2049
2050 addc $acc0,$acc1,$t2
2051 adde $acc1,$acc2,$t3
2052 adde $acc2,$acc3,$t4
2053 adde $acc3,$zr,$t4 # can't overflow
2054 ___
2055 $code.=<<___ if ($i<3);
2056 mulld $t3,$acc0,$ordk
2057 ___
2058 $code.=<<___;
2059 sldi $t0,$t4,32
2060 subfc $acc1,$t4,$acc1
2061 srdi $t1,$t4,32
2062 subfe $acc2,$t0,$acc2
2063 subfe $acc3,$t1,$acc3 # can't borrow
2064 ___
2065 ($t3,$t4) = ($t4,$t3);
2066 }
2067 $code.=<<___;
2068 addc $acc0,$acc0,$acc4 # accumulate upper half
2069 adde $acc1,$acc1,$acc5
2070 adde $acc2,$acc2,$acc6
2071 adde $acc3,$acc3,$acc7
2072 addze $acc4,$zr
2073
2074 subfc $acc0,$ord0,$acc0 # ret -= modulus
2075 subfe $acc1,$ord1,$acc1
2076 subfe $acc2,$ord2,$acc2
2077 subfe $acc3,$ord3,$acc3
2078 subfe $acc4,$zr,$acc4
2079
2080 and $t0,$ord0,$acc4
2081 and $t1,$ord1,$acc4
2082 addc $a0,$acc0,$t0 # ret += modulus if borrow
2083 and $t3,$ord3,$acc4
2084 adde $a1,$acc1,$t1
2085 adde $a2,$acc2,$acc4
2086 adde $a3,$acc3,$t3
2087
2088 bdnz .Loop_ord_sqr
2089
2090 std $a0,0($rp)
2091 std $a1,8($rp)
2092 std $a2,16($rp)
2093 std $a3,24($rp)
2094
2095 ld r18,48($sp)
2096 ld r19,56($sp)
2097 ld r20,64($sp)
2098 ld r21,72($sp)
2099 ld r22,80($sp)
2100 ld r23,88($sp)
2101 ld r24,96($sp)
2102 ld r25,104($sp)
2103 ld r26,112($sp)
2104 ld r27,120($sp)
2105 ld r28,128($sp)
2106 ld r29,136($sp)
2107 ld r30,144($sp)
2108 ld r31,152($sp)
2109 addi $sp,$sp,160
2110 blr
2111 .long 0
2112 .byte 0,12,4,0,0x80,14,3,0
2113 .long 0
2114 .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont
2115 ___
2116 } }
2117
2118 ########################################################################
2119 # scatter-gather subroutines
2120 {
2121 my ($out,$inp,$index,$mask)=map("r$_",(3..7));
2122 $code.=<<___;
2123 ########################################################################
2124 # void ecp_nistz256_scatter_w5(void *out, const P256_POINT *inp,
2125 # int index);
2126 .globl ecp_nistz256_scatter_w5
2127 .align 4
2128 ecp_nistz256_scatter_w5:
2129 slwi $index,$index,2
2130 add $out,$out,$index
2131
2132 ld r8, 0($inp) # X
2133 ld r9, 8($inp)
2134 ld r10,16($inp)
2135 ld r11,24($inp)
2136
2137 stw r8, 64*0-4($out)
2138 srdi r8, r8, 32
2139 stw r9, 64*1-4($out)
2140 srdi r9, r9, 32
2141 stw r10,64*2-4($out)
2142 srdi r10,r10,32
2143 stw r11,64*3-4($out)
2144 srdi r11,r11,32
2145 stw r8, 64*4-4($out)
2146 stw r9, 64*5-4($out)
2147 stw r10,64*6-4($out)
2148 stw r11,64*7-4($out)
2149 addi $out,$out,64*8
2150
2151 ld r8, 32($inp) # Y
2152 ld r9, 40($inp)
2153 ld r10,48($inp)
2154 ld r11,56($inp)
2155
2156 stw r8, 64*0-4($out)
2157 srdi r8, r8, 32
2158 stw r9, 64*1-4($out)
2159 srdi r9, r9, 32
2160 stw r10,64*2-4($out)
2161 srdi r10,r10,32
2162 stw r11,64*3-4($out)
2163 srdi r11,r11,32
2164 stw r8, 64*4-4($out)
2165 stw r9, 64*5-4($out)
2166 stw r10,64*6-4($out)
2167 stw r11,64*7-4($out)
2168 addi $out,$out,64*8
2169
2170 ld r8, 64($inp) # Z
2171 ld r9, 72($inp)
2172 ld r10,80($inp)
2173 ld r11,88($inp)
2174
2175 stw r8, 64*0-4($out)
2176 srdi r8, r8, 32
2177 stw r9, 64*1-4($out)
2178 srdi r9, r9, 32
2179 stw r10,64*2-4($out)
2180 srdi r10,r10,32
2181 stw r11,64*3-4($out)
2182 srdi r11,r11,32
2183 stw r8, 64*4-4($out)
2184 stw r9, 64*5-4($out)
2185 stw r10,64*6-4($out)
2186 stw r11,64*7-4($out)
2187
2188 blr
2189 .long 0
2190 .byte 0,12,0x14,0,0,0,3,0
2191 .long 0
2192 .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
2193
2194 ########################################################################
2195 # void ecp_nistz256_gather_w5(P256_POINT *out, const void *inp,
2196 # int index);
2197 .globl ecp_nistz256_gather_w5
2198 .align 4
2199 ecp_nistz256_gather_w5:
2200 neg r0,$index
2201 sradi r0,r0,63
2202
2203 add $index,$index,r0
2204 slwi $index,$index,2
2205 add $inp,$inp,$index
2206
2207 lwz r5, 64*0($inp)
2208 lwz r6, 64*1($inp)
2209 lwz r7, 64*2($inp)
2210 lwz r8, 64*3($inp)
2211 lwz r9, 64*4($inp)
2212 lwz r10,64*5($inp)
2213 lwz r11,64*6($inp)
2214 lwz r12,64*7($inp)
2215 addi $inp,$inp,64*8
2216 sldi r9, r9, 32
2217 sldi r10,r10,32
2218 sldi r11,r11,32
2219 sldi r12,r12,32
2220 or r5,r5,r9
2221 or r6,r6,r10
2222 or r7,r7,r11
2223 or r8,r8,r12
2224 and r5,r5,r0
2225 and r6,r6,r0
2226 and r7,r7,r0
2227 and r8,r8,r0
2228 std r5,0($out) # X
2229 std r6,8($out)
2230 std r7,16($out)
2231 std r8,24($out)
2232
2233 lwz r5, 64*0($inp)
2234 lwz r6, 64*1($inp)
2235 lwz r7, 64*2($inp)
2236 lwz r8, 64*3($inp)
2237 lwz r9, 64*4($inp)
2238 lwz r10,64*5($inp)
2239 lwz r11,64*6($inp)
2240 lwz r12,64*7($inp)
2241 addi $inp,$inp,64*8
2242 sldi r9, r9, 32
2243 sldi r10,r10,32
2244 sldi r11,r11,32
2245 sldi r12,r12,32
2246 or r5,r5,r9
2247 or r6,r6,r10
2248 or r7,r7,r11
2249 or r8,r8,r12
2250 and r5,r5,r0
2251 and r6,r6,r0
2252 and r7,r7,r0
2253 and r8,r8,r0
2254 std r5,32($out) # Y
2255 std r6,40($out)
2256 std r7,48($out)
2257 std r8,56($out)
2258
2259 lwz r5, 64*0($inp)
2260 lwz r6, 64*1($inp)
2261 lwz r7, 64*2($inp)
2262 lwz r8, 64*3($inp)
2263 lwz r9, 64*4($inp)
2264 lwz r10,64*5($inp)
2265 lwz r11,64*6($inp)
2266 lwz r12,64*7($inp)
2267 sldi r9, r9, 32
2268 sldi r10,r10,32
2269 sldi r11,r11,32
2270 sldi r12,r12,32
2271 or r5,r5,r9
2272 or r6,r6,r10
2273 or r7,r7,r11
2274 or r8,r8,r12
2275 and r5,r5,r0
2276 and r6,r6,r0
2277 and r7,r7,r0
2278 and r8,r8,r0
2279 std r5,64($out) # Z
2280 std r6,72($out)
2281 std r7,80($out)
2282 std r8,88($out)
2283
2284 blr
2285 .long 0
2286 .byte 0,12,0x14,0,0,0,3,0
2287 .long 0
2288 .size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
2289
2290 ########################################################################
2291 # void ecp_nistz256_scatter_w7(void *out, const P256_POINT_AFFINE *inp,
2292 # int index);
2293 .globl ecp_nistz256_scatter_w7
2294 .align 4
2295 ecp_nistz256_scatter_w7:
2296 li r0,8
2297 mtctr r0
2298 add $out,$out,$index
2299 subi $inp,$inp,8
2300
2301 .Loop_scatter_w7:
2302 ldu r0,8($inp)
2303 stb r0,64*0($out)
2304 srdi r0,r0,8
2305 stb r0,64*1($out)
2306 srdi r0,r0,8
2307 stb r0,64*2($out)
2308 srdi r0,r0,8
2309 stb r0,64*3($out)
2310 srdi r0,r0,8
2311 stb r0,64*4($out)
2312 srdi r0,r0,8
2313 stb r0,64*5($out)
2314 srdi r0,r0,8
2315 stb r0,64*6($out)
2316 srdi r0,r0,8
2317 stb r0,64*7($out)
2318 addi $out,$out,64*8
2319 bdnz .Loop_scatter_w7
2320
2321 blr
2322 .long 0
2323 .byte 0,12,0x14,0,0,0,3,0
2324 .long 0
2325 .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
2326
2327 ########################################################################
2328 # void ecp_nistz256_gather_w7(P256_POINT_AFFINE *out, const void *inp,
2329 # int index);
2330 .globl ecp_nistz256_gather_w7
2331 .align 4
2332 ecp_nistz256_gather_w7:
2333 li r0,8
2334 mtctr r0
2335 neg r0,$index
2336 sradi r0,r0,63
2337
2338 add $index,$index,r0
2339 add $inp,$inp,$index
2340 subi $out,$out,8
2341
2342 .Loop_gather_w7:
2343 lbz r5, 64*0($inp)
2344 lbz r6, 64*1($inp)
2345 lbz r7, 64*2($inp)
2346 lbz r8, 64*3($inp)
2347 lbz r9, 64*4($inp)
2348 lbz r10,64*5($inp)
2349 lbz r11,64*6($inp)
2350 lbz r12,64*7($inp)
2351 addi $inp,$inp,64*8
2352
2353 sldi r6, r6, 8
2354 sldi r7, r7, 16
2355 sldi r8, r8, 24
2356 sldi r9, r9, 32
2357 sldi r10,r10,40
2358 sldi r11,r11,48
2359 sldi r12,r12,56
2360
2361 or r5,r5,r6
2362 or r7,r7,r8
2363 or r9,r9,r10
2364 or r11,r11,r12
2365 or r5,r5,r7
2366 or r9,r9,r11
2367 or r5,r5,r9
2368 and r5,r5,r0
2369 stdu r5,8($out)
2370 bdnz .Loop_gather_w7
2371
2372 blr
2373 .long 0
2374 .byte 0,12,0x14,0,0,0,3,0
2375 .long 0
2376 .size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
2377 ___
2378 }
2379
2380 foreach (split("\n",$code)) {
2381 s/\`([^\`]*)\`/eval $1/ge;
2382
2383 print $_,"\n";
2384 }
2385 close STDOUT or die "error closing STDOUT: $!"; # enforce flush
A mirror of the official openssl repository