1// +build amd64
2
3#include "textflag.h"
4
5// Depends on circl/math/fp448 package
6#include "../../math/fp448/fp_amd64.h"
7#include "curve_amd64.h"
8
9// CTE_A24 is (A+2)/4 from Curve448
10#define CTE_A24 39082
11
12#define Size 56
13
14// multiplyA24Leg multiplies x times CTE_A24 and stores in z
15// Uses: AX, DX, R8-R15, FLAGS
16// Instr: x86_64, cmov, adx
17#define multiplyA24Leg(z,x) \
18 MOVQ $CTE_A24, R15; \
19 MOVQ 0+x, AX; MULQ R15; MOVQ AX, R8; ;;;;;;;;;;;; MOVQ DX, R9; \
20 MOVQ 8+x, AX; MULQ R15; ADDQ AX, R9; ADCQ $0, DX; MOVQ DX, R10; \
21 MOVQ 16+x, AX; MULQ R15; ADDQ AX, R10; ADCQ $0, DX; MOVQ DX, R11; \
22 MOVQ 24+x, AX; MULQ R15; ADDQ AX, R11; ADCQ $0, DX; MOVQ DX, R12; \
23 MOVQ 32+x, AX; MULQ R15; ADDQ AX, R12; ADCQ $0, DX; MOVQ DX, R13; \
24 MOVQ 40+x, AX; MULQ R15; ADDQ AX, R13; ADCQ $0, DX; MOVQ DX, R14; \
25 MOVQ 48+x, AX; MULQ R15; ADDQ AX, R14; ADCQ $0, DX; \
26 MOVQ DX, AX; \
27 SHLQ $32, AX; \
28 ADDQ DX, R8; MOVQ $0, DX; \
29 ADCQ $0, R9; \
30 ADCQ $0, R10; \
31 ADCQ AX, R11; \
32 ADCQ $0, R12; \
33 ADCQ $0, R13; \
34 ADCQ $0, R14; \
35 ADCQ $0, DX; \
36 MOVQ DX, AX; \
37 SHLQ $32, AX; \
38 ADDQ DX, R8; \
39 ADCQ $0, R9; \
40 ADCQ $0, R10; \
41 ADCQ AX, R11; \
42 ADCQ $0, R12; \
43 ADCQ $0, R13; \
44 ADCQ $0, R14; \
45 MOVQ R8, 0+z; \
46 MOVQ R9, 8+z; \
47 MOVQ R10, 16+z; \
48 MOVQ R11, 24+z; \
49 MOVQ R12, 32+z; \
50 MOVQ R13, 40+z; \
51 MOVQ R14, 48+z;
52
53// multiplyA24Adx multiplies x times CTE_A24 and stores in z
54// Uses: AX, DX, R8-R14, FLAGS
55// Instr: x86_64, bmi2
56#define multiplyA24Adx(z,x) \
57 MOVQ $CTE_A24, DX; \
58 MULXQ 0+x, R8, R9; \
59 MULXQ 8+x, AX, R10; ADDQ AX, R9; \
60 MULXQ 16+x, AX, R11; ADCQ AX, R10; \
61 MULXQ 24+x, AX, R12; ADCQ AX, R11; \
62 MULXQ 32+x, AX, R13; ADCQ AX, R12; \
63 MULXQ 40+x, AX, R14; ADCQ AX, R13; \
64 MULXQ 48+x, AX, DX; ADCQ AX, R14; \
65 ;;;;;;;;;;;;;;;;;;;; ADCQ $0, DX; \
66 MOVQ DX, AX; \
67 SHLQ $32, AX; \
68 ADDQ DX, R8; MOVQ $0, DX; \
69 ADCQ $0, R9; \
70 ADCQ $0, R10; \
71 ADCQ AX, R11; \
72 ADCQ $0, R12; \
73 ADCQ $0, R13; \
74 ADCQ $0, R14; \
75 ADCQ $0, DX; \
76 MOVQ DX, AX; \
77 SHLQ $32, AX; \
78 ADDQ DX, R8; \
79 ADCQ $0, R9; \
80 ADCQ $0, R10; \
81 ADCQ AX, R11; \
82 ADCQ $0, R12; \
83 ADCQ $0, R13; \
84 ADCQ $0, R14; \
85 MOVQ R8, 0+z; \
86 MOVQ R9, 8+z; \
87 MOVQ R10, 16+z; \
88 MOVQ R11, 24+z; \
89 MOVQ R12, 32+z; \
90 MOVQ R13, 40+z; \
91 MOVQ R14, 48+z;
92
93#define mulA24Legacy \
94 multiplyA24Leg(0(DI),0(SI))
95#define mulA24Bmi2Adx \
96 multiplyA24Adx(0(DI),0(SI))
97
98// func mulA24Amd64(z, x *fp448.Elt)
99TEXT ·mulA24Amd64(SB),NOSPLIT,$0-16
100 MOVQ z+0(FP), DI
101 MOVQ x+8(FP), SI
102 CHECK_BMI2ADX(LMA24, mulA24Legacy, mulA24Bmi2Adx)
103
104// func ladderStepAmd64(w *[5]fp448.Elt, b uint)
105// ladderStepAmd64 calculates a point addition and doubling as follows:
106// (x2,z2) = 2*(x2,z2) and (x3,z3) = (x2,z2)+(x3,z3) using as a difference (x1,-).
107// w = {x1,x2,z2,x3,z4} are five fp255.Elt of 56 bytes.
108// stack = (t0,t1) are two fp.Elt of fp.Size bytes, and
109// (b0,b1) are two-double precision fp.Elt of 2*fp.Size bytes.
110TEXT ·ladderStepAmd64(SB),NOSPLIT,$336-16
111 // Parameters
112 #define regWork DI
113 #define regMove SI
114 #define x1 0*Size(regWork)
115 #define x2 1*Size(regWork)
116 #define z2 2*Size(regWork)
117 #define x3 3*Size(regWork)
118 #define z3 4*Size(regWork)
119 // Local variables
120 #define t0 0*Size(SP)
121 #define t1 1*Size(SP)
122 #define b0 2*Size(SP)
123 #define b1 4*Size(SP)
124 MOVQ w+0(FP), regWork
125 MOVQ b+8(FP), regMove
126 CHECK_BMI2ADX(LLADSTEP, ladderStepLeg, ladderStepBmi2Adx)
127 #undef regWork
128 #undef regMove
129 #undef x1
130 #undef x2
131 #undef z2
132 #undef x3
133 #undef z3
134 #undef t0
135 #undef t1
136 #undef b0
137 #undef b1
138
139// func diffAddAmd64(work *[5]fp.Elt, swap uint)
140// diffAddAmd64 calculates a differential point addition using a precomputed point.
141// (x1,z1) = (x1,z1)+(mu) using a difference point (x2,z2)
142// work = {mu,x1,z1,x2,z2} are five fp448.Elt of 56 bytes, and
143// stack = (b0,b1) are two-double precision fp.Elt of 2*fp.Size bytes.
144// This is Equation 7 at https://eprint.iacr.org/2017/264.
145TEXT ·diffAddAmd64(SB),NOSPLIT,$224-16
146 // Parameters
147 #define regWork DI
148 #define regSwap SI
149 #define ui 0*Size(regWork)
150 #define x1 1*Size(regWork)
151 #define z1 2*Size(regWork)
152 #define x2 3*Size(regWork)
153 #define z2 4*Size(regWork)
154 // Local variables
155 #define b0 0*Size(SP)
156 #define b1 2*Size(SP)
157 MOVQ w+0(FP), regWork
158 MOVQ b+8(FP), regSwap
159 cswap(x1,x2,regSwap)
160 cswap(z1,z2,regSwap)
161 CHECK_BMI2ADX(LDIFADD, difAddLeg, difAddBmi2Adx)
162 #undef regWork
163 #undef regSwap
164 #undef ui
165 #undef x1
166 #undef z1
167 #undef x2
168 #undef z2
169 #undef b0
170 #undef b1
171
172// func doubleAmd64(x, z *fp448.Elt)
173// doubleAmd64 calculates a point doubling (x1,z1) = 2*(x1,z1).
174// stack = (t0,t1) are two fp.Elt of fp.Size bytes, and
175// (b0,b1) are two-double precision fp.Elt of 2*fp.Size bytes.
176TEXT ·doubleAmd64(SB),NOSPLIT,$336-16
177 // Parameters
178 #define x1 0(DI)
179 #define z1 0(SI)
180 // Local variables
181 #define t0 0*Size(SP)
182 #define t1 1*Size(SP)
183 #define b0 2*Size(SP)
184 #define b1 4*Size(SP)
185 MOVQ x+0(FP), DI
186 MOVQ z+8(FP), SI
187 CHECK_BMI2ADX(LDOUB,doubleLeg,doubleBmi2Adx)
188 #undef x1
189 #undef z1
190 #undef t0
191 #undef t1
192 #undef b0
193 #undef b1
View as plain text