3 # This is crypto/bn/asm/x86-mont.pl (with asciz from crypto/perlasm/x86asm.pl)
4 # from OpenSSL 0.9.9-dev
7 { my @str=unpack("C*",shift);
10 &data_byte(@str[0..15]);
11 foreach (0..15) { shift @str; }
13 &data_byte(@str) if (@str);
16 # ====================================================================
17 # Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
18 # project. The module is, however, dual licensed under OpenSSL and
19 # CRYPTOGAMS licenses depending on where you obtain it. For further
20 # details see http://www.openssl.org/~appro/cryptogams/.
21 # ====================================================================
25 # This is a "teaser" code, as it can be improved in several ways...
26 # First of all non-SSE2 path should be implemented (yes, for now it
27 # performs Montgomery multiplication/convolution only on SSE2-capable
28 # CPUs such as P4, others fall down to original code). Then inner loop
29 # can be unrolled and modulo-scheduled to improve ILP and possibly
30 # moved to 128-bit XMM register bank (though it would require input
31 # rearrangement and/or increase bus bandwidth utilization). Dedicated
32 # squaring procedure should give further performance improvement...
33 # Yet, for being draft, the code improves rsa512 *sign* benchmark by
34 # 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-)
38 # Modulo-scheduling SSE2 loops results in further 15-20% improvement.
39 # Integer-only code [being equipped with dedicated squaring procedure]
40 # gives ~40% on rsa512 sign benchmark...
42 push(@INC,"perlasm","../../perlasm");
45 &asm_init($ARGV[0],$0);
48 for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
50 &external_label("OPENSSL_ia32cap_P") if ($sse2);
52 &function_begin("bn_mul_mont");
56 $ap="esi"; $tp="esi"; # overlapping variables!!!
57 $rp="edi"; $bp="edi"; # overlapping variables!!!
61 $_num=&DWP(4*0,"esp"); # stack top layout
66 $_n0=&DWP(4*5,"esp"); $_n0q=&QWP(4*5,"esp");
68 $_bpend=&DWP(4*7,"esp");
69 $frame=32; # size of above frame rounded up to 16n
72 &mov ("edi",&wparam(5)); # int num
74 &jl (&label("just_leave"));
76 &lea ("esi",&wparam(0)); # put aside pointer to argument block
77 &lea ("edx",&wparam(1)); # load ap
78 &mov ("ebp","esp"); # saved stack pointer!
79 &add ("edi",2); # extra two words on top of tp
81 &lea ("esp",&DWP(-$frame,"esp","edi",4)); # alloca($frame+4*(num+2))
84 # minimize cache contention by arraning 2K window between stack
85 # pointer and ap argument [np is also position sensitive vector,
86 # but it's assumed to be near ap, as it's allocated at ~same
91 &sub ("esp","eax"); # this aligns sp and ap modulo 2048
96 &sub ("esp","edx"); # this splits them apart modulo 4096
98 &and ("esp",-64); # align to cache line
100 ################################# load argument block...
101 &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
102 &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
103 &mov ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp
104 &mov ("edx",&DWP(3*4,"esi"));# const BN_ULONG *np
105 &mov ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0
106 #&mov ("edi",&DWP(5*4,"esi"));# int num
108 &mov ("esi",&DWP(0,"esi")); # pull n0[0]
109 &mov ($_rp,"eax"); # ... save a copy of argument block
114 &lea ($num,&DWP(-3,"edi")); # num=num-1 to assist modulo-scheduling
115 #&mov ($_num,$num); # redundant as $num is not reused
116 &mov ($_sp,"ebp"); # saved stack pointer!
119 $acc0="mm0"; # mmx register bank layout
128 &picmeup("eax","OPENSSL_ia32cap_P");
129 &bt (&DWP(0,"eax"),26);
130 &jnc (&label("non_sse2"));
133 &movd ($mask,"eax"); # mask 32 lower bits
135 &mov ($ap,$_ap); # load input pointers
142 &movd ($mul0,&DWP(0,$bp)); # bp[0]
143 &movd ($mul1,&DWP(0,$ap)); # ap[0]
144 &movd ($car1,&DWP(0,$np)); # np[0]
146 &pmuludq($mul1,$mul0); # ap[0]*bp[0]
148 &movq ($acc0,$mul1); # I wish movd worked for
149 &pand ($acc0,$mask); # inter-register transfers
151 &pmuludq($mul1,$_n0q); # *=n0
153 &pmuludq($car1,$mul1); # "t[0]"*np[0]*n0
154 &paddq ($car1,$acc0);
156 &movd ($acc1,&DWP(4,$np)); # np[1]
157 &movd ($acc0,&DWP(4,$ap)); # ap[1]
163 &set_label("1st",16);
164 &pmuludq($acc0,$mul0); # ap[j]*bp[0]
165 &pmuludq($acc1,$mul1); # np[j]*m1
166 &paddq ($car0,$acc0); # +=c0
167 &paddq ($car1,$acc1); # +=c1
171 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
172 &paddq ($car1,$acc0); # +=ap[j]*bp[0];
173 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
175 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[j-1]=
178 &lea ($j,&DWP(1,$j));
182 &pmuludq($acc0,$mul0); # ap[num-1]*bp[0]
183 &pmuludq($acc1,$mul1); # np[num-1]*m1
184 &paddq ($car0,$acc0); # +=c0
185 &paddq ($car1,$acc1); # +=c1
189 &paddq ($car1,$acc0); # +=ap[num-1]*bp[0];
190 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
195 &paddq ($car1,$car0);
196 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
202 &movd ($mul0,&DWP(0,$bp,$i,4)); # bp[i]
203 &movd ($mul1,&DWP(0,$ap)); # ap[0]
204 &movd ($temp,&DWP($frame,"esp")); # tp[0]
205 &movd ($car1,&DWP(0,$np)); # np[0]
206 &pmuludq($mul1,$mul0); # ap[0]*bp[i]
208 &paddq ($mul1,$temp); # +=tp[0]
213 &pmuludq($mul1,$_n0q); # *=n0
215 &pmuludq($car1,$mul1);
216 &paddq ($car1,$acc0);
218 &movd ($temp,&DWP($frame+4,"esp")); # tp[1]
219 &movd ($acc1,&DWP(4,$np)); # np[1]
220 &movd ($acc0,&DWP(4,$ap)); # ap[1]
224 &paddq ($car0,$temp); # +=tp[1]
229 &pmuludq($acc0,$mul0); # ap[j]*bp[i]
230 &pmuludq($acc1,$mul1); # np[j]*m1
231 &paddq ($car0,$acc0); # +=c0
232 &paddq ($car1,$acc1); # +=c1
235 &movd ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1]
237 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1]
238 &paddq ($car1,$acc0); # +=ap[j]*bp[i]+tp[j]
239 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1]
241 &movd (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]=
243 &paddq ($car0,$temp); # +=tp[j+1]
246 &lea ($j,&DWP(1,$j)); # j++
247 &jnz (&label("inner"));
250 &pmuludq($acc0,$mul0); # ap[num-1]*bp[i]
251 &pmuludq($acc1,$mul1); # np[num-1]*m1
252 &paddq ($car0,$acc0); # +=c0
253 &paddq ($car1,$acc1); # +=c1
257 &paddq ($car1,$acc0); # +=ap[num-1]*bp[i]+tp[num-1]
258 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]=
262 &movd ($temp,&DWP($frame+4,"esp",$num,4)); # += tp[num]
263 &paddq ($car1,$car0);
264 &paddq ($car1,$temp);
265 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1]
267 &lea ($i,&DWP(1,$i)); # i++
269 &jle (&label("outer"));
271 &emms (); # done with mmx bank
272 &jmp (&label("common_tail"));
274 &set_label("non_sse2",16);
279 &xor ("eax","eax"); # signal "not fast enough [yet]"
280 &jmp (&label("just_leave"));
281 # While the below code provides competitive performance for
282 # all key lengthes on modern Intel cores, it's still more
283 # than 10% slower for 4096-bit key elsewhere:-( "Competitive"
284 # means compared to the original integer-only assembler.
285 # 512-bit RSA sign is better by ~40%, but that's about all
286 # one can say about all CPUs...
288 $inp="esi"; # integer path uses these registers differently
293 &lea ($carry,&DWP(1,$num));
297 &and ($carry,1); # see if num is even
298 &sub ("edx",$word); # see if ap==bp
299 &lea ("eax",&DWP(4,$word,$num,4)); # &bp[num]
301 &mov ($word,&DWP(0,$word)); # bp[0]
302 &jz (&label("bn_sqr_mont"));
303 &mov ($_bpend,"eax");
304 &mov ("eax",&DWP(0,$inp));
307 &set_label("mull",16);
309 &mul ($word); # ap[j]*bp[0]
311 &lea ($j,&DWP(1,$j));
313 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
315 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
316 &jl (&label("mull"));
319 &mul ($word); # ap[num-1]*bp[0]
324 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
326 &mov (&DWP($frame,"esp",$num,4),"eax"); # tp[num-1]=
328 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
329 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
331 &mov ("eax",&DWP(0,$inp)); # np[0]
332 &mul ($word); # np[0]*m
333 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
334 &mov ("eax",&DWP(4,$inp)); # np[1]
338 &jmp (&label("2ndmadd"));
340 &set_label("1stmadd",16);
342 &mul ($word); # ap[j]*bp[i]
343 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
344 &lea ($j,&DWP(1,$j));
347 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j+1]
350 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
351 &jl (&label("1stmadd"));
354 &mul ($word); # ap[num-1]*bp[i]
355 &add ("eax",&DWP($frame,"esp",$num,4)); # +=tp[num-1]
361 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
364 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
365 &mov (&DWP($frame,"esp",$num,4),$carry); # tp[num-1]=
367 &mov ("eax",&DWP(0,$inp)); # np[0]
368 &mov (&DWP($frame+4,"esp",$num,4),"edx"); # tp[num]=
369 &mov (&DWP($frame+8,"esp",$num,4),$j); # tp[num+1]=
371 &mul ($word); # np[0]*m
372 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
373 &mov ("eax",&DWP(4,$inp)); # np[1]
377 &set_label("2ndmadd",16);
379 &mul ($word); # np[j]*m
380 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
381 &lea ($j,&DWP(1,$j));
384 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+1]
387 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j-1]=
388 &jl (&label("2ndmadd"));
391 &mul ($word); # np[j]*m
392 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
396 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
399 &mov ($j,$_bp); # &bp[i]
400 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
401 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
402 &lea ($j,&DWP(4,$j));
403 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
405 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
406 &je (&label("common_tail"));
408 &mov ($word,&DWP(0,$j)); # bp[i+1]
410 &mov ($_bp,$j); # &bp[++i]
413 &mov ("eax",&DWP(0,$inp));
414 &jmp (&label("1stmadd"));
416 &set_label("bn_sqr_mont",16);
419 &mov ($_bp,$j); # i=0
421 &mov ("eax",$word); # ap[0]
422 &mul ($word); # ap[0]*ap[0]
423 &mov (&DWP($frame,"esp"),"eax"); # tp[0]=
428 &set_label("sqr",16);
429 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
431 &mul ($word); # ap[j]*ap[0]
433 &lea ($j,&DWP(1,$j));
435 &lea ($carry,&DWP(0,$sbit,"eax",2));
439 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
442 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[num-1]
444 &mul ($word); # ap[num-1]*ap[0]
449 &lea ($carry,&DWP(0,$sbit,"eax",2));
450 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
452 &mov (&DWP($frame,"esp",$j,4),$carry); # tp[num-1]=
454 &lea ($carry,&DWP(0,"eax","edx",2));
455 &mov ("eax",&DWP(0,$inp)); # np[0]
457 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num]=
458 &mov (&DWP($frame+8,"esp",$j,4),"edx"); # tp[num+1]=
460 &mul ($word); # np[0]*m
461 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
464 &mov ("eax",&DWP(4,$inp)); # np[1]
467 &set_label("3rdmadd",16);
469 &mul ($word); # np[j]*m
470 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
473 &mov ("eax",&DWP(4,$inp,$j,4)); # np[j+1]
475 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j-1]=
478 &mul ($word); # np[j+1]*m
479 &add ($carry,&DWP($frame+4,"esp",$j,4)); # +=tp[j+1]
480 &lea ($j,&DWP(2,$j));
483 &mov ("eax",&DWP(0,$inp,$j,4)); # np[j+2]
486 &mov (&DWP($frame-8,"esp",$j,4),$carry); # tp[j]=
487 &jl (&label("3rdmadd"));
490 &mul ($word); # np[j]*m
491 &add ($carry,&DWP($frame,"esp",$num,4)); # +=tp[num-1]
495 &mov (&DWP($frame-4,"esp",$num,4),$carry); # tp[num-2]=
500 &add ("edx",&DWP($frame+4,"esp",$num,4)); # carry+=tp[num]
501 &adc ("eax",&DWP($frame+8,"esp",$num,4)); # +=tp[num+1]
502 &mov (&DWP($frame,"esp",$num,4),"edx"); # tp[num-1]=
504 &mov (&DWP($frame+4,"esp",$num,4),"eax"); # tp[num]=
505 &je (&label("common_tail"));
507 &mov ($word,&DWP(4,$inp,$j,4)); # ap[i]
508 &lea ($j,&DWP(1,$j));
510 &mov ($_bp,$j); # ++i
511 &mul ($word); # ap[i]*ap[i]
512 &add ("eax",&DWP($frame,"esp",$j,4)); # +=tp[i]
514 &mov (&DWP($frame,"esp",$j,4),"eax"); # tp[i]=
515 &xor ($carry,$carry);
517 &lea ($j,&DWP(1,$j));
518 &je (&label("sqrlast"));
520 &mov ($sbit,"edx"); # zaps $num
523 &set_label("sqradd",16);
524 &mov ("eax",&DWP(0,$inp,$j,4)); # ap[j]
526 &mul ($word); # ap[j]*ap[i]
528 &lea ($carry,&DWP(0,"eax","eax"));
531 &add ($carry,&DWP($frame,"esp",$j,4)); # +=tp[j]
532 &lea ($j,&DWP(1,$j));
537 &mov (&DWP($frame-4,"esp",$j,4),$carry); # tp[j]=
539 &jle (&label("sqradd"));
546 &set_label("sqrlast");
549 &imul ($word,&DWP($frame,"esp")); # n0*tp[0]
551 &add ("edx",&DWP($frame,"esp",$j,4)); # +=tp[num]
552 &mov ("eax",&DWP(0,$inp)); # np[0]
554 &mov (&DWP($frame,"esp",$j,4),"edx"); # tp[num]=
555 &mov (&DWP($frame+4,"esp",$j,4),$carry); # tp[num+1]=
557 &mul ($word); # np[0]*m
558 &add ("eax",&DWP($frame,"esp")); # +=tp[0]
559 &lea ($num,&DWP(-1,$j));
562 &mov ("eax",&DWP(4,$inp)); # np[1]
564 &jmp (&label("3rdmadd"));
567 &set_label("common_tail",16);
568 &mov ($np,$_np); # load modulus pointer
569 &mov ($rp,$_rp); # load result pointer
570 &lea ($tp,&DWP($frame,"esp")); # [$ap and $bp are zapped]
572 &mov ("eax",&DWP(0,$tp)); # tp[0]
573 &mov ($j,$num); # j=num-1
574 &xor ($i,$i); # i=0 and clear CF!
576 &set_label("sub",16);
577 &sbb ("eax",&DWP(0,$np,$i,4));
578 &mov (&DWP(0,$rp,$i,4),"eax"); # rp[i]=tp[i]-np[i]
579 &dec ($j); # doesn't affect CF!
580 &mov ("eax",&DWP(4,$tp,$i,4)); # tp[i+1]
581 &lea ($i,&DWP(1,$i)); # i++
582 &jge (&label("sub"));
584 &sbb ("eax",0); # handle upmost overflow bit
589 &or ($tp,$np); # tp=carry?tp:rp
591 &set_label("copy",16); # copy or in-place refresh
592 &mov ("eax",&DWP(0,$tp,$num,4));
593 &mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i]
594 &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
596 &jge (&label("copy"));
598 &mov ("esp",$_sp); # pull saved stack pointer
600 &set_label("just_leave");
601 &function_end("bn_mul_mont");
603 &asciz("Montgomery Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>");
projects / FreeBSD / releng / 9.0.git / blob