123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325 |
- #!/usr/bin/env perl
- #
- # ====================================================================
- # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
- # ====================================================================
- #
- # May 2011
- #
- # The module implements bn_GF2m_mul_2x2 polynomial multiplication
- # used in bn_gf2m.c. It's kind of low-hanging mechanical port from
- # C for the time being... Except that it has two code paths: pure
- # integer code suitable for any ARMv4 and later CPU and NEON code
- # suitable for ARMv7. Pure integer 1x1 multiplication subroutine runs
- # in ~45 cycles on dual-issue core such as Cortex A8, which is ~50%
- # faster than compiler-generated code. For ECDH and ECDSA verify (but
- # not for ECDSA sign) it means 25%-45% improvement depending on key
- # length, more for longer keys. Even though NEON 1x1 multiplication
- # runs in even less cycles, ~30, improvement is measurable only on
- # longer keys. One has to optimize code elsewhere to get NEON glow...
- #
- # April 2014
- #
- # Double bn_GF2m_mul_2x2 performance by using algorithm from paper
- # referred below, which improves ECDH and ECDSA verify benchmarks
- # by 18-40%.
- #
- # Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
- # Polynomial Multiplication on ARM Processors using the NEON Engine.
- #
- # http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf
- $flavour = shift;
- if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
- else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
- if ($flavour && $flavour ne "void") {
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
- die "can't locate arm-xlate.pl";
- open STDOUT,"| \"$^X\" $xlate $flavour $output";
- } else {
- open STDOUT,">$output";
- }
- $code=<<___;
- #include "arm_arch.h"
- .text
- #if defined(__thumb2__)
- .syntax unified
- .thumb
- #else
- .code 32
- #endif
- ___
- ################
- # private interface to mul_1x1_ialu
- #
- $a="r1";
- $b="r0";
- ($a0,$a1,$a2,$a12,$a4,$a14)=
- ($hi,$lo,$t0,$t1, $i0,$i1 )=map("r$_",(4..9),12);
- $mask="r12";
- $code.=<<___;
- .type mul_1x1_ialu,%function
- .align 5
- mul_1x1_ialu:
- mov $a0,#0
- bic $a1,$a,#3<<30 @ a1=a&0x3fffffff
- str $a0,[sp,#0] @ tab[0]=0
- add $a2,$a1,$a1 @ a2=a1<<1
- str $a1,[sp,#4] @ tab[1]=a1
- eor $a12,$a1,$a2 @ a1^a2
- str $a2,[sp,#8] @ tab[2]=a2
- mov $a4,$a1,lsl#2 @ a4=a1<<2
- str $a12,[sp,#12] @ tab[3]=a1^a2
- eor $a14,$a1,$a4 @ a1^a4
- str $a4,[sp,#16] @ tab[4]=a4
- eor $a0,$a2,$a4 @ a2^a4
- str $a14,[sp,#20] @ tab[5]=a1^a4
- eor $a12,$a12,$a4 @ a1^a2^a4
- str $a0,[sp,#24] @ tab[6]=a2^a4
- and $i0,$mask,$b,lsl#2
- str $a12,[sp,#28] @ tab[7]=a1^a2^a4
- and $i1,$mask,$b,lsr#1
- ldr $lo,[sp,$i0] @ tab[b & 0x7]
- and $i0,$mask,$b,lsr#4
- ldr $t1,[sp,$i1] @ tab[b >> 3 & 0x7]
- and $i1,$mask,$b,lsr#7
- ldr $t0,[sp,$i0] @ tab[b >> 6 & 0x7]
- eor $lo,$lo,$t1,lsl#3 @ stall
- mov $hi,$t1,lsr#29
- ldr $t1,[sp,$i1] @ tab[b >> 9 & 0x7]
- and $i0,$mask,$b,lsr#10
- eor $lo,$lo,$t0,lsl#6
- eor $hi,$hi,$t0,lsr#26
- ldr $t0,[sp,$i0] @ tab[b >> 12 & 0x7]
- and $i1,$mask,$b,lsr#13
- eor $lo,$lo,$t1,lsl#9
- eor $hi,$hi,$t1,lsr#23
- ldr $t1,[sp,$i1] @ tab[b >> 15 & 0x7]
- and $i0,$mask,$b,lsr#16
- eor $lo,$lo,$t0,lsl#12
- eor $hi,$hi,$t0,lsr#20
- ldr $t0,[sp,$i0] @ tab[b >> 18 & 0x7]
- and $i1,$mask,$b,lsr#19
- eor $lo,$lo,$t1,lsl#15
- eor $hi,$hi,$t1,lsr#17
- ldr $t1,[sp,$i1] @ tab[b >> 21 & 0x7]
- and $i0,$mask,$b,lsr#22
- eor $lo,$lo,$t0,lsl#18
- eor $hi,$hi,$t0,lsr#14
- ldr $t0,[sp,$i0] @ tab[b >> 24 & 0x7]
- and $i1,$mask,$b,lsr#25
- eor $lo,$lo,$t1,lsl#21
- eor $hi,$hi,$t1,lsr#11
- ldr $t1,[sp,$i1] @ tab[b >> 27 & 0x7]
- tst $a,#1<<30
- and $i0,$mask,$b,lsr#28
- eor $lo,$lo,$t0,lsl#24
- eor $hi,$hi,$t0,lsr#8
- ldr $t0,[sp,$i0] @ tab[b >> 30 ]
- #ifdef __thumb2__
- itt ne
- #endif
- eorne $lo,$lo,$b,lsl#30
- eorne $hi,$hi,$b,lsr#2
- tst $a,#1<<31
- eor $lo,$lo,$t1,lsl#27
- eor $hi,$hi,$t1,lsr#5
- #ifdef __thumb2__
- itt ne
- #endif
- eorne $lo,$lo,$b,lsl#31
- eorne $hi,$hi,$b,lsr#1
- eor $lo,$lo,$t0,lsl#30
- eor $hi,$hi,$t0,lsr#2
- mov pc,lr
- .size mul_1x1_ialu,.-mul_1x1_ialu
- ___
- ################
- # void bn_GF2m_mul_2x2(BN_ULONG *r,
- # BN_ULONG a1,BN_ULONG a0,
- # BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0·b1b0
- {
- $code.=<<___;
- .global bn_GF2m_mul_2x2
- .type bn_GF2m_mul_2x2,%function
- .align 5
- bn_GF2m_mul_2x2:
- #if __ARM_MAX_ARCH__>=7
- stmdb sp!,{r10,lr}
- ldr r12,.LOPENSSL_armcap
- adr r10,.LOPENSSL_armcap
- ldr r12,[r12,r10]
- #ifdef __APPLE__
- ldr r12,[r12]
- #endif
- tst r12,#ARMV7_NEON
- itt ne
- ldrne r10,[sp],#8
- bne .LNEON
- stmdb sp!,{r4-r9}
- #else
- stmdb sp!,{r4-r10,lr}
- #endif
- ___
- $ret="r10"; # reassigned 1st argument
- $code.=<<___;
- mov $ret,r0 @ reassign 1st argument
- mov $b,r3 @ $b=b1
- sub r7,sp,#36
- mov r8,sp
- and r7,r7,#-32
- ldr r3,[sp,#32] @ load b0
- mov $mask,#7<<2
- mov sp,r7 @ allocate tab[8]
- str r8,[r7,#32]
- bl mul_1x1_ialu @ a1·b1
- str $lo,[$ret,#8]
- str $hi,[$ret,#12]
- eor $b,$b,r3 @ flip b0 and b1
- eor $a,$a,r2 @ flip a0 and a1
- eor r3,r3,$b
- eor r2,r2,$a
- eor $b,$b,r3
- eor $a,$a,r2
- bl mul_1x1_ialu @ a0·b0
- str $lo,[$ret]
- str $hi,[$ret,#4]
- eor $a,$a,r2
- eor $b,$b,r3
- bl mul_1x1_ialu @ (a1+a0)·(b1+b0)
- ___
- @r=map("r$_",(6..9));
- $code.=<<___;
- ldmia $ret,{@r[0]-@r[3]}
- eor $lo,$lo,$hi
- ldr sp,[sp,#32] @ destroy tab[8]
- eor $hi,$hi,@r[1]
- eor $lo,$lo,@r[0]
- eor $hi,$hi,@r[2]
- eor $lo,$lo,@r[3]
- eor $hi,$hi,@r[3]
- str $hi,[$ret,#8]
- eor $lo,$lo,$hi
- str $lo,[$ret,#4]
- #if __ARM_ARCH__>=5
- ldmia sp!,{r4-r10,pc}
- #else
- ldmia sp!,{r4-r10,lr}
- tst lr,#1
- moveq pc,lr @ be binary compatible with V4, yet
- bx lr @ interoperable with Thumb ISA:-)
- #endif
- ___
- }
- {
- my ($r,$t0,$t1,$t2,$t3)=map("q$_",(0..3,8..12));
- my ($a,$b,$k48,$k32,$k16)=map("d$_",(26..31));
- $code.=<<___;
- #if __ARM_MAX_ARCH__>=7
- .arch armv7-a
- .fpu neon
- .align 5
- .LNEON:
- ldr r12, [sp] @ 5th argument
- vmov $a, r2, r1
- vmov $b, r12, r3
- vmov.i64 $k48, #0x0000ffffffffffff
- vmov.i64 $k32, #0x00000000ffffffff
- vmov.i64 $k16, #0x000000000000ffff
- vext.8 $t0#lo, $a, $a, #1 @ A1
- vmull.p8 $t0, $t0#lo, $b @ F = A1*B
- vext.8 $r#lo, $b, $b, #1 @ B1
- vmull.p8 $r, $a, $r#lo @ E = A*B1
- vext.8 $t1#lo, $a, $a, #2 @ A2
- vmull.p8 $t1, $t1#lo, $b @ H = A2*B
- vext.8 $t3#lo, $b, $b, #2 @ B2
- vmull.p8 $t3, $a, $t3#lo @ G = A*B2
- vext.8 $t2#lo, $a, $a, #3 @ A3
- veor $t0, $t0, $r @ L = E + F
- vmull.p8 $t2, $t2#lo, $b @ J = A3*B
- vext.8 $r#lo, $b, $b, #3 @ B3
- veor $t1, $t1, $t3 @ M = G + H
- vmull.p8 $r, $a, $r#lo @ I = A*B3
- veor $t0#lo, $t0#lo, $t0#hi @ t0 = (L) (P0 + P1) << 8
- vand $t0#hi, $t0#hi, $k48
- vext.8 $t3#lo, $b, $b, #4 @ B4
- veor $t1#lo, $t1#lo, $t1#hi @ t1 = (M) (P2 + P3) << 16
- vand $t1#hi, $t1#hi, $k32
- vmull.p8 $t3, $a, $t3#lo @ K = A*B4
- veor $t2, $t2, $r @ N = I + J
- veor $t0#lo, $t0#lo, $t0#hi
- veor $t1#lo, $t1#lo, $t1#hi
- veor $t2#lo, $t2#lo, $t2#hi @ t2 = (N) (P4 + P5) << 24
- vand $t2#hi, $t2#hi, $k16
- vext.8 $t0, $t0, $t0, #15
- veor $t3#lo, $t3#lo, $t3#hi @ t3 = (K) (P6 + P7) << 32
- vmov.i64 $t3#hi, #0
- vext.8 $t1, $t1, $t1, #14
- veor $t2#lo, $t2#lo, $t2#hi
- vmull.p8 $r, $a, $b @ D = A*B
- vext.8 $t3, $t3, $t3, #12
- vext.8 $t2, $t2, $t2, #13
- veor $t0, $t0, $t1
- veor $t2, $t2, $t3
- veor $r, $r, $t0
- veor $r, $r, $t2
- vst1.32 {$r}, [r0]
- ret @ bx lr
- #endif
- ___
- }
- $code.=<<___;
- .size bn_GF2m_mul_2x2,.-bn_GF2m_mul_2x2
- #if __ARM_MAX_ARCH__>=7
- .align 5
- .LOPENSSL_armcap:
- .word OPENSSL_armcap_P-.
- #endif
- .asciz "GF(2^m) Multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
- .align 5
- #if __ARM_MAX_ARCH__>=7
- .comm OPENSSL_armcap_P,4,4
- #endif
- ___
- foreach (split("\n",$code)) {
- s/\`([^\`]*)\`/eval $1/geo;
- s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
- s/\bret\b/bx lr/go or
- s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
- print $_,"\n";
- }
- close STDOUT; # enforce flush
|