Home Explore Help
Sign In
wytfy
/
v2ray-core
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 454528353d
Branches Tags
v2ray-core
/
external
/
github.com
/
cloudflare
/
sidh
/
p503
/
arith_arm64.s

arith_arm64.s 15 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802 
  1. // +build arm64,!noasm
    2. 

  2. 

  3. #include "textflag.h"
    4. 

  4. 

  5. TEXT ·fp503ConditionalSwap(SB), NOSPLIT, $0-17
    6. 

  6. 	MOVD	x+0(FP), R0
    7. 

  7. 	MOVD	y+8(FP), R1
    8. 

  8. 	MOVB	choice+16(FP), R2
    9. 

  9. 

  10. 	// Set flags
    11. 

  11. 	// If choice is not 0 or 1, this implementation will swap completely
    12. 

  12. 	CMP	$0, R2
    13. 

  13. 

  14. 	LDP	0(R0), (R3, R4)
    15. 

  15. 	LDP	0(R1), (R5, R6)
    16. 

  16. 	CSEL	EQ, R3, R5, R7
    17. 

  17. 	CSEL	EQ, R4, R6, R8
    18. 

  18. 	STP	(R7, R8), 0(R0)
    19. 

  19. 	CSEL	NE, R3, R5, R9
    20. 

  20. 	CSEL	NE, R4, R6, R10
    21. 

  21. 	STP	(R9, R10), 0(R1)
    22. 

  22. 

  23. 	LDP	16(R0), (R3, R4)
    24. 

  24. 	LDP	16(R1), (R5, R6)
    25. 

  25. 	CSEL	EQ, R3, R5, R7
    26. 

  26. 	CSEL	EQ, R4, R6, R8
    27. 

  27. 	STP	(R7, R8), 16(R0)
    28. 

  28. 	CSEL	NE, R3, R5, R9
    29. 

  29. 	CSEL	NE, R4, R6, R10
    30. 

  30. 	STP	(R9, R10), 16(R1)
    31. 

  31. 

  32. 	LDP	32(R0), (R3, R4)
    33. 

  33. 	LDP	32(R1), (R5, R6)
    34. 

  34. 	CSEL	EQ, R3, R5, R7
    35. 

  35. 	CSEL	EQ, R4, R6, R8
    36. 

  36. 	STP	(R7, R8), 32(R0)
    37. 

  37. 	CSEL	NE, R3, R5, R9
    38. 

  38. 	CSEL	NE, R4, R6, R10
    39. 

  39. 	STP	(R9, R10), 32(R1)
    40. 

  40. 

  41. 	LDP	48(R0), (R3, R4)
    42. 

  42. 	LDP	48(R1), (R5, R6)
    43. 

  43. 	CSEL	EQ, R3, R5, R7
    44. 

  44. 	CSEL	EQ, R4, R6, R8
    45. 

  45. 	STP	(R7, R8), 48(R0)
    46. 

  46. 	CSEL	NE, R3, R5, R9
    47. 

  47. 	CSEL	NE, R4, R6, R10
    48. 

  48. 	STP	(R9, R10), 48(R1)
    49. 

  49. 

  50. 	RET
    51. 

  51. 

  52. TEXT ·fp503AddReduced(SB), NOSPLIT, $0-24
    53. 

  53. 	MOVD	z+0(FP), R2
    54. 

  54. 	MOVD	x+8(FP), R0
    55. 

  55. 	MOVD	y+16(FP), R1
    56. 

  56. 

  57. 	// Load first summand into R3-R10
    58. 

  58. 	// Add first summand and second summand and store result in R3-R10
    59. 

  59. 	LDP	0(R0), (R3, R4)
    60. 

  60. 	LDP	0(R1), (R11, R12)
    61. 

  61. 	LDP	16(R0), (R5, R6)
    62. 

  62. 	LDP	16(R1), (R13, R14)
    63. 

  63. 	ADDS	R11, R3
    64. 

  64. 	ADCS	R12, R4
    65. 

  65. 	ADCS	R13, R5
    66. 

  66. 	ADCS	R14, R6
    67. 

  67. 

  68. 	LDP	32(R0), (R7, R8)
    69. 

  69. 	LDP	32(R1), (R11, R12)
    70. 

  70. 	LDP	48(R0), (R9, R10)
    71. 

  71. 	LDP	48(R1), (R13, R14)
    72. 

  72. 	ADCS	R11, R7
    73. 

  73. 	ADCS	R12, R8
    74. 

  74. 	ADCS	R13, R9
    75. 

  75. 	ADC	R14, R10
    76. 

  76. 

  77. 	// Subtract 2 * p503 in R11-R17 from the result in R3-R10
    78. 

  78. 	LDP	·p503x2+0(SB), (R11, R12)
    79. 

  79. 	LDP	·p503x2+24(SB), (R13, R14)
    80. 

  80. 	SUBS	R11, R3
    81. 

  81. 	SBCS	R12, R4
    82. 

  82. 	LDP	·p503x2+40(SB), (R15, R16)
    83. 

  83. 	SBCS	R12, R5
    84. 

  84. 	SBCS	R13, R6
    85. 

  85. 	MOVD	·p503x2+56(SB), R17
    86. 

  86. 	SBCS	R14, R7
    87. 

  87. 	SBCS	R15, R8
    88. 

  88. 	SBCS	R16, R9
    89. 

  89. 	SBCS	R17, R10
    90. 

  90. 	SBC	ZR, ZR, R19
    91. 

  91. 

  92. 	// If x + y - 2 * p503 < 0, R19 is 1 and 2 * p503 should be added
    93. 

  93. 	AND	R19, R11
    94. 

  94. 	AND	R19, R12
    95. 

  95. 	AND	R19, R13
    96. 

  96. 	AND	R19, R14
    97. 

  97. 	AND	R19, R15
    98. 

  98. 	AND	R19, R16
    99. 

  99. 	AND	R19, R17
    100. 

  100. 

  101. 	ADDS	R11, R3
    102. 

  102. 	ADCS	R12, R4
    103. 

  103. 	STP	(R3, R4), 0(R2)
    104. 

  104. 	ADCS	R12, R5
    105. 

  105. 	ADCS	R13, R6
    106. 

  106. 	STP	(R5, R6), 16(R2)
    107. 

  107. 	ADCS	R14, R7
    108. 

  108. 	ADCS	R15, R8
    109. 

  109. 	STP	(R7, R8), 32(R2)
    110. 

  110. 	ADCS	R16, R9
    111. 

  111. 	ADC	R17, R10
    112. 

  112. 	STP	(R9, R10), 48(R2)
    113. 

  113. 

  114. 	RET
    115. 

  115. 

  116. TEXT ·fp503SubReduced(SB), NOSPLIT, $0-24
    117. 

  117. 	MOVD	z+0(FP), R2
    118. 

  118. 	MOVD	x+8(FP), R0
    119. 

  119. 	MOVD	y+16(FP), R1
    120. 

  120. 

  121. 	// Load x into R3-R10
    122. 

  122. 	// Subtract y from x and store result in R3-R10
    123. 

  123. 	LDP	0(R0), (R3, R4)
    124. 

  124. 	LDP	0(R1), (R11, R12)
    125. 

  125. 	LDP	16(R0), (R5, R6)
    126. 

  126. 	LDP	16(R1), (R13, R14)
    127. 

  127. 	SUBS	R11, R3
    128. 

  128. 	SBCS	R12, R4
    129. 

  129. 	SBCS	R13, R5
    130. 

  130. 	SBCS	R14, R6
    131. 

  131. 

  132. 	LDP	32(R0), (R7, R8)
    133. 

  133. 	LDP	32(R1), (R11, R12)
    134. 

  134. 	LDP	48(R0), (R9, R10)
    135. 

  135. 	LDP	48(R1), (R13, R14)
    136. 

  136. 	SBCS	R11, R7
    137. 

  137. 	SBCS	R12, R8
    138. 

  138. 	SBCS	R13, R9
    139. 

  139. 	SBCS	R14, R10
    140. 

  140. 	SBC	ZR, ZR, R19
    141. 

  141. 

  142. 	// If x - y < 0, R19 is 1 and 2 * p503 should be added
    143. 

  143. 	LDP	·p503x2+0(SB), (R11, R12)
    144. 

  144. 	LDP	·p503x2+24(SB), (R13, R14)
    145. 

  145. 	AND	R19, R11
    146. 

  146. 	AND	R19, R12
    147. 

  147. 	LDP	·p503x2+40(SB), (R15, R16)
    148. 

  148. 	AND	R19, R13
    149. 

  149. 	AND	R19, R14
    150. 

  150. 	MOVD	·p503x2+56(SB), R17
    151. 

  151. 	AND	R19, R15
    152. 

  152. 	AND	R19, R16
    153. 

  153. 	AND	R19, R17
    154. 

  154. 

  155. 	ADDS	R11, R3
    156. 

  156. 	ADCS	R12, R4
    157. 

  157. 	STP	(R3, R4), 0(R2)
    158. 

  158. 	ADCS	R12, R5
    159. 

  159. 	ADCS	R13, R6
    160. 

  160. 	STP	(R5, R6), 16(R2)
    161. 

  161. 	ADCS	R14, R7
    162. 

  162. 	ADCS	R15, R8
    163. 

  163. 	STP	(R7, R8), 32(R2)
    164. 

  164. 	ADCS	R16, R9
    165. 

  165. 	ADC	R17, R10
    166. 

  166. 	STP	(R9, R10), 48(R2)
    167. 

  167. 

  168. 	RET
    169. 

  169. 

  170. TEXT ·fp503AddLazy(SB), NOSPLIT, $0-24
    171. 

  171. 	MOVD	z+0(FP), R2
    172. 

  172. 	MOVD	x+8(FP), R0
    173. 

  173. 	MOVD	y+16(FP), R1
    174. 

  174. 

  175. 	// Load first summand into R3-R10
    176. 

  176. 	// Add first summand and second summand and store result in R3-R10
    177. 

  177. 	LDP	0(R0), (R3, R4)
    178. 

  178. 	LDP	0(R1), (R11, R12)
    179. 

  179. 	LDP	16(R0), (R5, R6)
    180. 

  180. 	LDP	16(R1), (R13, R14)
    181. 

  181. 	ADDS	R11, R3
    182. 

  182. 	ADCS	R12, R4
    183. 

  183. 	STP	(R3, R4), 0(R2)
    184. 

  184. 	ADCS	R13, R5
    185. 

  185. 	ADCS	R14, R6
    186. 

  186. 	STP	(R5, R6), 16(R2)
    187. 

  187. 

  188. 	LDP	32(R0), (R7, R8)
    189. 

  189. 	LDP	32(R1), (R11, R12)
    190. 

  190. 	LDP	48(R0), (R9, R10)
    191. 

  191. 	LDP	48(R1), (R13, R14)
    192. 

  192. 	ADCS	R11, R7
    193. 

  193. 	ADCS	R12, R8
    194. 

  194. 	STP	(R7, R8), 32(R2)
    195. 

  195. 	ADCS	R13, R9
    196. 

  196. 	ADC	R14, R10
    197. 

  197. 	STP	(R9, R10), 48(R2)
    198. 

  198. 

  199. 	RET
    200. 

  200. 

  201. TEXT ·fp503X2AddLazy(SB), NOSPLIT, $0-24
    202. 

  202. 	MOVD	z+0(FP), R2
    203. 

  203. 	MOVD	x+8(FP), R0
    204. 

  204. 	MOVD	y+16(FP), R1
    205. 

  205. 

  206. 	LDP	0(R0), (R3, R4)
    207. 

  207. 	LDP	0(R1), (R11, R12)
    208. 

  208. 	LDP	16(R0), (R5, R6)
    209. 

  209. 	LDP	16(R1), (R13, R14)
    210. 

  210. 	ADDS	R11, R3
    211. 

  211. 	ADCS	R12, R4
    212. 

  212. 	STP	(R3, R4), 0(R2)
    213. 

  213. 	ADCS	R13, R5
    214. 

  214. 	ADCS	R14, R6
    215. 

  215. 	STP	(R5, R6), 16(R2)
    216. 

  216. 

  217. 	LDP	32(R0), (R7, R8)
    218. 

  218. 	LDP	32(R1), (R11, R12)
    219. 

  219. 	LDP	48(R0), (R9, R10)
    220. 

  220. 	LDP	48(R1), (R13, R14)
    221. 

  221. 	ADCS	R11, R7
    222. 

  222. 	ADCS	R12, R8
    223. 

  223. 	STP	(R7, R8), 32(R2)
    224. 

  224. 	ADCS	R13, R9
    225. 

  225. 	ADCS	R14, R10
    226. 

  226. 	STP	(R9, R10), 48(R2)
    227. 

  227. 

  228. 	LDP	64(R0), (R3, R4)
    229. 

  229. 	LDP	64(R1), (R11, R12)
    230. 

  230. 	LDP	80(R0), (R5, R6)
    231. 

  231. 	LDP	80(R1), (R13, R14)
    232. 

  232. 	ADCS	R11, R3
    233. 

  233. 	ADCS	R12, R4
    234. 

  234. 	STP	(R3, R4), 64(R2)
    235. 

  235. 	ADCS	R13, R5
    236. 

  236. 	ADCS	R14, R6
    237. 

  237. 	STP	(R5, R6), 80(R2)
    238. 

  238. 

  239. 	LDP	96(R0), (R7, R8)
    240. 

  240. 	LDP	96(R1), (R11, R12)
    241. 

  241. 	LDP	112(R0), (R9, R10)
    242. 

  242. 	LDP	112(R1), (R13, R14)
    243. 

  243. 	ADCS	R11, R7
    244. 

  244. 	ADCS	R12, R8
    245. 

  245. 	STP	(R7, R8), 96(R2)
    246. 

  246. 	ADCS	R13, R9
    247. 

  247. 	ADC	R14, R10
    248. 

  248. 	STP	(R9, R10), 112(R2)
    249. 

  249. 

  250. 	RET
    251. 

  251. 

  252. TEXT ·fp503X2SubLazy(SB), NOSPLIT, $0-24
    253. 

  253. 	MOVD	z+0(FP), R2
    254. 

  254. 	MOVD	x+8(FP), R0
    255. 

  255. 	MOVD	y+16(FP), R1
    256. 

  256. 

  257. 	LDP	0(R0), (R3, R4)
    258. 

  258. 	LDP	0(R1), (R11, R12)
    259. 

  259. 	LDP	16(R0), (R5, R6)
    260. 

  260. 	LDP	16(R1), (R13, R14)
    261. 

  261. 	SUBS	R11, R3
    262. 

  262. 	SBCS	R12, R4
    263. 

  263. 	STP	(R3, R4), 0(R2)
    264. 

  264. 	SBCS	R13, R5
    265. 

  265. 	SBCS	R14, R6
    266. 

  266. 	STP	(R5, R6), 16(R2)
    267. 

  267. 

  268. 	LDP	32(R0), (R7, R8)
    269. 

  269. 	LDP	32(R1), (R11, R12)
    270. 

  270. 	LDP	48(R0), (R9, R10)
    271. 

  271. 	LDP	48(R1), (R13, R14)
    272. 

  272. 	SBCS	R11, R7
    273. 

  273. 	SBCS	R12, R8
    274. 

  274. 	STP	(R7, R8), 32(R2)
    275. 

  275. 	SBCS	R13, R9
    276. 

  276. 	SBCS	R14, R10
    277. 

  277. 	STP	(R9, R10), 48(R2)
    278. 

  278. 

  279. 	LDP	64(R0), (R3, R4)
    280. 

  280. 	LDP	64(R1), (R11, R12)
    281. 

  281. 	LDP	80(R0), (R5, R6)
    282. 

  282. 	LDP	80(R1), (R13, R14)
    283. 

  283. 	SBCS	R11, R3
    284. 

  284. 	SBCS	R12, R4
    285. 

  285. 	SBCS	R13, R5
    286. 

  286. 	SBCS	R14, R6
    287. 

  287. 

  288. 	LDP	96(R0), (R7, R8)
    289. 

  289. 	LDP	96(R1), (R11, R12)
    290. 

  290. 	LDP	112(R0), (R9, R10)
    291. 

  291. 	LDP	112(R1), (R13, R14)
    292. 

  292. 	SBCS	R11, R7
    293. 

  293. 	SBCS	R12, R8
    294. 

  294. 	SBCS	R13, R9
    295. 

  295. 	SBCS	R14, R10
    296. 

  296. 	SBC	ZR, ZR, R15
    297. 

  297. 

  298. 	// If x - y < 0, R15 is 1 and p503 should be added
    299. 

  299. 	LDP	·p503+16(SB), (R16, R17)
    300. 

  300. 	LDP	·p503+32(SB), (R19, R20)
    301. 

  301. 	AND	R15, R16
    302. 

  302. 	AND	R15, R17
    303. 

  303. 	LDP	·p503+48(SB), (R21, R22)
    304. 

  304. 	AND	R15, R19
    305. 

  305. 	AND	R15, R20
    306. 

  306. 	AND	R15, R21
    307. 

  307. 	AND	R15, R22
    308. 

  308. 

  309. 	ADDS	R16, R3
    310. 

  310. 	ADCS	R16, R4
    311. 

  311. 	STP	(R3, R4), 64(R2)
    312. 

  312. 	ADCS	R16, R5
    313. 

  313. 	ADCS	R17, R6
    314. 

  314. 	STP	(R5, R6), 80(R2)
    315. 

  315. 	ADCS	R19, R7
    316. 

  316. 	ADCS	R20, R8
    317. 

  317. 	STP	(R7, R8), 96(R2)
    318. 

  318. 	ADCS	R21, R9
    319. 

  319. 	ADC	R22, R10
    320. 

  320. 	STP	(R9, R10), 112(R2)
    321. 

  321. 

  322. 	RET
    323. 

  323. 

  324. // Expects that X0*Y0 is already in Z0(low),Z3(high) and X0*Y1 in Z1(low),Z2(high)
    325. 

  325. // Z0 is not actually touched
    326. 

  326. // Result of (X0-X1) * (Y0-Y1) will be in Z0-Z3
    327. 

  327. // Inputs get overwritten, except for X1
    328. 

  328. #define mul128x128comba(X0, X1, Y0, Y1, Z0, Z1, Z2, Z3, T0) \
    329. 

  329. 	MUL	X1, Y0, X0	\
    330. 

  330. 	UMULH	X1, Y0, Y0	\
    331. 

  331. 	ADDS	Z3, Z1		\
    332. 

  332. 	ADC	ZR, Z2		\
    333. 

  333. 				\
    334. 

  334. 	MUL	Y1, X1, T0	\
    335. 

  335. 	UMULH	Y1, X1, Y1	\
    336. 

  336. 	ADDS	X0, Z1		\
    337. 

  337. 	ADCS	Y0, Z2		\
    338. 

  338. 	ADC	ZR, ZR, Z3	\
    339. 

  339. 				\
    340. 

  340. 	ADDS	T0, Z2		\
    341. 

  341. 	ADC	Y1, Z3
    342. 

  342. 

  343. // Expects that X points to (X0-X1)
    344. 

  344. // Result of (X0-X3) * (Y0-Y3) will be in Z0-Z7
    345. 

  345. // Inputs get overwritten, except X2-X3 and Y2-Y3
    346. 

  346. #define mul256x256karatsuba(X, X0, X1, X2, X3, Y0, Y1, Y2, Y3, Z0, Z1, Z2, Z3, Z4, Z5, Z6, Z7, T0, T1)\
    347. 

  347. 	ADDS	X2, X0		\	// xH + xL, destroys xL
    348. 

  348. 	ADCS	X3, X1		\
    349. 

  349. 	ADCS	ZR, ZR, T0	\
    350. 

  350. 				\
    351. 

  351. 	ADDS	Y2, Y0, Z6	\	// yH + yL
    352. 

  352. 	ADCS	Y3, Y1, T1	\
    353. 

  353. 	ADC	ZR, ZR, Z7	\
    354. 

  354. 				\
    355. 

  355. 	SUB	T0, ZR, Z2	\
    356. 

  356. 	SUB	Z7, ZR, Z3	\
    357. 

  357. 	AND	Z7, T0		\	// combined carry
    358. 

  358. 				\
    359. 

  359. 	AND	Z2, Z6, Z0	\	// masked(yH + yL)
    360. 

  360. 	AND	Z2, T1, Z1	\
    361. 

  361. 				\
    362. 

  362. 	AND	Z3, X0, Z4	\	// masked(xH + xL)
    363. 

  363. 	AND	Z3, X1, Z5	\
    364. 

  364. 				\
    365. 

  365. 	MUL	Z6, X0, Z2	\
    366. 

  366. 	MUL	T1, X0, Z3	\
    367. 

  367. 				\
    368. 

  368. 	ADDS	Z4, Z0		\
    369. 

  369. 	UMULH	T1, X0, Z4	\
    370. 

  370. 	ADCS	Z5, Z1		\
    371. 

  371. 	UMULH	Z6, X0, Z5	\
    372. 

  372. 	ADC	ZR, T0		\
    373. 

  373. 				\	// (xH + xL) * (yH + yL)
    374. 

  374. 	mul128x128comba(X0, X1, Z6, T1, Z2, Z3, Z4, Z5, Z7)\
    375. 

  375. 				\
    376. 

  376. 	LDP 0+X, (X0, X1)	\
    377. 

  377. 				\
    378. 

  378. 	ADDS	Z0, Z4		\
    379. 

  379. 	UMULH	Y0, X0, Z7	\
    380. 

  380. 	UMULH	Y1, X0, T1	\
    381. 

  381. 	ADCS	Z1, Z5		\
    382. 

  382. 	MUL	Y0, X0, Z0	\
    383. 

  383. 	MUL	Y1, X0, Z1	\
    384. 

  384. 	ADC	ZR, T0		\
    385. 

  385. 				\	// xL * yL
    386. 

  386. 	mul128x128comba(X0, X1, Y0, Y1, Z0, Z1, T1, Z7, Z6)\
    387. 

  387. 				\
    388. 

  388. 	MUL	Y2, X2, X0	\
    389. 

  389. 	UMULH	Y2, X2, Y0	\
    390. 

  390. 	SUBS	Z0, Z2		\	// (xH + xL) * (yH + yL) - xL * yL
    391. 

  391. 	SBCS	Z1, Z3		\
    392. 

  392. 	SBCS	T1, Z4		\
    393. 

  393. 	MUL	Y3, X2, X1	\
    394. 

  394. 	UMULH	Y3, X2, Z6	\
    395. 

  395. 	SBCS	Z7, Z5		\
    396. 

  396. 	SBCS	ZR, T0		\
    397. 

  397. 				\	// xH * yH
    398. 

  398. 	mul128x128comba(X2, X3, Y2, Y3, X0, X1, Z6, Y0, Y1)\
    399. 

  399. 				\
    400. 

  400. 	SUBS	X0, Z2		\	// (xH + xL) * (yH + yL) - xL * yL - xH * yH
    401. 

  401. 	SBCS	X1, Z3		\
    402. 

  402. 	SBCS	Z6, Z4		\
    403. 

  403. 	SBCS	Y0, Z5		\
    404. 

  404. 	SBCS	ZR, T0		\
    405. 

  405. 				\
    406. 

  406. 	ADDS	T1, Z2		\	// (xH * yH) * 2^256 + ((xH + xL) * (yH + yL) - xL * yL - xH * yH) * 2^128 + xL * yL
    407. 

  407. 	ADCS	Z7, Z3		\
    408. 

  408. 	ADCS	X0, Z4		\
    409. 

  409. 	ADCS	X1, Z5		\
    410. 

  410. 	ADCS	T0, Z6		\
    411. 

  411. 	ADC	Y0, ZR, Z7
    412. 

  412. 

  413. 

  414. // This implements two-level Karatsuba with a 128x128 Comba multiplier
    415. 

  415. // at the bottom
    416. 

  416. TEXT ·fp503Mul(SB), NOSPLIT, $0-24
    417. 

  417. 	MOVD	z+0(FP), R2
    418. 

  418. 	MOVD	x+8(FP), R0
    419. 

  419. 	MOVD	y+16(FP), R1
    420. 

  420. 

  421. 	// Load xL in R3-R6, xH in R7-R10
    422. 

  422. 	// (xH + xL) in R25-R29
    423. 

  423. 	LDP	0(R0), (R3, R4)
    424. 

  424. 	LDP	32(R0), (R7, R8)
    425. 

  425. 	ADDS	R3, R7, R25
    426. 

  426. 	ADCS	R4, R8, R26
    427. 

  427. 	LDP	16(R0), (R5, R6)
    428. 

  428. 	LDP	48(R0), (R9, R10)
    429. 

  429. 	ADCS	R5, R9, R27
    430. 

  430. 	ADCS	R6, R10, R29
    431. 

  431. 	ADC	ZR, ZR, R7
    432. 

  432. 

  433. 	// Load yL in R11-R14, yH in R15-19
    434. 

  434. 	// (yH + yL) in R11-R14, destroys yL
    435. 

  435. 	LDP	0(R1), (R11, R12)
    436. 

  436. 	LDP	32(R1), (R15, R16)
    437. 

  437. 	ADDS	R15, R11
    438. 

  438. 	ADCS	R16, R12
    439. 

  439. 	LDP	16(R1), (R13, R14)
    440. 

  440. 	LDP	48(R1), (R17, R19)
    441. 

  441. 	ADCS	R17, R13
    442. 

  442. 	ADCS	R19, R14
    443. 

  443. 	ADC	ZR, ZR, R8
    444. 

  444. 

  445. 	// Compute maskes and combined carry
    446. 

  446. 	SUB	R7, ZR, R9
    447. 

  447. 	SUB	R8, ZR, R10
    448. 

  448. 	AND	R8, R7
    449. 

  449. 

  450. 	// masked(yH + yL)
    451. 

  451. 	AND	R9, R11, R15
    452. 

  452. 	AND	R9, R12, R16
    453. 

  453. 	AND	R9, R13, R17
    454. 

  454. 	AND	R9, R14, R19
    455. 

  455. 

  456. 	// masked(xH + xL)
    457. 

  457. 	AND	R10, R25, R20
    458. 

  458. 	AND	R10, R26, R21
    459. 

  459. 	AND	R10, R27, R22
    460. 

  460. 	AND	R10, R29, R23
    461. 

  461. 

  462. 	// masked(xH + xL) + masked(yH + yL) in R15-R19
    463. 

  463. 	ADDS	R20, R15
    464. 

  464. 	ADCS	R21, R16
    465. 

  465. 	ADCS	R22, R17
    466. 

  466. 	ADCS	R23, R19
    467. 

  467. 	ADC	ZR, R7
    468. 

  468. 

  469. 	// Use z as temporary storage
    470. 

  470. 	STP	(R25, R26), 0(R2)
    471. 

  471. 

  472. 	// (xH + xL) * (yH + yL)
    473. 

  473. 	mul256x256karatsuba(0(R2), R25, R26, R27, R29, R11, R12, R13, R14, R8, R9, R10, R20, R21, R22, R23, R24, R0, R1)
    474. 

  474. 

  475. 	MOVD	x+8(FP), R0
    476. 

  476. 	MOVD	y+16(FP), R1
    477. 

  477. 

  478. 	ADDS	R21, R15
    479. 

  479. 	ADCS	R22, R16
    480. 

  480. 	ADCS	R23, R17
    481. 

  481. 	ADCS	R24, R19
    482. 

  482. 	ADC	ZR, R7
    483. 

  483. 

  484. 	// Load yL in R11-R14
    485. 

  485. 	LDP	0(R1), (R11, R12)
    486. 

  486. 	LDP	16(R1), (R13, R14)
    487. 

  487. 

  488. 	// xL * yL
    489. 

  489. 	mul256x256karatsuba(0(R0), R3, R4, R5, R6, R11, R12, R13, R14, R21, R22, R23, R24, R25, R26, R27, R29, R1, R2)
    490. 

  490. 

  491. 	MOVD	z+0(FP), R2
    492. 

  492. 	MOVD	y+16(FP), R1
    493. 

  493. 

  494. 	// (xH + xL) * (yH + yL) - xL * yL
    495. 

  495. 	SUBS	R21, R8
    496. 

  496. 	SBCS	R22, R9
    497. 

  497. 	STP	(R21, R22), 0(R2)
    498. 

  498. 	SBCS	R23, R10
    499. 

  499. 	SBCS	R24, R20
    500. 

  500. 	STP	(R23, R24), 16(R2)
    501. 

  501. 	SBCS	R25, R15
    502. 

  502. 	SBCS	R26, R16
    503. 

  503. 	SBCS	R27, R17
    504. 

  504. 	SBCS	R29, R19
    505. 

  505. 	SBC	ZR, R7
    506. 

  506. 

  507. 	// Load xH in R3-R6, yH in R11-R14
    508. 

  508. 	LDP	32(R0), (R3, R4)
    509. 

  509. 	LDP	48(R0), (R5, R6)
    510. 

  510. 	LDP	32(R1), (R11, R12)
    511. 

  511. 	LDP	48(R1), (R13, R14)
    512. 

  512. 

  513. 	ADDS	R25, R8
    514. 

  514. 	ADCS	R26, R9
    515. 

  515. 	ADCS	R27, R10
    516. 

  516. 	ADCS	R29, R20
    517. 

  517. 	ADC	ZR, ZR, R1
    518. 

  518. 

  519. 	MOVD	R20, 32(R2)
    520. 

  520. 

  521. 	// xH * yH
    522. 

  522. 	mul256x256karatsuba(32(R0), R3, R4, R5, R6, R11, R12, R13, R14, R21, R22, R23, R24, R25, R26, R27, R29, R2, R20)
    523. 

  523. 	NEG	R1, R1
    524. 

  524. 

  525. 	MOVD	z+0(FP), R2
    526. 

  526. 	MOVD	32(R2), R20
    527. 

  527. 

  528. 	// (xH + xL) * (yH + yL) - xL * yL - xH * yH in R8-R10,R20,R15-R19
    529. 

  529. 	// Store lower half in z, that's done
    530. 

  530. 	SUBS	R21, R8
    531. 

  531. 	SBCS	R22, R9
    532. 

  532. 	STP	(R8, R9), 32(R2)
    533. 

  533. 	SBCS	R23, R10
    534. 

  534. 	SBCS	R24, R20
    535. 

  535. 	STP	(R10, R20), 48(R2)
    536. 

  536. 	SBCS	R25, R15
    537. 

  537. 	SBCS	R26, R16
    538. 

  538. 	SBCS	R27, R17
    539. 

  539. 	SBCS	R29, R19
    540. 

  540. 	SBC	ZR, R7
    541. 

  541. 

  542. 	// (xH * yH) * 2^512 + ((xH + xL) * (yH + yL) - xL * yL - xH * yH) * 2^256 + xL * yL
    543. 

  543. 	// Store remaining limbs in z
    544. 

  544. 	ADDS	$1, R1
    545. 

  545. 	ADCS	R21, R15
    546. 

  546. 	ADCS	R22, R16
    547. 

  547. 	STP	(R15, R16), 64(R2)
    548. 

  548. 	ADCS	R23, R17
    549. 

  549. 	ADCS	R24, R19
    550. 

  550. 	STP	(R17, R19), 80(R2)
    551. 

  551. 	ADCS	R7, R25
    552. 

  552. 	ADCS	ZR, R26
    553. 

  553. 	STP	(R25, R26), 96(R2)
    554. 

  554. 	ADCS	ZR, R27
    555. 

  555. 	ADC	ZR, R29
    556. 

  556. 	STP	(R27, R29), 112(R2)
    557. 

  557. 

  558. 	RET
    559. 

  559. 

  560. // Expects that X0*Y0 is already in Z0(low),Z3(high) and X0*Y1 in Z1(low),Z2(high)
    561. 

  561. // Z0 is not actually touched
    562. 

  562. // Result of (X0-X1) * (Y0-Y3) will be in Z0-Z5
    563. 

  563. // Inputs remain intact
    564. 

  564. #define mul128x256comba(X0, X1, Y0, Y1, Y2, Y3, Z0, Z1, Z2, Z3, Z4, Z5, T0, T1, T2, T3)\
    565. 

  565. 	MUL	X1, Y0, T0	\
    566. 

  566. 	UMULH	X1, Y0, T1	\
    567. 

  567. 	ADDS	Z3, Z1		\
    568. 

  568. 	ADC	ZR, Z2		\
    569. 

  569. 				\
    570. 

  570. 	MUL	X0, Y2, T2	\
    571. 

  571. 	UMULH	X0, Y2, T3	\
    572. 

  572. 	ADDS	T0, Z1		\
    573. 

  573. 	ADCS	T1, Z2		\
    574. 

  574. 	ADC	ZR, ZR, Z3	\
    575. 

  575. 				\
    576. 

  576. 	MUL	X1, Y1, T0	\
    577. 

  577. 	UMULH	X1, Y1, T1	\
    578. 

  578. 	ADDS	T2, Z2		\
    579. 

  579. 	ADCS	T3, Z3		\
    580. 

  580. 	ADC	ZR, ZR, Z4	\
    581. 

  581. 				\
    582. 

  582. 	MUL	X0, Y3, T2	\
    583. 

  583. 	UMULH	X0, Y3, T3	\
    584. 

  584. 	ADDS	T0, Z2		\
    585. 

  585. 	ADCS	T1, Z3		\
    586. 

  586. 	ADC	ZR, Z4		\
    587. 

  587. 				\
    588. 

  588. 	MUL	X1, Y2, T0	\
    589. 

  589. 	UMULH	X1, Y2, T1	\
    590. 

  590. 	ADDS	T2, Z3		\
    591. 

  591. 	ADCS	T3, Z4		\
    592. 

  592. 	ADC	ZR, ZR, Z5	\
    593. 

  593. 				\
    594. 

  594. 	MUL	X1, Y3, T2	\
    595. 

  595. 	UMULH	X1, Y3, T3	\
    596. 

  596. 	ADDS	T0, Z3		\
    597. 

  597. 	ADCS	T1, Z4		\
    598. 

  598. 	ADC	ZR, Z5		\
    599. 

  599. 	ADDS	T2, Z4		\
    600. 

  600. 	ADC	T3, Z5
    601. 

  601. 

  602. // This implements the shifted 2^(B*w) Montgomery reduction from
    603. 

  603. // https://eprint.iacr.org/2016/986.pdf, section Section 3.2, with
    604. 

  604. // B = 4, w = 64. Performance results were reported in
    605. 

  605. // https://eprint.iacr.org/2018/700.pdf Section 6.
    606. 

  606. TEXT ·fp503MontgomeryReduce(SB), NOSPLIT, $0-16
    607. 

  607. 	MOVD	x+8(FP), R0
    608. 

  608. 

  609. 	// Load x0-x1
    610. 

  610. 	LDP	0(R0), (R2, R3)
    611. 

  611. 

  612. 	// Load the prime constant in R25-R29
    613. 

  613. 	LDP	·p503p1s8+32(SB), (R25, R26)
    614. 

  614. 	LDP	·p503p1s8+48(SB), (R27, R29)
    615. 

  615. 

  616. 	// [x0,x1] * p503p1s8 to R4-R9
    617. 

  617. 	MUL	R2, R25, R4		// x0 * p503p1s8[0]
    618. 

  618. 	UMULH	R2, R25, R7
    619. 

  619. 	MUL	R2, R26, R5		// x0 * p503p1s8[1]
    620. 

  620. 	UMULH	R2, R26, R6
    621. 

  621. 

  622. 	mul128x256comba(R2, R3, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R11, R12, R13)
    623. 

  623. 

  624. 	LDP	16(R0), (R3, R11)	// x2
    625. 

  625. 	LDP	32(R0), (R12, R13)
    626. 

  626. 	LDP	48(R0), (R14, R15)
    627. 

  627. 

  628. 	// Left-shift result in R4-R9 by 56 to R4-R10
    629. 

  629. 	ORR	R9>>8, ZR, R10
    630. 

  630. 	LSL	$56, R9
    631. 

  631. 	ORR	R8>>8, R9
    632. 

  632. 	LSL	$56, R8
    633. 

  633. 	ORR	R7>>8, R8
    634. 

  634. 	LSL	$56, R7
    635. 

  635. 	ORR	R6>>8, R7
    636. 

  636. 	LSL	$56, R6
    637. 

  637. 	ORR	R5>>8, R6
    638. 

  638. 	LSL	$56, R5
    639. 

  639. 	ORR	R4>>8, R5
    640. 

  640. 	LSL	$56, R4
    641. 

  641. 

  642. 	ADDS	R4, R11			// x3
    643. 

  643. 	ADCS	R5, R12			// x4
    644. 

  644. 	ADCS	R6, R13
    645. 

  645. 	ADCS	R7, R14
    646. 

  646. 	ADCS	R8, R15
    647. 

  647. 	LDP	64(R0), (R16, R17)
    648. 

  648. 	LDP	80(R0), (R19, R20)
    649. 

  649. 	MUL	R3, R25, R4		// x2 * p503p1s8[0]
    650. 

  650. 	UMULH	R3, R25, R7
    651. 

  651. 	ADCS	R9, R16
    652. 

  652. 	ADCS	R10, R17
    653. 

  653. 	ADCS	ZR, R19
    654. 

  654. 	ADCS	ZR, R20
    655. 

  655. 	LDP	96(R0), (R21, R22)
    656. 

  656. 	LDP	112(R0), (R23, R24)
    657. 

  657. 	MUL	R3, R26, R5		// x2 * p503p1s8[1]
    658. 

  658. 	UMULH	R3, R26, R6
    659. 

  659. 	ADCS	ZR, R21
    660. 

  660. 	ADCS	ZR, R22
    661. 

  661. 	ADCS	ZR, R23
    662. 

  662. 	ADC	ZR, R24
    663. 

  663. 

  664. 	// [x2,x3] * p503p1s8 to R4-R9
    665. 

  665. 	mul128x256comba(R3, R11, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2)
    666. 

  666. 

  667. 	ORR	R9>>8, ZR, R10
    668. 

  668. 	LSL	$56, R9
    669. 

  669. 	ORR	R8>>8, R9
    670. 

  670. 	LSL	$56, R8
    671. 

  671. 	ORR	R7>>8, R8
    672. 

  672. 	LSL	$56, R7
    673. 

  673. 	ORR	R6>>8, R7
    674. 

  674. 	LSL	$56, R6
    675. 

  675. 	ORR	R5>>8, R6
    676. 

  676. 	LSL	$56, R5
    677. 

  677. 	ORR	R4>>8, R5
    678. 

  678. 	LSL	$56, R4
    679. 

  679. 

  680. 	ADDS	R4, R13			// x5
    681. 

  681. 	ADCS	R5, R14			// x6
    682. 

  682. 	ADCS	R6, R15
    683. 

  683. 	ADCS	R7, R16
    684. 

  684. 	MUL	R12, R25, R4		// x4 * p503p1s8[0]
    685. 

  685. 	UMULH	R12, R25, R7
    686. 

  686. 	ADCS	R8, R17
    687. 

  687. 	ADCS	R9, R19
    688. 

  688. 	ADCS	R10, R20
    689. 

  689. 	ADCS	ZR, R21
    690. 

  690. 	MUL	R12, R26, R5		// x4 * p503p1s8[1]
    691. 

  691. 	UMULH	R12, R26, R6
    692. 

  692. 	ADCS	ZR, R22
    693. 

  693. 	ADCS	ZR, R23
    694. 

  694. 	ADC	ZR, R24
    695. 

  695. 

  696. 	// [x4,x5] * p503p1s8 to R4-R9
    697. 

  697. 	mul128x256comba(R12, R13, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2)
    698. 

  698. 

  699. 	ORR	R9>>8, ZR, R10
    700. 

  700. 	LSL	$56, R9
    701. 

  701. 	ORR	R8>>8, R9
    702. 

  702. 	LSL	$56, R8
    703. 

  703. 	ORR	R7>>8, R8
    704. 

  704. 	LSL	$56, R7
    705. 

  705. 	ORR	R6>>8, R7
    706. 

  706. 	LSL	$56, R6
    707. 

  707. 	ORR	R5>>8, R6
    708. 

  708. 	LSL	$56, R5
    709. 

  709. 	ORR	R4>>8, R5
    710. 

  710. 	LSL	$56, R4
    711. 

  711. 

  712. 	ADDS	R4, R15			// x7
    713. 

  713. 	ADCS	R5, R16			// x8
    714. 

  714. 	ADCS	R6, R17
    715. 

  715. 	ADCS	R7, R19
    716. 

  716. 	MUL	R14, R25, R4		// x6 * p503p1s8[0]
    717. 

  717. 	UMULH	R14, R25, R7
    718. 

  718. 	ADCS	R8, R20
    719. 

  719. 	ADCS	R9, R21
    720. 

  720. 	ADCS	R10, R22
    721. 

  721. 	MUL	R14, R26, R5		// x6 * p503p1s8[1]
    722. 

  722. 	UMULH	R14, R26, R6
    723. 

  723. 	ADCS	ZR, R23
    724. 

  724. 	ADC	ZR, R24
    725. 

  725. 

  726. 	// [x6,x7] * p503p1s8 to R4-R9
    727. 

  727. 	mul128x256comba(R14, R15, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2)
    728. 

  728. 

  729. 	ORR	R9>>8, ZR, R10
    730. 

  730. 	LSL	$56, R9
    731. 

  731. 	ORR	R8>>8, R9
    732. 

  732. 	LSL	$56, R8
    733. 

  733. 	ORR	R7>>8, R8
    734. 

  734. 	LSL	$56, R7
    735. 

  735. 	ORR	R6>>8, R7
    736. 

  736. 	LSL	$56, R6
    737. 

  737. 	ORR	R5>>8, R6
    738. 

  738. 	LSL	$56, R5
    739. 

  739. 	ORR	R4>>8, R5
    740. 

  740. 	LSL	$56, R4
    741. 

  741. 

  742. 	MOVD	z+0(FP), R0
    743. 

  743. 	ADDS	R4, R17
    744. 

  744. 	ADCS	R5, R19
    745. 

  745. 	STP	(R16, R17),  0(R0)	// Store final result to z
    746. 

  746. 	ADCS	R6, R20
    747. 

  747. 	ADCS	R7, R21
    748. 

  748. 	STP	(R19, R20), 16(R0)
    749. 

  749. 	ADCS	R8, R22
    750. 

  750. 	ADCS	R9, R23
    751. 

  751. 	STP	(R21, R22), 32(R0)
    752. 

  752. 	ADC	R10, R24
    753. 

  753. 	STP	(R23, R24), 48(R0)
    754. 

  754. 

  755. 	RET
    756. 

  756. 

  757. TEXT ·fp503StrongReduce(SB), NOSPLIT, $0-8
    758. 

  758. 	MOVD	x+0(FP), R0
    759. 

  759. 

  760. 	// Keep x in R1-R8, p503 in R9-R14, subtract to R1-R8
    761. 

  761. 	LDP	·p503+16(SB), (R9, R10)
    762. 

  762. 	LDP	0(R0), (R1, R2)
    763. 

  763. 	LDP	16(R0), (R3, R4)
    764. 

  764. 	SUBS	R9, R1
    765. 

  765. 	SBCS	R9, R2
    766. 

  766. 

  767. 	LDP	32(R0), (R5, R6)
    768. 

  768. 	LDP	·p503+32(SB), (R11, R12)
    769. 

  769. 	SBCS	R9, R3
    770. 

  770. 	SBCS	R10, R4
    771. 

  771. 

  772. 	LDP	48(R0), (R7, R8)
    773. 

  773. 	LDP	·p503+48(SB), (R13, R14)
    774. 

  774. 	SBCS	R11, R5
    775. 

  775. 	SBCS	R12, R6
    776. 

  776. 

  777. 	SBCS	R13, R7
    778. 

  778. 	SBCS	R14, R8
    779. 

  779. 	SBC	ZR, ZR, R15
    780. 

  780. 

  781. 	// Mask with the borrow and add p503
    782. 

  782. 	AND	R15, R9
    783. 

  783. 	AND	R15, R10
    784. 

  784. 	AND	R15, R11
    785. 

  785. 	AND	R15, R12
    786. 

  786. 	AND	R15, R13
    787. 

  787. 	AND	R15, R14
    788. 

  788. 

  789. 	ADDS	R9, R1
    790. 

  790. 	ADCS	R9, R2
    791. 

  791. 	STP	(R1, R2), 0(R0)
    792. 

  792. 	ADCS	R9, R3
    793. 

  793. 	ADCS	R10, R4
    794. 

  794. 	STP	(R3, R4), 16(R0)
    795. 

  795. 	ADCS	R11, R5
    796. 

  796. 	ADCS	R12, R6
    797. 

  797. 	STP	(R5, R6), 32(R0)
    798. 

  798. 	ADCS	R13, R7
    799. 

  799. 	ADCS	R14, R8
    800. 

  800. 	STP	(R7, R8), 48(R0)
    801. 

  801. 

  802. 	RET
    803.