jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
304 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 38455f34f2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '38455f34f2'
${ noResults }
ed448goldilocks/src/p521/arch_x86_64_r12/f_impl.c

392 lines
10 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "f_field.h"

  6. 

  7. typedef struct {

  8.   uint64x3_t lo, hi, hier;

  9. } nonad_t;

  10. 

  11. static inline __uint128_t widemulu(uint64_t a, uint64_t b) {

  12.     return ((__uint128_t)(a)) * b;

  13. }

  14. 

  15. static inline __int128_t widemuls(int64_t a, int64_t b) {

  16.     return ((__int128_t)(a)) * b;

  17. }

  18.  

  19. /* This is a trick to prevent terrible register allocation by hiding things from clang's optimizer */

  20. static inline uint64_t opacify(uint64_t x) {

  21.     __asm__ volatile("" : "+r"(x));

  22.     return x;

  23. }

  24. 

  25. /* These used to be hexads, leading to 10% better performance, but there were overflow issues */

  26. static inline void nonad_mul (

  27.   nonad_t *hex,

  28.   const uint64_t *a,

  29.   const uint64_t *b

  30. ) {

  31.     __uint128_t xu, xv, xw;

  32. 

  33.     uint64_t tmp = opacify(a[2]);

  34.     xw = widemulu(tmp, b[0]);

  35.     tmp <<= 1;

  36.     xu = widemulu(tmp, b[1]);

  37.     xv = widemulu(tmp, b[2]);

  38. 

  39.     tmp = opacify(a[1]);

  40.     xw += widemulu(tmp, b[1]);

  41.     xv += widemulu(tmp, b[0]);

  42.     tmp <<= 1;

  43.     xu += widemulu(tmp, b[2]);

  44. 

  45.     tmp = opacify(a[0]);

  46.     xu += widemulu(tmp, b[0]);

  47.     xv += widemulu(tmp, b[1]);

  48.     xw += widemulu(tmp, b[2]);

  49. 

  50.     uint64x3_t

  51.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  52.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  53. 

  54.     hex->hier = hi>>52;

  55.     hex->hi = (hi<<12)>>6 | lo>>58;

  56.     hex->lo = lo & mask58;

  57. }

  58. 

  59. static inline void hexad_mul_signed (

  60.   nonad_t *hex,

  61.   const int64_t *a,

  62.   const int64_t *b

  63. ) {

  64.     __int128_t xu, xv, xw;

  65. 

  66.     int64_t tmp = opacify(a[2]);

  67.     xw = widemuls(tmp, b[0]);

  68.     tmp <<= 1;

  69.     xu = widemuls(tmp, b[1]);

  70.     xv = widemuls(tmp, b[2]);

  71. 

  72.     tmp = opacify(a[1]);

  73.     xw += widemuls(tmp, b[1]);

  74.     xv += widemuls(tmp, b[0]);

  75.     tmp <<= 1;

  76.     xu += widemuls(tmp, b[2]);

  77. 

  78.     tmp = opacify(a[0]);

  79.     xu += widemuls(tmp, b[0]);

  80.     xv += widemuls(tmp, b[1]);

  81.     xw += widemuls(tmp, b[2]);

  82. 

  83.     uint64x3_t

  84.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  85.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  86. 

  87.     /*

  88.     hex->hier = (uint64x4_t)((int64x4_t)hi>>52);

  89.     hex->hi = (hi<<12)>>6 | lo>>58;

  90.     hex->lo = lo & mask58;

  91.     */

  92.     

  93.     hex->hi = hi<<6 | lo>>58;

  94.     hex->lo = lo & mask58;

  95. }

  96. 

  97. static inline void nonad_sqr (

  98.   nonad_t *hex,

  99.   const uint64_t *a

  100. ) {

  101.     __uint128_t xu, xv, xw;

  102. 

  103.     int64_t tmp = a[2];

  104.     tmp <<= 1;

  105.     xw = widemulu(tmp, a[0]);

  106.     xv = widemulu(tmp, a[2]);

  107.     tmp <<= 1;

  108.     xu = widemulu(tmp, a[1]);

  109. 

  110.     tmp = a[1];

  111.     xw += widemulu(tmp, a[1]);

  112.     tmp <<= 1;

  113.     xv += widemulu(tmp, a[0]);

  114. 

  115.     tmp = a[0];

  116.     xu += widemulu(tmp, a[0]);

  117. 

  118.     uint64x3_t

  119.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  120.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  121. 

  122.     hex->hier = hi>>52;

  123.     hex->hi = (hi<<12)>>6 | lo>>58;

  124.     hex->lo = lo & mask58;

  125. }

  126. 

  127. static inline void hexad_sqr_signed (

  128.   nonad_t *hex,

  129.   const int64_t *a

  130. ) {

  131.     __uint128_t xu, xv, xw;

  132. 

  133.     int64_t tmp = a[2];

  134.     tmp <<= 1;

  135.     xw = widemuls(tmp, a[0]);

  136.     xv = widemuls(tmp, a[2]);

  137.     tmp <<= 1;

  138.     xu = widemuls(tmp, a[1]);

  139. 

  140.     tmp = a[1];

  141.     xw += widemuls(tmp, a[1]);

  142.     tmp <<= 1;

  143.     xv += widemuls(tmp, a[0]);

  144. 

  145.     tmp = a[0];

  146.     xu += widemuls(tmp, a[0]);

  147. 

  148.     uint64x3_t

  149.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  150.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  151. 

  152. 

  153.     /*

  154.     hex->hier = (uint64x4_t)((int64x4_t)hi>>52);

  155.     hex->hi = (hi<<12)>>6 | lo>>58;

  156.     hex->lo = lo & mask58;

  157.     */

  158.     

  159.     hex->hi = hi<<6 | lo>>58;

  160.     hex->lo = lo & mask58;

  161. }

  162. 

  163. 

  164. 

  165. void gf_mul (gf *__restrict__ cs, const gf *as, const gf *bs) {

  166.     int i;

  167.     

  168. #if 0

  169.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  170.     assert(bs->limb[3] == 0 && bs->limb[7] == 0 && bs->limb[11] == 0);

  171.     for (i=0; i<12; i++) {

  172.         assert(as->limb[i] < 5ull<<57);

  173.         assert(bs->limb[i] < 5ull<<57);

  174.     }

  175. #endif

  176.     

  177.     /* Bounds on the hexads and nonads.

  178.      *

  179.      * Limbs < 2<<58 + ep.

  180.      * Nonad mul < 1<<58, 1<<58, tiny

  181.      * -> t0 < (3,2,2)<<58 + tiny

  182.      * t1,t2 < 2<<58 + tiny

  183.      *   * w < (4,2,2)

  184.      * Hexad mul < +- (5,4,3) * 4<<116 -> 2^58 lo, +- (5,4,3) * 4<<58+ep

  185.      * TimesW < (2,1,1)<<58, (6,5,4)*4<<58 + ep

  186.     

  187.      * ot2 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  188.          == (3,2,2) + (4,2,2) + (4,2,2) +- (6,5,4)*4 - (1) << 58

  189.          in (-25, +35) << 58

  190. 

  191.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  192.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  193.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  194.      

  195.      */

  196.     

  197.     

  198.     uint64_t *c = cs->limb;

  199.     const uint64_t *a = as->limb, *b = bs->limb;

  200. 

  201.     nonad_t ad, be, cf, abde, bcef, acdf;

  202.     nonad_mul(&ad, &a[0], &b[0]);

  203.     nonad_mul(&be, &a[4], &b[4]);

  204.     nonad_mul(&cf, &a[8], &b[8]);

  205. 

  206.     uint64_t amt = 26;

  207.     uint64x3_t vhi = { amt*((1ull<<58)-1), amt*((1ull<<58)-1), amt*((1ull<<58)-1), 0 },

  208.     vhi2 = { 0, 0, -amt<<57, 0 };

  209. 

  210.     uint64x3_t t2 = cf.lo + be.hi + ad.hier, t0 = ad.lo + timesW(cf.hi + be.hier) + vhi, t1 = ad.hi + be.lo + timesW(cf.hier);

  211. 

  212.     int64_t ta[4] VECTOR_ALIGNED, tb[4] VECTOR_ALIGNED;

  213.     // it seems to be faster not to vectorize these loops

  214.     for (i=0; i<3; i++) {

  215.         ta[i] = a[i]-a[i+4];

  216.         tb[i] = b[i]-b[i+4];

  217.     }

  218.     hexad_mul_signed(&abde,ta,tb);

  219. 

  220.     for (i=0; i<3; i++) {

  221.         ta[i] = a[i+4]-a[i+8];

  222.         tb[i] = b[i+4]-b[i+8];

  223.     }

  224.     hexad_mul_signed(&bcef,ta,tb);

  225. 

  226.     for (i=0; i<3; i++) {

  227.         ta[i] = a[i]-a[i+8];

  228.         tb[i] = b[i]-b[i+8];

  229.     }

  230.     hexad_mul_signed(&acdf,ta,tb);

  231. 

  232.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  233.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  234.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  235. 

  236.     uint64x3_t out0 = (ot0 & mask58) + timesW(ot2>>58);

  237.     uint64x3_t out1 = (ot1 & mask58) + (ot0>>58);

  238.     uint64x3_t out2 = (ot2 & mask58) + (ot1>>58);

  239. 

  240.     *(uint64x4_t *)&c[0] = out0;

  241.     *(uint64x4_t *)&c[4] = out1;

  242.     *(uint64x4_t *)&c[8] = out2;

  243. }

  244. 

  245. 

  246. void gf_sqr (gf *__restrict__ cs, const gf *as) {

  247.     int i;

  248. #if 0

  249.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  250.     for (i=0; i<12; i++) {

  251.         assert(as->limb[i] < 5ull<<57);

  252.     }

  253. #endif

  254. 

  255.     uint64_t *c = cs->limb;

  256.     const uint64_t *a = as->limb;

  257. 

  258.     nonad_t ad, be, cf, abde, bcef, acdf;

  259.     nonad_sqr(&ad, &a[0]);

  260.     nonad_sqr(&be, &a[4]);

  261.     nonad_sqr(&cf, &a[8]);

  262. 

  263.     uint64_t amt = 26;

  264.     uint64x3_t vhi = { amt*((1ull<<58)-1), amt*((1ull<<58)-1), amt*((1ull<<58)-1), 0 },

  265.     vhi2 = { 0, 0, -amt<<57, 0 };

  266.     

  267.     uint64x3_t t2 = cf.lo + be.hi + ad.hier, t0 = ad.lo + timesW(cf.hi + be.hier) + vhi, t1 = ad.hi + be.lo + timesW(cf.hier);

  268. 

  269.     int64_t ta[4] VECTOR_ALIGNED;

  270.     // it seems to be faster not to vectorize these loops

  271.     for (i=0; i<3; i++) {

  272.         ta[i] = a[i]-a[i+4];

  273.     }

  274.     hexad_sqr_signed(&abde,ta);

  275. 

  276.     for (i=0; i<3; i++) {

  277.         ta[i] = a[i+4]-a[i+8];

  278.     }

  279.     hexad_sqr_signed(&bcef,ta);

  280. 

  281.     for (i=0; i<3; i++) {

  282.         ta[i] = a[i]-a[i+8];

  283.     }

  284.     hexad_sqr_signed(&acdf,ta);

  285. 

  286.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  287.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  288.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  289. 

  290.     uint64x3_t out0 = (ot0 & mask58) + timesW(ot2>>58);

  291.     uint64x3_t out1 = (ot1 & mask58) + (ot0>>58);

  292.     uint64x3_t out2 = (ot2 & mask58) + (ot1>>58);

  293. 

  294.     *(uint64x4_t *)&c[0] = out0;

  295.     *(uint64x4_t *)&c[4] = out1;

  296.     *(uint64x4_t *)&c[8] = out2;

  297. }

  298. 

  299. void gf_mulw (gf *__restrict__ cs, const gf *as, uint64_t b) {

  300. #if 0

  301.     int i;

  302.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  303.     for (i=0; i<12; i++) {

  304.         assert(as->limb[i] < 1ull<<61);

  305.     }

  306.     assert(b < 1ull<<61);

  307. #endif

  308.     

  309.     

  310.     const uint64_t *a = as->limb;

  311.     uint64_t *c = cs->limb;

  312. 

  313.     __uint128_t accum0 = 0, accum3 = 0, accum6 = 0;

  314.     uint64_t mask = (1ull<<58) - 1;

  315. 

  316.     accum0 += widemulu(b, a[0]);

  317.     accum3 += widemulu(b, a[1]);

  318.     accum6 += widemulu(b, a[2]);

  319.     c[0] = accum0 & mask; accum0 >>= 58;

  320.     c[1] = accum3 & mask; accum3 >>= 58;

  321.     c[2] = accum6 & mask; accum6 >>= 58;

  322. 

  323.     accum0 += widemulu(b, a[4]);

  324.     accum3 += widemulu(b, a[5]);

  325.     accum6 += widemulu(b, a[6]);

  326.     c[4] = accum0 & mask; accum0 >>= 58;

  327.     c[5] = accum3 & mask; accum3 >>= 58;

  328.     c[6] = accum6 & mask; accum6 >>= 58;

  329. 

  330.     accum0 += widemulu(b, a[8]);

  331.     accum3 += widemulu(b, a[9]);

  332.     accum6 += widemulu(b, a[10]);

  333.     c[8] = accum0 & mask; accum0 >>= 58;

  334.     c[9] = accum3 & mask; accum3 >>= 58;

  335.     c[10] = accum6 & (mask>>1); accum6 >>= 57;

  336.     

  337.     accum0 += c[1];

  338.     c[1] = accum0 & mask;

  339.     c[5] += accum0 >> 58;

  340. 

  341.     accum3 += c[2];

  342.     c[2] = accum3 & mask;

  343.     c[6] += accum3 >> 58;

  344. 

  345.     accum6 += c[0];

  346.     c[0] = accum6 & mask;

  347.     c[4] += accum6 >> 58;

  348.     

  349.     c[3] = c[7] = c[11] = 0;

  350. }

  351. 

  352. 

  353. void gf_strong_reduce (gf *a) {

  354.     uint64_t mask = (1ull<<58)-1, mask2 = (1ull<<57)-1;

  355. 

  356.     /* first, clear high */

  357.     __int128_t scarry = a->limb[LIMBPERM(8)]>>57;

  358.     a->limb[LIMBPERM(8)] &= mask2;

  359. 

  360.     /* now the total is less than 2p */

  361. 

  362.     /* compute total_value - p.  No need to reduce mod p. */

  363. 

  364.     int i;

  365.     for (i=0; i<9; i++) {

  366.         scarry = scarry + a->limb[LIMBPERM(i)] - ((i==8) ? mask2 : mask);

  367.         a->limb[LIMBPERM(i)] = scarry & ((i==8) ? mask2 : mask);

  368.         scarry >>= (i==8) ? 57 : 58;

  369.     }

  370. 

  371.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  372.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^521

  373.     * so let's add back in p.  will carry back off the top for 2^521.

  374.     */

  375. 

  376.     assert(word_is_zero(scarry) | word_is_zero(scarry+1));

  377. 

  378.     uint64_t scarry_mask = scarry & mask;

  379.     __uint128_t carry = 0;

  380. 

  381.     /* add it back */

  382.     for (i=0; i<9; i++) {

  383.         carry = carry + a->limb[LIMBPERM(i)] + ((i==8)?(scarry_mask>>1):scarry_mask);

  384.         a->limb[LIMBPERM(i)] = carry & ((i==8) ? mask>>1 : mask);

  385.         carry >>= (i==8) ? 57 : 58;

  386.     }

  387. 

  388.     assert(word_is_zero(carry + scarry));

  389. 

  390.     a->limb[3] = a->limb[7] = a->limb[11] = 0;

  391. }