arnaucube
/
go-iden3-crypto
mirror of https://github.com/arnaucube/go-iden3-crypto.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
26 Branches
7 Tags
4.8 MiB
Branch: feature/goff-0-2-0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'feature/goff-0-2-0'
${ noResults }
go-iden3-crypto/ff/element_mul_amd64.s

695 lines
13 KiB
Raw Permalink Normal View History

Update to goff v0.2.0
4 years ago
  1. // Code generated by goff (v0.2.0) DO NOT EDIT
  3. #include "textflag.h"
  5. // func MulAssignElement(res,y *Element)
  6. // montgomery multiplication of res by y
  7. // stores the result in res
  8. TEXT ·MulAssignElement(SB), NOSPLIT, $0-16
  10. // dereference our parameters
  11. MOVQ res+0(FP), DI
  12. MOVQ y+8(FP), R8
  14. // check if we support adx and mulx
  15. CMPB ·supportAdx(SB), $1
  16. JNE no_adx
  18. // the algorithm is described here
  19. // https://hackmd.io/@zkteam/modular_multiplication
  20. // however, to benefit from the ADCX and ADOX carry chains
  21. // we split the inner loops in 2:
  22. // for i=0 to N-1
  23. // for j=0 to N-1
  24. // (A,t[j]) := t[j] + a[j]*b[i] + A
  25. // m := t[0]*q'[0] mod W
  26. // C,_ := t[0] + m*q[0]
  27. // for j=1 to N-1
  28. // (C,t[j-1]) := t[j] + m*q[j] + C
  29. // t[N-1] = C + A
  31. // ---------------------------------------------------------------------------------------------
  32. // outter loop 0
  34. // clear up the carry flags
  35. XORQ R9 , R9
  37. // R12 = y[0]
  38. MOVQ 0(R8), R12
  40. // for j=0 to N-1
  41. // (A,t[j]) := t[j] + x[j]*y[i] + A
  43. // DX = res[0]
  44. MOVQ 0(DI), DX
  45. MULXQ R12, CX , R9
  47. // DX = res[1]
  48. MOVQ 8(DI), DX
  49. MOVQ R9, BX
  50. MULXQ R12, AX, R9
  51. ADOXQ AX, BX
  53. // DX = res[2]
  54. MOVQ 16(DI), DX
  55. MOVQ R9, BP
  56. MULXQ R12, AX, R9
  57. ADOXQ AX, BP
  59. // DX = res[3]
  60. MOVQ 24(DI), DX
  61. MOVQ R9, SI
  62. MULXQ R12, AX, R9
  63. ADOXQ AX, SI
  65. // add the last carries to R9
  66. MOVQ $0, DX
  67. ADCXQ DX, R9
  68. ADOXQ DX, R9
  70. // m := t[0]*q'[0] mod W
  71. MOVQ $0xc2e1f593efffffff, DX
  72. MULXQ CX,R11, DX
  74. // clear the carry flags
  75. XORQ DX, DX
  77. // C,_ := t[0] + m*q[0]
  78. MOVQ $0x43e1f593f0000001, DX
  79. MULXQ R11, AX, R10
  80. ADCXQ CX ,AX
  82. // for j=1 to N-1
  83. // (C,t[j-1]) := t[j] + m*q[j] + C
  85. MOVQ $0x2833e84879b97091, DX
  86. MULXQ R11, AX, DX
  87. ADCXQ BX, R10
  88. ADOXQ AX, R10
  89. MOVQ R10, CX
  90. MOVQ DX, R10
  92. MOVQ $0xb85045b68181585d, DX
  93. MULXQ R11, AX, DX
  94. ADCXQ BP, R10
  95. ADOXQ AX, R10
  96. MOVQ R10, BX
  97. MOVQ DX, R10
  99. MOVQ $0x30644e72e131a029, DX
  100. MULXQ R11, AX, DX
  101. ADCXQ SI, R10
  102. ADOXQ AX, R10
  103. MOVQ R10, BP
  104. MOVQ $0, AX
  105. ADCXQ AX, DX
  106. ADOXQ DX, R9
  107. MOVQ R9, SI
  109. // ---------------------------------------------------------------------------------------------
  110. // outter loop 1
  112. // clear up the carry flags
  113. XORQ R9 , R9
  115. // R12 = y[1]
  116. MOVQ 8(R8), R12
  118. // for j=0 to N-1
  119. // (A,t[j]) := t[j] + x[j]*y[i] + A
  121. // DX = res[0]
  122. MOVQ 0(DI), DX
  123. MULXQ R12, AX, R9
  124. ADOXQ AX, CX
  126. // DX = res[1]
  127. MOVQ 8(DI), DX
  128. ADCXQ R9, BX
  129. MULXQ R12, AX, R9
  130. ADOXQ AX, BX
  132. // DX = res[2]
  133. MOVQ 16(DI), DX
  134. ADCXQ R9, BP
  135. MULXQ R12, AX, R9
  136. ADOXQ AX, BP
  138. // DX = res[3]
  139. MOVQ 24(DI), DX
  140. ADCXQ R9, SI
  141. MULXQ R12, AX, R9
  142. ADOXQ AX, SI
  144. // add the last carries to R9
  145. MOVQ $0, DX
  146. ADCXQ DX, R9
  147. ADOXQ DX, R9
  149. // m := t[0]*q'[0] mod W
  150. MOVQ $0xc2e1f593efffffff, DX
  151. MULXQ CX,R11, DX
  153. // clear the carry flags
  154. XORQ DX, DX
  156. // C,_ := t[0] + m*q[0]
  157. MOVQ $0x43e1f593f0000001, DX
  158. MULXQ R11, AX, R10
  159. ADCXQ CX ,AX
  161. // for j=1 to N-1
  162. // (C,t[j-1]) := t[j] + m*q[j] + C
  164. MOVQ $0x2833e84879b97091, DX
  165. MULXQ R11, AX, DX
  166. ADCXQ BX, R10
  167. ADOXQ AX, R10
  168. MOVQ R10, CX
  169. MOVQ DX, R10
  171. MOVQ $0xb85045b68181585d, DX
  172. MULXQ R11, AX, DX
  173. ADCXQ BP, R10
  174. ADOXQ AX, R10
  175. MOVQ R10, BX
  176. MOVQ DX, R10
  178. MOVQ $0x30644e72e131a029, DX
  179. MULXQ R11, AX, DX
  180. ADCXQ SI, R10
  181. ADOXQ AX, R10
  182. MOVQ R10, BP
  183. MOVQ $0, AX
  184. ADCXQ AX, DX
  185. ADOXQ DX, R9
  186. MOVQ R9, SI
  188. // ---------------------------------------------------------------------------------------------
  189. // outter loop 2
  191. // clear up the carry flags
  192. XORQ R9 , R9
  194. // R12 = y[2]
  195. MOVQ 16(R8), R12
  197. // for j=0 to N-1
  198. // (A,t[j]) := t[j] + x[j]*y[i] + A
  200. // DX = res[0]
  201. MOVQ 0(DI), DX
  202. MULXQ R12, AX, R9
  203. ADOXQ AX, CX
  205. // DX = res[1]
  206. MOVQ 8(DI), DX
  207. ADCXQ R9, BX
  208. MULXQ R12, AX, R9
  209. ADOXQ AX, BX
  211. // DX = res[2]
  212. MOVQ 16(DI), DX
  213. ADCXQ R9, BP
  214. MULXQ R12, AX, R9
  215. ADOXQ AX, BP
  217. // DX = res[3]
  218. MOVQ 24(DI), DX
  219. ADCXQ R9, SI
  220. MULXQ R12, AX, R9
  221. ADOXQ AX, SI
  223. // add the last carries to R9
  224. MOVQ $0, DX
  225. ADCXQ DX, R9
  226. ADOXQ DX, R9
  228. // m := t[0]*q'[0] mod W
  229. MOVQ $0xc2e1f593efffffff, DX
  230. MULXQ CX,R11, DX
  232. // clear the carry flags
  233. XORQ DX, DX
  235. // C,_ := t[0] + m*q[0]
  236. MOVQ $0x43e1f593f0000001, DX
  237. MULXQ R11, AX, R10
  238. ADCXQ CX ,AX
  240. // for j=1 to N-1
  241. // (C,t[j-1]) := t[j] + m*q[j] + C
  243. MOVQ $0x2833e84879b97091, DX
  244. MULXQ R11, AX, DX
  245. ADCXQ BX, R10
  246. ADOXQ AX, R10
  247. MOVQ R10, CX
  248. MOVQ DX, R10
  250. MOVQ $0xb85045b68181585d, DX
  251. MULXQ R11, AX, DX
  252. ADCXQ BP, R10
  253. ADOXQ AX, R10
  254. MOVQ R10, BX
  255. MOVQ DX, R10
  257. MOVQ $0x30644e72e131a029, DX
  258. MULXQ R11, AX, DX
  259. ADCXQ SI, R10
  260. ADOXQ AX, R10
  261. MOVQ R10, BP
  262. MOVQ $0, AX
  263. ADCXQ AX, DX
  264. ADOXQ DX, R9
  265. MOVQ R9, SI
  267. // ---------------------------------------------------------------------------------------------
  268. // outter loop 3
  270. // clear up the carry flags
  271. XORQ R9 , R9
  273. // R12 = y[3]
  274. MOVQ 24(R8), R12
  276. // for j=0 to N-1
  277. // (A,t[j]) := t[j] + x[j]*y[i] + A
  279. // DX = res[0]
  280. MOVQ 0(DI), DX
  281. MULXQ R12, AX, R9
  282. ADOXQ AX, CX
  284. // DX = res[1]
  285. MOVQ 8(DI), DX
  286. ADCXQ R9, BX
  287. MULXQ R12, AX, R9
  288. ADOXQ AX, BX
  290. // DX = res[2]
  291. MOVQ 16(DI), DX
  292. ADCXQ R9, BP
  293. MULXQ R12, AX, R9
  294. ADOXQ AX, BP
  296. // DX = res[3]
  297. MOVQ 24(DI), DX
  298. ADCXQ R9, SI
  299. MULXQ R12, AX, R9
  300. ADOXQ AX, SI
  302. // add the last carries to R9
  303. MOVQ $0, DX
  304. ADCXQ DX, R9
  305. ADOXQ DX, R9
  307. // m := t[0]*q'[0] mod W
  308. MOVQ $0xc2e1f593efffffff, DX
  309. MULXQ CX,R11, DX
  311. // clear the carry flags
  312. XORQ DX, DX
  314. // C,_ := t[0] + m*q[0]
  315. MOVQ $0x43e1f593f0000001, DX
  316. MULXQ R11, AX, R10
  317. ADCXQ CX ,AX
  319. // for j=1 to N-1
  320. // (C,t[j-1]) := t[j] + m*q[j] + C
  322. MOVQ $0x2833e84879b97091, DX
  323. MULXQ R11, AX, DX
  324. ADCXQ BX, R10
  325. ADOXQ AX, R10
  326. MOVQ R10, CX
  327. MOVQ DX, R10
  329. MOVQ $0xb85045b68181585d, DX
  330. MULXQ R11, AX, DX
  331. ADCXQ BP, R10
  332. ADOXQ AX, R10
  333. MOVQ R10, BX
  334. MOVQ DX, R10
  336. MOVQ $0x30644e72e131a029, DX
  337. MULXQ R11, AX, DX
  338. ADCXQ SI, R10
  339. ADOXQ AX, R10
  340. MOVQ R10, BP
  341. MOVQ $0, AX
  342. ADCXQ AX, DX
  343. ADOXQ DX, R9
  344. MOVQ R9, SI
  346. reduce:
  347. // reduce, constant time version
  348. // first we copy registers storing t in a separate set of registers
  349. // as SUBQ modifies the 2nd operand
  350. MOVQ CX, DX
  351. MOVQ BX, R8
  352. MOVQ BP, R9
  353. MOVQ SI, R10
  354. MOVQ $0x43e1f593f0000001, R11
  355. SUBQ R11, DX
  356. MOVQ $0x2833e84879b97091, R11
  357. SBBQ R11, R8
  358. MOVQ $0xb85045b68181585d, R11
  359. SBBQ R11, R9
  360. MOVQ $0x30644e72e131a029, R11
  361. SBBQ R11, R10
  362. JCS t_is_smaller // no borrow, we return t
  364. // borrow is set, we return u
  365. MOVQ DX, (DI)
  366. MOVQ R8, 8(DI)
  367. MOVQ R9, 16(DI)
  368. MOVQ R10, 24(DI)
  369. RET
  370. t_is_smaller:
  371. MOVQ CX, 0(DI)
  372. MOVQ BX, 8(DI)
  373. MOVQ BP, 16(DI)
  374. MOVQ SI, 24(DI)
  375. RET
  377. no_adx:
  379. // ---------------------------------------------------------------------------------------------
  380. // outter loop 0
  382. // (A,t[0]) := t[0] + x[0]*y[0]
  383. MOVQ (DI), AX // x[0]
  384. MOVQ 0(R8), R12
  385. MULQ R12 // x[0] * y[0]
  386. MOVQ DX, R9
  387. MOVQ AX, CX
  389. // m := t[0]*q'[0] mod W
  390. MOVQ $0xc2e1f593efffffff, R11
  391. IMULQ CX , R11
  393. // C,_ := t[0] + m*q[0]
  394. MOVQ $0x43e1f593f0000001, AX
  395. MULQ R11
  396. ADDQ CX ,AX
  397. ADCQ $0, DX
  398. MOVQ DX, R10
  400. // for j=1 to N-1
  401. // (A,t[j]) := t[j] + x[j]*y[i] + A
  402. // (C,t[j-1]) := t[j] + m*q[j] + C
  403. MOVQ 8(DI), AX
  404. MULQ R12 // x[1] * y[0]
  405. MOVQ R9, BX
  406. ADDQ AX, BX
  407. ADCQ $0, DX
  408. MOVQ DX, R9
  410. MOVQ $0x2833e84879b97091, AX
  411. MULQ R11
  412. ADDQ BX, R10
  413. ADCQ $0, DX
  414. ADDQ AX, R10
  415. ADCQ $0, DX
  417. MOVQ R10, CX
  418. MOVQ DX, R10
  419. MOVQ 16(DI), AX
  420. MULQ R12 // x[2] * y[0]
  421. MOVQ R9, BP
  422. ADDQ AX, BP
  423. ADCQ $0, DX
  424. MOVQ DX, R9
  426. MOVQ $0xb85045b68181585d, AX
  427. MULQ R11
  428. ADDQ BP, R10
  429. ADCQ $0, DX
  430. ADDQ AX, R10
  431. ADCQ $0, DX
  433. MOVQ R10, BX
  434. MOVQ DX, R10
  435. MOVQ 24(DI), AX
  436. MULQ R12 // x[3] * y[0]
  437. MOVQ R9, SI
  438. ADDQ AX, SI
  439. ADCQ $0, DX
  440. MOVQ DX, R9
  442. MOVQ $0x30644e72e131a029, AX
  443. MULQ R11
  444. ADDQ SI, R10
  445. ADCQ $0, DX
  446. ADDQ AX, R10
  447. ADCQ $0, DX
  449. MOVQ R10, BP
  450. MOVQ DX, R10
  452. ADDQ R10, R9
  453. MOVQ R9, SI
  455. // ---------------------------------------------------------------------------------------------
  456. // outter loop 1
  458. // (A,t[0]) := t[0] + x[0]*y[1]
  459. MOVQ (DI), AX // x[0]
  460. MOVQ 8(R8), R12
  461. MULQ R12 // x[0] * y[1]
  462. ADDQ AX, CX
  463. ADCQ $0, DX
  464. MOVQ DX, R9
  466. // m := t[0]*q'[0] mod W
  467. MOVQ $0xc2e1f593efffffff, R11
  468. IMULQ CX , R11
  470. // C,_ := t[0] + m*q[0]
  471. MOVQ $0x43e1f593f0000001, AX
  472. MULQ R11
  473. ADDQ CX ,AX
  474. ADCQ $0, DX
  475. MOVQ DX, R10
  477. // for j=1 to N-1
  478. // (A,t[j]) := t[j] + x[j]*y[i] + A
  479. // (C,t[j-1]) := t[j] + m*q[j] + C
  480. MOVQ 8(DI), AX
  481. MULQ R12 // x[1] * y[1]
  482. ADDQ R9, BX
  483. ADCQ $0, DX
  484. ADDQ AX, BX
  485. ADCQ $0, DX
  486. MOVQ DX, R9
  488. MOVQ $0x2833e84879b97091, AX
  489. MULQ R11
  490. ADDQ BX, R10
  491. ADCQ $0, DX
  492. ADDQ AX, R10
  493. ADCQ $0, DX
  495. MOVQ R10, CX
  496. MOVQ DX, R10
  497. MOVQ 16(DI), AX
  498. MULQ R12 // x[2] * y[1]
  499. ADDQ R9, BP
  500. ADCQ $0, DX
  501. ADDQ AX, BP
  502. ADCQ $0, DX
  503. MOVQ DX, R9
  505. MOVQ $0xb85045b68181585d, AX
  506. MULQ R11
  507. ADDQ BP, R10
  508. ADCQ $0, DX
  509. ADDQ AX, R10
  510. ADCQ $0, DX
  512. MOVQ R10, BX
  513. MOVQ DX, R10
  514. MOVQ 24(DI), AX
  515. MULQ R12 // x[3] * y[1]
  516. ADDQ R9, SI
  517. ADCQ $0, DX
  518. ADDQ AX, SI
  519. ADCQ $0, DX
  520. MOVQ DX, R9
  522. MOVQ $0x30644e72e131a029, AX
  523. MULQ R11
  524. ADDQ SI, R10
  525. ADCQ $0, DX
  526. ADDQ AX, R10
  527. ADCQ $0, DX
  529. MOVQ R10, BP
  530. MOVQ DX, R10
  532. ADDQ R10, R9
  533. MOVQ R9, SI
  535. // ---------------------------------------------------------------------------------------------
  536. // outter loop 2
  538. // (A,t[0]) := t[0] + x[0]*y[2]
  539. MOVQ (DI), AX // x[0]
  540. MOVQ 16(R8), R12
  541. MULQ R12 // x[0] * y[2]
  542. ADDQ AX, CX
  543. ADCQ $0, DX
  544. MOVQ DX, R9
  546. // m := t[0]*q'[0] mod W
  547. MOVQ $0xc2e1f593efffffff, R11
  548. IMULQ CX , R11
  550. // C,_ := t[0] + m*q[0]
  551. MOVQ $0x43e1f593f0000001, AX
  552. MULQ R11
  553. ADDQ CX ,AX
  554. ADCQ $0, DX
  555. MOVQ DX, R10
  557. // for j=1 to N-1
  558. // (A,t[j]) := t[j] + x[j]*y[i] + A
  559. // (C,t[j-1]) := t[j] + m*q[j] + C
  560. MOVQ 8(DI), AX
  561. MULQ R12 // x[1] * y[2]
  562. ADDQ R9, BX
  563. ADCQ $0, DX
  564. ADDQ AX, BX
  565. ADCQ $0, DX
  566. MOVQ DX, R9
  568. MOVQ $0x2833e84879b97091, AX
  569. MULQ R11
  570. ADDQ BX, R10
  571. ADCQ $0, DX
  572. ADDQ AX, R10
  573. ADCQ $0, DX
  575. MOVQ R10, CX
  576. MOVQ DX, R10
  577. MOVQ 16(DI), AX
  578. MULQ R12 // x[2] * y[2]
  579. ADDQ R9, BP
  580. ADCQ $0, DX
  581. ADDQ AX, BP
  582. ADCQ $0, DX
  583. MOVQ DX, R9
  585. MOVQ $0xb85045b68181585d, AX
  586. MULQ R11
  587. ADDQ BP, R10
  588. ADCQ $0, DX
  589. ADDQ AX, R10
  590. ADCQ $0, DX
  592. MOVQ R10, BX
  593. MOVQ DX, R10
  594. MOVQ 24(DI), AX
  595. MULQ R12 // x[3] * y[2]
  596. ADDQ R9, SI
  597. ADCQ $0, DX
  598. ADDQ AX, SI
  599. ADCQ $0, DX
  600. MOVQ DX, R9
  602. MOVQ $0x30644e72e131a029, AX
  603. MULQ R11
  604. ADDQ SI, R10
  605. ADCQ $0, DX
  606. ADDQ AX, R10
  607. ADCQ $0, DX
  609. MOVQ R10, BP
  610. MOVQ DX, R10
  612. ADDQ R10, R9
  613. MOVQ R9, SI
  615. // ---------------------------------------------------------------------------------------------
  616. // outter loop 3
  618. // (A,t[0]) := t[0] + x[0]*y[3]
  619. MOVQ (DI), AX // x[0]
  620. MOVQ 24(R8), R12
  621. MULQ R12 // x[0] * y[3]
  622. ADDQ AX, CX
  623. ADCQ $0, DX
  624. MOVQ DX, R9
  626. // m := t[0]*q'[0] mod W
  627. MOVQ $0xc2e1f593efffffff, R11
  628. IMULQ CX , R11
  630. // C,_ := t[0] + m*q[0]
  631. MOVQ $0x43e1f593f0000001, AX
  632. MULQ R11
  633. ADDQ CX ,AX
  634. ADCQ $0, DX
  635. MOVQ DX, R10
  637. // for j=1 to N-1
  638. // (A,t[j]) := t[j] + x[j]*y[i] + A
  639. // (C,t[j-1]) := t[j] + m*q[j] + C
  640. MOVQ 8(DI), AX
  641. MULQ R12 // x[1] * y[3]
  642. ADDQ R9, BX
  643. ADCQ $0, DX
  644. ADDQ AX, BX
  645. ADCQ $0, DX
  646. MOVQ DX, R9
  648. MOVQ $0x2833e84879b97091, AX
  649. MULQ R11
  650. ADDQ BX, R10
  651. ADCQ $0, DX
  652. ADDQ AX, R10
  653. ADCQ $0, DX
  655. MOVQ R10, CX
  656. MOVQ DX, R10
  657. MOVQ 16(DI), AX
  658. MULQ R12 // x[2] * y[3]
  659. ADDQ R9, BP
  660. ADCQ $0, DX
  661. ADDQ AX, BP
  662. ADCQ $0, DX
  663. MOVQ DX, R9
  665. MOVQ $0xb85045b68181585d, AX
  666. MULQ R11
  667. ADDQ BP, R10
  668. ADCQ $0, DX
  669. ADDQ AX, R10
  670. ADCQ $0, DX
  672. MOVQ R10, BX
  673. MOVQ DX, R10
  674. MOVQ 24(DI), AX
  675. MULQ R12 // x[3] * y[3]
  676. ADDQ R9, SI
  677. ADCQ $0, DX
  678. ADDQ AX, SI
  679. ADCQ $0, DX
  680. MOVQ DX, R9
  682. MOVQ $0x30644e72e131a029, AX
  683. MULQ R11
  684. ADDQ SI, R10
  685. ADCQ $0, DX
  686. ADDQ AX, R10
  687. ADCQ $0, DX
  689. MOVQ R10, BP
  690. MOVQ DX, R10
  692. ADDQ R10, R9
  693. MOVQ R9, SI
  695. JMP reduce