// +build !amd64_adx
|
|
|
|
// Copyright 2020 ConsenSys Software Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#include "textflag.h"
|
|
#include "funcdata.h"
|
|
|
|
// modulus q
|
|
DATA q<>+0(SB)/8, $0x43e1f593f0000001
|
|
DATA q<>+8(SB)/8, $0x2833e84879b97091
|
|
DATA q<>+16(SB)/8, $0xb85045b68181585d
|
|
DATA q<>+24(SB)/8, $0x30644e72e131a029
|
|
GLOBL q<>(SB), (RODATA+NOPTR), $32
|
|
|
|
// qInv0 q'[0]
|
|
DATA qInv0<>(SB)/8, $0xc2e1f593efffffff
|
|
GLOBL qInv0<>(SB), (RODATA+NOPTR), $8
|
|
|
|
#define REDUCE(ra0, ra1, ra2, ra3, rb0, rb1, rb2, rb3) \
|
|
MOVQ ra0, rb0; \
|
|
SUBQ q<>(SB), ra0; \
|
|
MOVQ ra1, rb1; \
|
|
SBBQ q<>+8(SB), ra1; \
|
|
MOVQ ra2, rb2; \
|
|
SBBQ q<>+16(SB), ra2; \
|
|
MOVQ ra3, rb3; \
|
|
SBBQ q<>+24(SB), ra3; \
|
|
CMOVQCS rb0, ra0; \
|
|
CMOVQCS rb1, ra1; \
|
|
CMOVQCS rb2, ra2; \
|
|
CMOVQCS rb3, ra3; \
|
|
|
|
// mul(res, x, y *Element)
|
|
TEXT ·mul(SB), $24-24
|
|
|
|
// the algorithm is described here
|
|
// https://hackmd.io/@zkteam/modular_multiplication
|
|
// however, to benefit from the ADCX and ADOX carry chains
|
|
// we split the inner loops in 2:
|
|
// for i=0 to N-1
|
|
// for j=0 to N-1
|
|
// (A,t[j]) := t[j] + x[j]*y[i] + A
|
|
// m := t[0]*q'[0] mod W
|
|
// C,_ := t[0] + m*q[0]
|
|
// for j=1 to N-1
|
|
// (C,t[j-1]) := t[j] + m*q[j] + C
|
|
// t[N-1] = C + A
|
|
|
|
NO_LOCAL_POINTERS
|
|
CMPB ·supportAdx(SB), $1
|
|
JNE l1
|
|
MOVQ x+8(FP), SI
|
|
|
|
// x[0] -> DI
|
|
// x[1] -> R8
|
|
// x[2] -> R9
|
|
// x[3] -> R10
|
|
MOVQ 0(SI), DI
|
|
MOVQ 8(SI), R8
|
|
MOVQ 16(SI), R9
|
|
MOVQ 24(SI), R10
|
|
MOVQ y+16(FP), R11
|
|
|
|
// A -> BP
|
|
// t[0] -> R14
|
|
// t[1] -> R15
|
|
// t[2] -> CX
|
|
// t[3] -> BX
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
MOVQ 0(R11), DX
|
|
|
|
// (A,t[0]) := x[0]*y[0] + A
|
|
MULXQ DI, R14, R15
|
|
|
|
// (A,t[1]) := x[1]*y[0] + A
|
|
MULXQ R8, AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (A,t[2]) := x[2]*y[0] + A
|
|
MULXQ R9, AX, BX
|
|
ADOXQ AX, CX
|
|
|
|
// (A,t[3]) := x[3]*y[0] + A
|
|
MULXQ R10, AX, BP
|
|
ADOXQ AX, BX
|
|
|
|
// A += carries from ADCXQ and ADOXQ
|
|
MOVQ $0, AX
|
|
ADOXQ AX, BP
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, R12
|
|
ADCXQ R14, AX
|
|
MOVQ R12, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
|
|
// t[3] = C + A
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ BP, BX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
MOVQ 8(R11), DX
|
|
|
|
// (A,t[0]) := t[0] + x[0]*y[1] + A
|
|
MULXQ DI, AX, BP
|
|
ADOXQ AX, R14
|
|
|
|
// (A,t[1]) := t[1] + x[1]*y[1] + A
|
|
ADCXQ BP, R15
|
|
MULXQ R8, AX, BP
|
|
ADOXQ AX, R15
|
|
|
|
// (A,t[2]) := t[2] + x[2]*y[1] + A
|
|
ADCXQ BP, CX
|
|
MULXQ R9, AX, BP
|
|
ADOXQ AX, CX
|
|
|
|
// (A,t[3]) := t[3] + x[3]*y[1] + A
|
|
ADCXQ BP, BX
|
|
MULXQ R10, AX, BP
|
|
ADOXQ AX, BX
|
|
|
|
// A += carries from ADCXQ and ADOXQ
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BP
|
|
ADOXQ AX, BP
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, R12
|
|
ADCXQ R14, AX
|
|
MOVQ R12, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
|
|
// t[3] = C + A
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ BP, BX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
MOVQ 16(R11), DX
|
|
|
|
// (A,t[0]) := t[0] + x[0]*y[2] + A
|
|
MULXQ DI, AX, BP
|
|
ADOXQ AX, R14
|
|
|
|
// (A,t[1]) := t[1] + x[1]*y[2] + A
|
|
ADCXQ BP, R15
|
|
MULXQ R8, AX, BP
|
|
ADOXQ AX, R15
|
|
|
|
// (A,t[2]) := t[2] + x[2]*y[2] + A
|
|
ADCXQ BP, CX
|
|
MULXQ R9, AX, BP
|
|
ADOXQ AX, CX
|
|
|
|
// (A,t[3]) := t[3] + x[3]*y[2] + A
|
|
ADCXQ BP, BX
|
|
MULXQ R10, AX, BP
|
|
ADOXQ AX, BX
|
|
|
|
// A += carries from ADCXQ and ADOXQ
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BP
|
|
ADOXQ AX, BP
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, R12
|
|
ADCXQ R14, AX
|
|
MOVQ R12, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
|
|
// t[3] = C + A
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ BP, BX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
MOVQ 24(R11), DX
|
|
|
|
// (A,t[0]) := t[0] + x[0]*y[3] + A
|
|
MULXQ DI, AX, BP
|
|
ADOXQ AX, R14
|
|
|
|
// (A,t[1]) := t[1] + x[1]*y[3] + A
|
|
ADCXQ BP, R15
|
|
MULXQ R8, AX, BP
|
|
ADOXQ AX, R15
|
|
|
|
// (A,t[2]) := t[2] + x[2]*y[3] + A
|
|
ADCXQ BP, CX
|
|
MULXQ R9, AX, BP
|
|
ADOXQ AX, CX
|
|
|
|
// (A,t[3]) := t[3] + x[3]*y[3] + A
|
|
ADCXQ BP, BX
|
|
MULXQ R10, AX, BP
|
|
ADOXQ AX, BX
|
|
|
|
// A += carries from ADCXQ and ADOXQ
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BP
|
|
ADOXQ AX, BP
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
|
|
// clear the flags
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, R12
|
|
ADCXQ R14, AX
|
|
MOVQ R12, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
|
|
// t[3] = C + A
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ BP, BX
|
|
|
|
// reduce element(R14,R15,CX,BX) using temp registers (R13,SI,R12,R11)
|
|
REDUCE(R14,R15,CX,BX,R13,SI,R12,R11)
|
|
|
|
MOVQ res+0(FP), AX
|
|
MOVQ R14, 0(AX)
|
|
MOVQ R15, 8(AX)
|
|
MOVQ CX, 16(AX)
|
|
MOVQ BX, 24(AX)
|
|
RET
|
|
|
|
l1:
|
|
MOVQ res+0(FP), AX
|
|
MOVQ AX, (SP)
|
|
MOVQ x+8(FP), AX
|
|
MOVQ AX, 8(SP)
|
|
MOVQ y+16(FP), AX
|
|
MOVQ AX, 16(SP)
|
|
CALL ·_mulGeneric(SB)
|
|
RET
|
|
|
|
TEXT ·fromMont(SB), $8-8
|
|
NO_LOCAL_POINTERS
|
|
|
|
// the algorithm is described here
|
|
// https://hackmd.io/@zkteam/modular_multiplication
|
|
// when y = 1 we have:
|
|
// for i=0 to N-1
|
|
// t[i] = x[i]
|
|
// for i=0 to N-1
|
|
// m := t[0]*q'[0] mod W
|
|
// C,_ := t[0] + m*q[0]
|
|
// for j=1 to N-1
|
|
// (C,t[j-1]) := t[j] + m*q[j] + C
|
|
// t[N-1] = C
|
|
CMPB ·supportAdx(SB), $1
|
|
JNE l2
|
|
MOVQ res+0(FP), DX
|
|
MOVQ 0(DX), R14
|
|
MOVQ 8(DX), R15
|
|
MOVQ 16(DX), CX
|
|
MOVQ 24(DX), BX
|
|
XORQ DX, DX
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, BP
|
|
ADCXQ R14, AX
|
|
MOVQ BP, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ AX, BX
|
|
XORQ DX, DX
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, BP
|
|
ADCXQ R14, AX
|
|
MOVQ BP, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ AX, BX
|
|
XORQ DX, DX
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, BP
|
|
ADCXQ R14, AX
|
|
MOVQ BP, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ AX, BX
|
|
XORQ DX, DX
|
|
|
|
// m := t[0]*q'[0] mod W
|
|
MOVQ qInv0<>(SB), DX
|
|
IMULQ R14, DX
|
|
XORQ AX, AX
|
|
|
|
// C,_ := t[0] + m*q[0]
|
|
MULXQ q<>+0(SB), AX, BP
|
|
ADCXQ R14, AX
|
|
MOVQ BP, R14
|
|
|
|
// (C,t[0]) := t[1] + m*q[1] + C
|
|
ADCXQ R15, R14
|
|
MULXQ q<>+8(SB), AX, R15
|
|
ADOXQ AX, R14
|
|
|
|
// (C,t[1]) := t[2] + m*q[2] + C
|
|
ADCXQ CX, R15
|
|
MULXQ q<>+16(SB), AX, CX
|
|
ADOXQ AX, R15
|
|
|
|
// (C,t[2]) := t[3] + m*q[3] + C
|
|
ADCXQ BX, CX
|
|
MULXQ q<>+24(SB), AX, BX
|
|
ADOXQ AX, CX
|
|
MOVQ $0, AX
|
|
ADCXQ AX, BX
|
|
ADOXQ AX, BX
|
|
|
|
// reduce element(R14,R15,CX,BX) using temp registers (SI,DI,R8,R9)
|
|
REDUCE(R14,R15,CX,BX,SI,DI,R8,R9)
|
|
|
|
MOVQ res+0(FP), AX
|
|
MOVQ R14, 0(AX)
|
|
MOVQ R15, 8(AX)
|
|
MOVQ CX, 16(AX)
|
|
MOVQ BX, 24(AX)
|
|
RET
|
|
|
|
l2:
|
|
MOVQ res+0(FP), AX
|
|
MOVQ AX, (SP)
|
|
CALL ·_fromMontGeneric(SB)
|
|
RET
|