jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 1f480b0f95
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1f480b0f95'
${ noResults }
ed448goldilocks/src/p448/arch_neon/p448.c

724 lines
24 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. #include "p448.h"

  7. 

  8. static inline mask_t __attribute__((always_inline))

  9. is_zero (

  10.     word_t x

  11. ) {

  12.     dword_t xx = x;

  13.     xx--;

  14.     return xx >> WORD_BITS;

  15. }

  16. 

  17. static uint64_t widemul_32 (

  18.     const uint32_t a,

  19.     const uint32_t b

  20. ) {

  21.     return ((uint64_t)a)* b;

  22. }

  23. 

  24. #ifdef __ARM_NEON__

  25. static __inline__ void __attribute__((gnu_inline,always_inline))

  26. xx_vtrnq_s64 (

  27.     int64x2_t *x,

  28.     int64x2_t *y

  29. ) {

  30.     __asm__ __volatile__ ("vswp %f0, %e1" : "+w"(*x), "+w"(*y));

  31. }

  32. 

  33. static __inline__ int64x2_t __attribute__((gnu_inline,always_inline))

  34. xx_vaddup_s64(int64x2_t x) {

  35.     __asm__ ("vadd.s64 %f0, %e0" : "+w"(x));

  36.     return x;

  37. }

  38. #else

  39. #include "neon_emulation.h"

  40. #endif /* ARM_NEON */

  41. 

  42. static inline void __attribute__((gnu_inline,always_inline,unused))

  43. smlal (

  44.     uint64_t *acc,

  45.     const uint32_t a,

  46.     const uint32_t b

  47. ) {

  48.     *acc += (int64_t)(int32_t)a * (int64_t)(int32_t)b;

  49. }

  50. 

  51. static inline void __attribute__((gnu_inline,always_inline,unused))

  52. smlal2 (

  53.     uint64_t *acc,

  54.     const uint32_t a,

  55.     const uint32_t b

  56. ) {

  57.     *acc += (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;

  58. }

  59. 

  60. static inline void __attribute__((gnu_inline,always_inline,unused))

  61. smull (

  62.     uint64_t *acc,

  63.     const uint32_t a,

  64.     const uint32_t b

  65. ) {

  66.     *acc = (int64_t)(int32_t)a * (int64_t)(int32_t)b;

  67. }

  68. 

  69. static inline void __attribute__((gnu_inline,always_inline,unused))

  70. smull2 (

  71.     uint64_t *acc,

  72.     const uint32_t a,

  73.     const uint32_t b

  74. ) {

  75.     *acc = (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;

  76. }

  77. 

  78. void

  79. p448_mul (

  80.     p448_t *__restrict__ cs,

  81.     const p448_t *as,

  82.     const p448_t *bs

  83. ) {

  84.     const uint32_t *a = as->limb, *b = bs->limb;

  85.     uint32_t *c = cs->limb;

  86.     

  87.     

  88.     const int32x2_t

  89.         *val = (const int32x2_t *)a,

  90.         *vbl = (const int32x2_t *)b,

  91.         *vah = (const int32x2_t *)(&a[8]),

  92.         *vbh = (const int32x2_t *)(&b[8]);

  93.     

  94.     int32x2_t

  95.         *vcl = (int32x2_t *)c,

  96.         *vch = (int32x2_t *)(&c[8]),

  97.         vmask = {(1<<28) - 1, (1<<28)-1};

  98. 

  99.     int64x2_t accumx0a, accumx0b;

  100.     int64x2_t accumx1a, accumx1b;

  101.     int64x2_t accumx2a, accumx2b;

  102.     int64x2_t accumx3a, accumx3b;

  103.     int64x2_t accumx4a, accumx4b;

  104.     int64x2_t accumx5a, accumx5b;

  105.     int64x2_t accumx6a, accumx6b;

  106.     int64x2_t accumx7a, accumx7b;

  107.     int64x2_t carry;

  108.     int32x2x2_t trn_res;

  109.     int32x2_t delta;

  110.     

  111.     accumx0a = vmull_lane_s32(          delta = val[1] + vah[1], vbh[3], 0);

  112.     accumx1a = vmull_lane_s32(          delta, vbh[3], 1);

  113.     accumx0a = vmlal_lane_s32(accumx0a, delta = val[2] + vah[2], vbh[2], 0);

  114.     accumx1a = vmlal_lane_s32(accumx1a, delta, vbh[2], 1);

  115.     accumx0a = vmlal_lane_s32(accumx0a, delta = val[3] + vah[3], vbh[1], 0);

  116.     accumx1a = vmlal_lane_s32(accumx1a, delta, vbh[1], 1);

  117.     accumx0b = vmull_lane_s32(          delta = val[0] + vah[0], vbh[0], 0);

  118.     accumx1b = vmull_lane_s32(          delta, vbh[0], 1);

  119.     accumx0b = vmlal_lane_s32(accumx0b, vah[1], vbl[3], 0);

  120.     accumx1b = vmlal_lane_s32(accumx1b, vah[1], vbl[3], 1);

  121.     accumx0b = vmlal_lane_s32(accumx0b, vah[2], vbl[2], 0);

  122.     accumx1b = vmlal_lane_s32(accumx1b, vah[2], vbl[2], 1);

  123.     accumx0b = vmlal_lane_s32(accumx0b, vah[3], vbl[1], 0);

  124.     accumx1b = vmlal_lane_s32(accumx1b, vah[3], vbl[1], 1);

  125.     accumx0b += accumx0a;

  126.     accumx1b += accumx1a;

  127.     accumx0a = vmlal_lane_s32(accumx0a, vah[0], vbl[0], 0);

  128.     accumx1a = vmlal_lane_s32(accumx1a, vah[0], vbl[0], 1);

  129.     accumx0a = vmlal_lane_s32(accumx0a, val[1], delta = vbl[3] - vbh[3], 0);

  130.     accumx1a = vmlal_lane_s32(accumx1a, val[1], delta, 1);

  131.     accumx0a = vmlal_lane_s32(accumx0a, val[2], delta = vbl[2] - vbh[2], 0);

  132.     accumx1a = vmlal_lane_s32(accumx1a, val[2], delta, 1);

  133.     accumx0a = vmlal_lane_s32(accumx0a, val[3], delta = vbl[1] - vbh[1], 0);

  134.     accumx1a = vmlal_lane_s32(accumx1a, val[3], delta, 1);

  135.     accumx0a += accumx0b;

  136.     accumx1a += accumx1b;

  137.     accumx0b = vmlal_lane_s32(accumx0b, val[0], delta = vbl[0] - vbh[0], 0);

  138.     accumx1b = vmlal_lane_s32(accumx1b, val[0], delta, 1);

  139.     xx_vtrnq_s64(&accumx0a, &accumx0b);

  140.     xx_vtrnq_s64(&accumx1a, &accumx1b);

  141.     accumx0b += accumx1a;

  142.     accumx0b = vsraq_n_s64(accumx0b,accumx0a,28);

  143.     accumx1b = vsraq_n_s64(accumx1b,accumx0b,28);

  144.     trn_res = vtrn_s32(vmovn_s64(accumx0a), vmovn_s64(accumx0b));

  145.     vcl[0] = trn_res.val[1] & vmask;

  146.     vch[0] = trn_res.val[0] & vmask;

  147.     

  148.     

  149.     

  150.     

  151.     accumx2a = vmull_lane_s32(          delta = val[2] + vah[2], vbh[3], 0);

  152.     accumx3a = vmull_lane_s32(          delta, vbh[3], 1);

  153.     accumx2a = vmlal_lane_s32(accumx2a, delta = val[3] + vah[3], vbh[2], 0);

  154.     accumx3a = vmlal_lane_s32(accumx3a, delta, vbh[2], 1);

  155.     accumx2b = vmull_lane_s32(          delta = val[0] + vah[0], vbh[1], 0);

  156.     accumx3b = vmull_lane_s32(          delta, vbh[1], 1);

  157.     accumx2b = vmlal_lane_s32(accumx2b, delta = val[1] + vah[1], vbh[0], 0);

  158.     accumx3b = vmlal_lane_s32(accumx3b, delta, vbh[0], 1);

  159.     accumx2b = vmlal_lane_s32(accumx2b, vah[2], vbl[3], 0);

  160.     accumx3b = vmlal_lane_s32(accumx3b, vah[2], vbl[3], 1);

  161.     accumx2b = vmlal_lane_s32(accumx2b, vah[3], vbl[2], 0);

  162.     accumx3b = vmlal_lane_s32(accumx3b, vah[3], vbl[2], 1);

  163.     accumx2b += accumx2a;

  164.     accumx3b += accumx3a;

  165.     accumx2a = vmlal_lane_s32(accumx2a, vah[0], vbl[1], 0);

  166.     accumx3a = vmlal_lane_s32(accumx3a, vah[0], vbl[1], 1);

  167.     accumx2a = vmlal_lane_s32(accumx2a, vah[1], vbl[0], 0);

  168.     accumx3a = vmlal_lane_s32(accumx3a, vah[1], vbl[0], 1);

  169.     accumx2a = vmlal_lane_s32(accumx2a, val[2], delta = vbl[3] - vbh[3], 0);

  170.     accumx3a = vmlal_lane_s32(accumx3a, val[2], delta, 1);

  171.     accumx2a = vmlal_lane_s32(accumx2a, val[3], delta = vbl[2] - vbh[2], 0);

  172.     accumx3a = vmlal_lane_s32(accumx3a, val[3], delta, 1);

  173.     accumx2a += accumx2b;

  174.     accumx3a += accumx3b;

  175.     accumx2b = vmlal_lane_s32(accumx2b, val[0], delta = vbl[1] - vbh[1], 0);

  176.     accumx3b = vmlal_lane_s32(accumx3b, val[0], delta, 1);

  177.     accumx2b = vmlal_lane_s32(accumx2b, val[1], delta = vbl[0] - vbh[0], 0);

  178.     accumx3b = vmlal_lane_s32(accumx3b, val[1], delta, 1);

  179.     xx_vtrnq_s64(&accumx2a, &accumx2b);

  180.     xx_vtrnq_s64(&accumx3a, &accumx3b);

  181.     accumx2a += accumx1b;

  182.     accumx2b += accumx3a;

  183.     accumx2b = vsraq_n_s64(accumx2b,accumx2a,28);

  184.     accumx3b = vsraq_n_s64(accumx3b,accumx2b,28);

  185.     trn_res = vtrn_s32(vmovn_s64(accumx2a), vmovn_s64(accumx2b));

  186.     vcl[1] = trn_res.val[1] & vmask;

  187.     vch[1] = trn_res.val[0] & vmask;

  188.     carry = accumx3b;

  189.     

  190.     

  191.     

  192.     

  193.     accumx4a = vmull_lane_s32(          delta = val[3] + vah[3], vbh[3], 0);

  194.     accumx5a = vmull_lane_s32(          delta, vbh[3], 1);

  195.     accumx4b = accumx4a;

  196.     accumx5b = accumx5a;

  197.     accumx4b = vmlal_lane_s32(accumx4b, delta = val[0] + vah[0], vbh[2], 0);

  198.     accumx5b = vmlal_lane_s32(accumx5b, delta, vbh[2], 1);

  199.     accumx4b = vmlal_lane_s32(accumx4b, delta = val[1] + vah[1], vbh[1], 0);

  200.     accumx5b = vmlal_lane_s32(accumx5b, delta, vbh[1], 1);

  201.     accumx4b = vmlal_lane_s32(accumx4b, delta = val[2] + vah[2], vbh[0], 0);

  202.     accumx5b = vmlal_lane_s32(accumx5b, delta, vbh[0], 1);

  203.     accumx4b = vmlal_lane_s32(accumx4b, vah[3], vbl[3], 0);

  204.     accumx5b = vmlal_lane_s32(accumx5b, vah[3], vbl[3], 1);

  205.     accumx4a += accumx4b;

  206.     accumx5a += accumx5b;

  207.     accumx4a = vmlal_lane_s32(accumx4a, vah[0], vbl[2], 0);

  208.     accumx5a = vmlal_lane_s32(accumx5a, vah[0], vbl[2], 1);

  209.     accumx4a = vmlal_lane_s32(accumx4a, vah[1], vbl[1], 0);

  210.     accumx5a = vmlal_lane_s32(accumx5a, vah[1], vbl[1], 1);

  211.     accumx4a = vmlal_lane_s32(accumx4a, vah[2], vbl[0], 0);

  212.     accumx5a = vmlal_lane_s32(accumx5a, vah[2], vbl[0], 1);

  213.     accumx4a = vmlal_lane_s32(accumx4a, val[3], delta = vbl[3] - vbh[3], 0);

  214.     accumx5a = vmlal_lane_s32(accumx5a, val[3], delta, 1);

  215.     /**/

  216.     accumx4b = vmlal_lane_s32(accumx4b, val[0], delta = vbl[2] - vbh[2], 0);

  217.     accumx5b = vmlal_lane_s32(accumx5b, val[0], delta, 1);

  218.     accumx4b = vmlal_lane_s32(accumx4b, val[1], delta = vbl[1] - vbh[1], 0);

  219.     accumx5b = vmlal_lane_s32(accumx5b, val[1], delta, 1);

  220.     accumx4b = vmlal_lane_s32(accumx4b, val[2], delta = vbl[0] - vbh[0], 0);

  221.     accumx5b = vmlal_lane_s32(accumx5b, val[2], delta, 1);

  222.     

  223.     xx_vtrnq_s64(&accumx4a, &accumx4b);

  224.     xx_vtrnq_s64(&accumx5a, &accumx5b);

  225.     accumx4a += carry;

  226.     accumx4b += accumx5a;

  227.     accumx4b = vsraq_n_s64(accumx4b,accumx4a,28);

  228.     accumx5b = vsraq_n_s64(accumx5b,accumx4b,28);

  229.     

  230.     trn_res = vtrn_s32(vmovn_s64(accumx4a), vmovn_s64(accumx4b));

  231.     vcl[2] = trn_res.val[1] & vmask;

  232.     vch[2] = trn_res.val[0] & vmask;

  233.     

  234.     

  235.     

  236.     

  237.     accumx6b = vmull_lane_s32(          delta = val[0] + vah[0], vbh[3], 0);

  238.     accumx7b = vmull_lane_s32(          delta, vbh[3], 1);

  239.     accumx6b = vmlal_lane_s32(accumx6b, delta = val[1] + vah[1], vbh[2], 0);

  240.     accumx7b = vmlal_lane_s32(accumx7b, delta, vbh[2], 1);

  241.     accumx6b = vmlal_lane_s32(accumx6b, delta = val[2] + vah[2], vbh[1], 0);

  242.     accumx7b = vmlal_lane_s32(accumx7b, delta, vbh[1], 1);

  243.     accumx6b = vmlal_lane_s32(accumx6b, delta = val[3] + vah[3], vbh[0], 0);

  244.     accumx7b = vmlal_lane_s32(accumx7b, delta, vbh[0], 1);

  245.     accumx6a = accumx6b;

  246.     accumx7a = accumx7b;

  247.     accumx6a = vmlal_lane_s32(accumx6a, vah[0], vbl[3], 0);

  248.     accumx7a = vmlal_lane_s32(accumx7a, vah[0], vbl[3], 1);

  249.     accumx6a = vmlal_lane_s32(accumx6a, vah[1], vbl[2], 0);

  250.     accumx7a = vmlal_lane_s32(accumx7a, vah[1], vbl[2], 1);

  251.     accumx6a = vmlal_lane_s32(accumx6a, vah[2], vbl[1], 0);

  252.     accumx7a = vmlal_lane_s32(accumx7a, vah[2], vbl[1], 1);

  253.     accumx6a = vmlal_lane_s32(accumx6a, vah[3], vbl[0], 0);

  254.     accumx7a = vmlal_lane_s32(accumx7a, vah[3], vbl[0], 1);

  255.     /**/

  256.     accumx6b = vmlal_lane_s32(accumx6b, val[0], delta = vbl[3] - vbh[3], 0);

  257.     accumx7b = vmlal_lane_s32(accumx7b, val[0], delta, 1);

  258.     accumx6b = vmlal_lane_s32(accumx6b, val[1], delta = vbl[2] - vbh[2], 0);

  259.     accumx7b = vmlal_lane_s32(accumx7b, val[1], delta, 1);

  260.     accumx6b = vmlal_lane_s32(accumx6b, val[2], delta = vbl[1] - vbh[1], 0);

  261.     accumx7b = vmlal_lane_s32(accumx7b, val[2], delta, 1);

  262.     accumx6b = vmlal_lane_s32(accumx6b, val[3], delta = vbl[0] - vbh[0], 0);

  263.     accumx7b = vmlal_lane_s32(accumx7b, val[3], delta, 1);

  264. 

  265.     xx_vtrnq_s64(&accumx6a, &accumx6b);

  266.     xx_vtrnq_s64(&accumx7a, &accumx7b);

  267.     accumx6a += accumx5b;

  268.     accumx6b += accumx7a;

  269.     

  270.     accumx6b = vsraq_n_s64(accumx6b,accumx6a,28);

  271.     accumx7b = vsraq_n_s64(accumx7b,accumx6b,28);

  272.     trn_res = vtrn_s32(vmovn_s64(accumx6a), vmovn_s64(accumx6b));

  273.     vcl[3] = trn_res.val[1] & vmask;

  274.     vch[3] = trn_res.val[0] & vmask;

  275.     

  276.     

  277.     accumx7b = xx_vaddup_s64(accumx7b);

  278. 

  279.     int32x2_t t0 = vcl[0], t1 = vch[0];

  280.     trn_res = vtrn_s32(t0,t1);

  281.     t0 = trn_res.val[0]; t1 = trn_res.val[1];

  282.     

  283.     accumx7b = vaddw_s32(accumx7b, t0);

  284.     t0 = vmovn_s64(accumx7b) & vmask;

  285.     

  286.     accumx7b = vshrq_n_s64(accumx7b,28);

  287.     accumx7b = vaddw_s32(accumx7b, t1);

  288.     t1 = vmovn_s64(accumx7b) & vmask;

  289.     trn_res = vtrn_s32(t0,t1);

  290.     vcl[0] = trn_res.val[0];

  291.     vch[0] = trn_res.val[1];

  292.     accumx7b = vshrq_n_s64(accumx7b,28);

  293. 

  294.     t0 = vmovn_s64(accumx7b);

  295.     

  296.     uint32_t

  297.         c0 = vget_lane_s32(t0,0),

  298.         c1 = vget_lane_s32(t0,1);

  299.     c[2]  += c0;

  300.     c[10] += c1;

  301. }

  302. 

  303. void

  304. p448_sqr (

  305.     p448_t *__restrict__ cs,

  306.     const p448_t *as

  307. ) {

  308.     /* FUTURE possible improvements:

  309.      *    don't use nega-phi algorithm, so as to avoid extra phi-twiddle at end

  310.      *        or use phi/nega-phi for everything, montgomery style

  311.      *        or find some sort of phi algorithm which doesn't have this problem

  312.      *    break up lanemuls so that only diags get 1mul'd instead of diag 2x2 blocks

  313.      *

  314.      * These improvements are all pretty minor, but I guess together they might matter?

  315.      */

  316.     

  317.     const uint32_t *b = as->limb;

  318.     uint32_t *c = cs->limb;

  319. 

  320.     int32x2_t vbm[4];

  321.     

  322.     const int32x2_t

  323.         *vbl = (const int32x2_t *)b,

  324.         *vbh = (const int32x2_t *)(&b[8]);

  325.         

  326.     int i;

  327.     for (i=0; i<4; i++) {

  328.         vbm[i] = vbl[i] - vbh[i];

  329.     }

  330.     

  331.     int32x2_t

  332.         *vcl = (int32x2_t *)c,

  333.         *vch = (int32x2_t *)(&c[8]),

  334.         vmask = {(1<<28) - 1, (1<<28)-1};

  335. 

  336.     int64x2_t accumx0a, accumx0b;

  337.     int64x2_t accumx1a, accumx1b;

  338.     int64x2_t accumx2a, accumx2b;

  339.     int64x2_t accumx3a, accumx3b;

  340.     int64x2_t accumx4a, accumx4b;

  341.     int64x2_t accumx5a, accumx5b;

  342.     int64x2_t accumx6a, accumx6b;

  343.     int64x2_t accumx7a, accumx7b;

  344.     int64x2_t carry;

  345.     int32x2x2_t trn_res;

  346.     

  347.     accumx0a = vqdmull_lane_s32(          vbh[1], vbh[3], 0);

  348.     accumx1a = vqdmull_lane_s32(          vbh[1], vbh[3], 1);

  349.     accumx2a = vqdmull_lane_s32(          vbh[2], vbh[3], 0);

  350.     accumx3a = vqdmull_lane_s32(          vbh[2], vbh[3], 1);

  351.     accumx0a =   vmlal_lane_s32(accumx0a, vbh[2], vbh[2], 0);

  352.     accumx1a =   vmlal_lane_s32(accumx1a, vbh[2], vbh[2], 1);

  353.     accumx2b = accumx2a;

  354.     accumx3b = accumx3a;

  355.     accumx2b = vqdmlal_lane_s32(accumx2b, vbh[0], vbh[1], 0);

  356.     accumx3b = vqdmlal_lane_s32(accumx3b, vbh[0], vbh[1], 1);

  357.     accumx0b = accumx0a;

  358.     accumx1b = accumx1a;

  359.     accumx0b =   vmlal_lane_s32(accumx0b, vbh[0], vbh[0], 0);

  360.     accumx1b =   vmlal_lane_s32(accumx1b, vbh[0], vbh[0], 1);

  361.     accumx0b = vqdmlal_lane_s32(accumx0b, vbl[1], vbl[3], 0);

  362.     accumx1b = vqdmlal_lane_s32(accumx1b, vbl[1], vbl[3], 1);

  363.     accumx2b = vqdmlal_lane_s32(accumx2b, vbl[2], vbl[3], 0);

  364.     accumx3b = vqdmlal_lane_s32(accumx3b, vbl[2], vbl[3], 1);

  365.     accumx0b =   vmlal_lane_s32(accumx0b, vbl[2], vbl[2], 0);

  366.     accumx1b =   vmlal_lane_s32(accumx1b, vbl[2], vbl[2], 1);

  367.     accumx2a += accumx2b;

  368.     accumx3a += accumx3b;

  369.     accumx2a = vqdmlal_lane_s32(accumx2a, vbl[0], vbl[1], 0);

  370.     accumx3a = vqdmlal_lane_s32(accumx3a, vbl[0], vbl[1], 1);

  371.     accumx0a += accumx0b;

  372.     accumx1a += accumx1b;

  373.     accumx0a =   vmlal_lane_s32(accumx0a, vbl[0], vbl[0], 0);

  374.     accumx1a =   vmlal_lane_s32(accumx1a, vbl[0], vbl[0], 1);

  375.     accumx0a = vqdmlsl_lane_s32(accumx0a, vbm[1], vbm[3], 0);

  376.     accumx1a = vqdmlsl_lane_s32(accumx1a, vbm[1], vbm[3], 1);

  377.     accumx0a =   vmlsl_lane_s32(accumx0a, vbm[2], vbm[2], 0);

  378.     accumx1a =   vmlsl_lane_s32(accumx1a, vbm[2], vbm[2], 1);

  379.     accumx2a = vqdmlsl_lane_s32(accumx2a, vbm[2], vbm[3], 0);

  380.     accumx3a = vqdmlsl_lane_s32(accumx3a, vbm[2], vbm[3], 1);

  381.     accumx0b += accumx0a;

  382.     accumx1b += accumx1a;

  383.     accumx0b =   vmlsl_lane_s32(accumx0b, vbm[0], vbm[0], 0);

  384.     accumx1b =   vmlsl_lane_s32(accumx1b, vbm[0], vbm[0], 1);

  385.     accumx2b += accumx2a;

  386.     accumx3b += accumx3a;

  387.     accumx2b = vqdmlsl_lane_s32(accumx2b, vbm[0], vbm[1], 0);

  388.     accumx3b = vqdmlsl_lane_s32(accumx3b, vbm[0], vbm[1], 1);

  389.     xx_vtrnq_s64(&accumx0b, &accumx0a);

  390.     xx_vtrnq_s64(&accumx1b, &accumx1a);

  391.     xx_vtrnq_s64(&accumx2b, &accumx2a);

  392.     xx_vtrnq_s64(&accumx3b, &accumx3a);

  393.     accumx0a += accumx1b;

  394.     accumx0a = vsraq_n_s64(accumx0a,accumx0b,28);

  395.     accumx1a = vsraq_n_s64(accumx1a,accumx0a,28);

  396.     accumx2b += accumx1a;

  397.     accumx2a += accumx3b;

  398.     accumx2a = vsraq_n_s64(accumx2a,accumx2b,28);

  399.     accumx3a = vsraq_n_s64(accumx3a,accumx2a,28);

  400.     trn_res = vtrn_s32(vmovn_s64(accumx0b), vmovn_s64(accumx0a));

  401.     vcl[0] = trn_res.val[1] & vmask;

  402.     vch[0] = trn_res.val[0] & vmask;

  403.     trn_res = vtrn_s32(vmovn_s64(accumx2b), vmovn_s64(accumx2a));

  404.     vcl[1] = trn_res.val[1] & vmask;

  405.     vch[1] = trn_res.val[0] & vmask;

  406.     carry = accumx3a;

  407.     

  408.     accumx4a =   vmull_lane_s32(          vbh[3], vbh[3], 0);

  409.     accumx5a =   vmull_lane_s32(          vbh[3], vbh[3], 1);

  410.     accumx6b = vqdmull_lane_s32(          vbh[0], vbh[3], 0);

  411.     accumx7b = vqdmull_lane_s32(          vbh[0], vbh[3], 1);

  412.     accumx4b = accumx4a;

  413.     accumx5b = accumx5a;

  414.     accumx4b = vqdmlal_lane_s32(accumx4b, vbh[0], vbh[2], 0);

  415.     accumx5b = vqdmlal_lane_s32(accumx5b, vbh[0], vbh[2], 1);

  416.     accumx6b = vqdmlal_lane_s32(accumx6b, vbh[1], vbh[2], 0);

  417.     accumx7b = vqdmlal_lane_s32(accumx7b, vbh[1], vbh[2], 1);

  418.     accumx4b =   vmlal_lane_s32(accumx4b, vbh[1], vbh[1], 0);

  419.     accumx5b =   vmlal_lane_s32(accumx5b, vbh[1], vbh[1], 1);

  420.     accumx4b =   vmlal_lane_s32(accumx4b, vbl[3], vbl[3], 0);

  421.     accumx5b =   vmlal_lane_s32(accumx5b, vbl[3], vbl[3], 1);

  422.     accumx6a = accumx6b;

  423.     accumx7a = accumx7b;

  424.     accumx6a = vqdmlal_lane_s32(accumx6a, vbl[0], vbl[3], 0);

  425.     accumx7a = vqdmlal_lane_s32(accumx7a, vbl[0], vbl[3], 1);

  426.     accumx4a += accumx4b;

  427.     accumx5a += accumx5b;

  428.     accumx4a = vqdmlal_lane_s32(accumx4a, vbl[0], vbl[2], 0);

  429.     accumx5a = vqdmlal_lane_s32(accumx5a, vbl[0], vbl[2], 1);

  430.     accumx6a = vqdmlal_lane_s32(accumx6a, vbl[1], vbl[2], 0);

  431.     accumx7a = vqdmlal_lane_s32(accumx7a, vbl[1], vbl[2], 1);

  432.     accumx4a =   vmlal_lane_s32(accumx4a, vbl[1], vbl[1], 0);

  433.     accumx5a =   vmlal_lane_s32(accumx5a, vbl[1], vbl[1], 1);

  434.     accumx4a =   vmlsl_lane_s32(accumx4a, vbm[3], vbm[3], 0);

  435.     accumx5a =   vmlsl_lane_s32(accumx5a, vbm[3], vbm[3], 1);

  436.     accumx6b += accumx6a;

  437.     accumx7b += accumx7a;

  438.     accumx6b = vqdmlsl_lane_s32(accumx6b, vbm[0], vbm[3], 0);

  439.     accumx7b = vqdmlsl_lane_s32(accumx7b, vbm[0], vbm[3], 1);

  440.     accumx4b += accumx4a;

  441.     accumx5b += accumx5a;

  442.     accumx4b = vqdmlsl_lane_s32(accumx4b, vbm[0], vbm[2], 0);

  443.     accumx5b = vqdmlsl_lane_s32(accumx5b, vbm[0], vbm[2], 1);

  444.     accumx4b =   vmlsl_lane_s32(accumx4b, vbm[1], vbm[1], 0);

  445.     accumx5b =   vmlsl_lane_s32(accumx5b, vbm[1], vbm[1], 1);

  446.     accumx6b = vqdmlsl_lane_s32(accumx6b, vbm[1], vbm[2], 0);

  447.     accumx7b = vqdmlsl_lane_s32(accumx7b, vbm[1], vbm[2], 1);

  448.     

  449.     xx_vtrnq_s64(&accumx4b, &accumx4a);

  450.     xx_vtrnq_s64(&accumx5b, &accumx5a);

  451.     xx_vtrnq_s64(&accumx6b, &accumx6a);

  452.     xx_vtrnq_s64(&accumx7b, &accumx7a);

  453.     accumx4b += carry;

  454.     accumx4a += accumx5b;

  455.     accumx4a = vsraq_n_s64(accumx4a,accumx4b,28);

  456.     accumx5a = vsraq_n_s64(accumx5a,accumx4a,28);

  457.     accumx6b += accumx5a;

  458.     accumx6a += accumx7b;

  459.     

  460.     trn_res = vtrn_s32(vmovn_s64(accumx4b), vmovn_s64(accumx4a));

  461.     vcl[2] = trn_res.val[1] & vmask;

  462.     vch[2] = trn_res.val[0] & vmask;

  463.     accumx6a = vsraq_n_s64(accumx6a,accumx6b,28);

  464.     accumx7a = vsraq_n_s64(accumx7a,accumx6a,28);

  465.     trn_res = vtrn_s32(vmovn_s64(accumx6b), vmovn_s64(accumx6a));

  466.     vcl[3] = trn_res.val[1] & vmask;

  467.     vch[3] = trn_res.val[0] & vmask;

  468.     

  469.     accumx7a = xx_vaddup_s64(accumx7a);

  470. 

  471.     int32x2_t t0 = vcl[0], t1 = vch[0];

  472.     trn_res = vtrn_s32(t0,t1);

  473.     t0 = trn_res.val[0]; t1 = trn_res.val[1];

  474.     

  475.     accumx7a = vaddw_s32(accumx7a, t0);

  476.     t0 = vmovn_s64(accumx7a) & vmask;

  477.     

  478.     accumx7a = vshrq_n_s64(accumx7a,28);

  479.     accumx7a = vaddw_s32(accumx7a, t1);

  480.     t1 = vmovn_s64(accumx7a) & vmask;

  481.     trn_res = vtrn_s32(t0,t1);

  482.     vcl[0] = trn_res.val[0];

  483.     vch[0] = trn_res.val[1];

  484.     accumx7a = vshrq_n_s64(accumx7a,28);

  485. 

  486.     t0 = vmovn_s64(accumx7a);

  487.     

  488.     uint32_t

  489.         c0 = vget_lane_s32(t0,0),

  490.         c1 = vget_lane_s32(t0,1);

  491.     c[2]  += c0;

  492.     c[10] += c1;

  493. }

  494. 

  495. void

  496. p448_mulw (

  497.     p448_t *__restrict__ cs,

  498.     const p448_t *as,

  499.     uint64_t b

  500. ) {

  501.     const uint32_t bhi = b>>28, blo = b & ((1<<28)-1);

  502.     

  503.     const uint32_t *a = as->limb;

  504.     uint32_t *c = cs->limb;

  505. 

  506.     uint64_t accum0, accum8;

  507.     uint32_t mask = (1ull<<28)-1;  

  508. 

  509.     int i;

  510. 

  511.     uint32_t c0, c8, n0, n8;

  512.     accum0 = widemul_32(bhi, a[15]);

  513.     accum8 = widemul_32(bhi, a[15] + a[7]);

  514.     c0 = a[0]; c8 = a[8];

  515.     smlal(&accum0, blo, c0);

  516.     smlal(&accum8, blo, c8);

  517. 

  518.     c[0] = accum0 & mask; accum0 >>= 28;

  519.     c[8] = accum8 & mask; accum8 >>= 28;

  520.     

  521.     i=1;

  522.     {

  523.         n0 = a[i]; n8 = a[i+8];

  524.         smlal(&accum0, bhi, c0);

  525.         smlal(&accum8, bhi, c8);

  526.         smlal(&accum0, blo, n0);

  527.         smlal(&accum8, blo, n8);

  528.         

  529.         c[i] = accum0 & mask; accum0 >>= 28;

  530.         c[i+8] = accum8 & mask; accum8 >>= 28;

  531.         i++;

  532.     }

  533.     {

  534.         c0 = a[i]; c8 = a[i+8];

  535.         smlal(&accum0, bhi, n0);

  536.         smlal(&accum8, bhi, n8);

  537.         smlal(&accum0, blo, c0);

  538.         smlal(&accum8, blo, c8);

  539. 

  540.         c[i] = accum0 & mask; accum0 >>= 28;

  541.         c[i+8] = accum8 & mask; accum8 >>= 28;

  542.         i++;

  543.     }

  544.     {

  545.         n0 = a[i]; n8 = a[i+8];

  546.         smlal(&accum0, bhi, c0);

  547.         smlal(&accum8, bhi, c8);

  548.         smlal(&accum0, blo, n0);

  549.         smlal(&accum8, blo, n8);

  550. 

  551.         c[i] = accum0 & mask; accum0 >>= 28;

  552.         c[i+8] = accum8 & mask; accum8 >>= 28;

  553.         i++;

  554.     }

  555.     {

  556.         c0 = a[i]; c8 = a[i+8];

  557.         smlal(&accum0, bhi, n0);

  558.         smlal(&accum8, bhi, n8);

  559.         smlal(&accum0, blo, c0);

  560.         smlal(&accum8, blo, c8);

  561. 

  562.         c[i] = accum0 & mask; accum0 >>= 28;

  563.         c[i+8] = accum8 & mask; accum8 >>= 28;

  564.         i++;

  565.     }

  566.     {

  567.         n0 = a[i]; n8 = a[i+8];

  568.         smlal(&accum0, bhi, c0);

  569.         smlal(&accum8, bhi, c8);

  570.         smlal(&accum0, blo, n0);

  571.         smlal(&accum8, blo, n8);

  572. 

  573.         c[i] = accum0 & mask; accum0 >>= 28;

  574.         c[i+8] = accum8 & mask; accum8 >>= 28;

  575.         i++;

  576.     }

  577.     {

  578.         c0 = a[i]; c8 = a[i+8];

  579.         smlal(&accum0, bhi, n0);

  580.         smlal(&accum8, bhi, n8);

  581.         smlal(&accum0, blo, c0);

  582.         smlal(&accum8, blo, c8);

  583.         

  584.         c[i] = accum0 & mask; accum0 >>= 28;

  585.         c[i+8] = accum8 & mask; accum8 >>= 28;

  586.         i++;

  587.     }

  588.     {

  589.         n0 = a[i]; n8 = a[i+8];

  590.         smlal(&accum0, bhi, c0);

  591.         smlal(&accum8, bhi, c8);

  592.         smlal(&accum0, blo, n0);

  593.         smlal(&accum8, blo, n8);

  594. 

  595.         c[i] = accum0 & mask; accum0 >>= 28;

  596.         c[i+8] = accum8 & mask; accum8 >>= 28;

  597.         i++;

  598.     }

  599. 

  600.     accum0 += accum8 + c[8];

  601.     c[8] = accum0 & mask;

  602.     c[9] += accum0 >> 28;

  603. 

  604.     accum8 += c[0];

  605.     c[0] = accum8 & mask;

  606.     c[1] += accum8 >> 28;

  607. }

  608. 

  609. void

  610. p448_strong_reduce (

  611.     p448_t *a

  612. ) {

  613.     word_t mask = (1ull<<28)-1;

  614. 

  615.     /* first, clear high */

  616.     a->limb[8] += a->limb[15]>>28;

  617.     a->limb[0] += a->limb[15]>>28;

  618.     a->limb[15] &= mask;

  619. 

  620.     /* now the total is less than 2^448 - 2^(448-56) + 2^(448-56+8) < 2p */

  621. 

  622.     /* compute total_value - p.  No need to reduce mod p. */

  623. 

  624.     dsword_t scarry = 0;

  625.     int i;

  626.     for (i=0; i<16; i++) {

  627.         scarry = scarry + a->limb[i] - ((i==8)?mask-1:mask);

  628.         a->limb[i] = scarry & mask;

  629.         scarry >>= 28;

  630.     }

  631. 

  632.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  633.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^448

  634.     * so let's add back in p.  will carry back off the top for 2^448.

  635.     */

  636. 

  637.     assert(is_zero(scarry) | is_zero(scarry+1));

  638. 

  639.     word_t scarry_mask = scarry & mask;

  640.     dword_t carry = 0;

  641. 

  642.     /* add it back */

  643.     for (i=0; i<16; i++) {

  644.         carry = carry + a->limb[i] + ((i==8)?(scarry_mask&~1):scarry_mask);

  645.         a->limb[i] = carry & mask;

  646.         carry >>= 28;

  647.     }

  648. 

  649.     assert(is_zero(carry + scarry));

  650. }

  651. 

  652. mask_t

  653. p448_is_zero (

  654.     const struct p448_t *a

  655. ) {

  656.     struct p448_t b;

  657.     p448_copy(&b,a);

  658.     p448_strong_reduce(&b);

  659. 

  660.     uint32_t any = 0;

  661.     int i;

  662.     for (i=0; i<16; i++) {

  663.         any |= b.limb[i];

  664.     }

  665.     return is_zero(any);

  666. }

  667. 

  668. void

  669. p448_serialize (

  670.     uint8_t *serial,

  671.     const struct p448_t *x

  672. ) {

  673.     int i,j;

  674.     p448_t red;

  675.     p448_copy(&red, x);

  676.     p448_strong_reduce(&red);

  677.     for (i=0; i<8; i++) {

  678.         uint64_t limb = red.limb[2*i] + (((uint64_t)red.limb[2*i+1])<<28);

  679.         for (j=0; j<7; j++) {

  680.             serial[7*i+j] = limb;

  681.             limb >>= 8;

  682.         }

  683.         assert(limb == 0);

  684.     }

  685. }

  686. 

  687. mask_t

  688. p448_deserialize (

  689.     p448_t *x,

  690.     const uint8_t serial[56]

  691. ) {

  692.     int i,j;

  693.     for (i=0; i<8; i++) {

  694.         uint64_t out = 0;

  695.         for (j=0; j<7; j++) {

  696.             out |= ((uint64_t)serial[7*i+j])<<(8*j);

  697.         }

  698.         x->limb[2*i] = out & ((1ull<<28)-1);

  699.         x->limb[2*i+1] = out >> 28;

  700.     }

  701.     

  702.     /* Check for reduction.

  703.      *

  704.      * The idea is to create a variable ge which is all ones (rather, 56 ones)

  705.      * if and only if the low $i$ words of $x$ are >= those of p.

  706.      *

  707.      * Remember p = little_endian(1111,1111,1111,1111,1110,1111,1111,1111)

  708.      */

  709.     uint32_t ge = -1, mask = (1ull<<28)-1;

  710.     for (i=0; i<8; i++) {

  711.         ge &= x->limb[i];

  712.     }

  713.     

  714.     /* At this point, ge = 1111 iff bottom are all 1111.  Now propagate if 1110, or set if 1111 */

  715.     ge = (ge & (x->limb[8] + 1)) | is_zero(x->limb[8] ^ mask);

  716.     

  717.     /* Propagate the rest */

  718.     for (i=9; i<16; i++) {

  719.         ge &= x->limb[i];

  720.     }

  721.     

  722.     return ~is_zero(ge ^ mask);

  723. }