/* x86_64 BIGNUM accelerator version 0.1, December 2002. * * Implemented by Andy Polyakov <[email protected]> for the OpenSSL * project. * * Rights for redistribution and usage in source and binary forms are * granted according to the OpenSSL license. Warranty of any kind is * disclaimed. * * Q. Version 0.1? It doesn't sound like Andy, he used to assign real * versions, like 1.0... * A. Well, that's because this code is basically a quick-n-dirty * proof-of-concept hack. As you can see it's implemented with * inline assembler, which means that you're bound to GCC and that * there might be enough room for further improvement. * * Q. Why inline assembler? * A. x86_64 features own ABI which I'm not familiar with. This is * why I decided to let the compiler take care of subroutine * prologue/epilogue as well as register allocation. For reference. * Win64 implements different ABI for AMD64, different from Linux. * * Q. How much faster does it get? * A. 'apps/openssl speed rsa dsa' output with no-asm: * * sign verify sign/s verify/s * rsa 512 bits 0.0006s 0.0001s 1683.8 18456.2 * rsa 1024 bits 0.0028s 0.0002s 356.0 6407.0 * rsa 2048 bits 0.0172s 0.0005s 58.0 1957.8 * rsa 4096 bits 0.1155s 0.0018s 8.7 555.6 * sign verify sign/s verify/s * dsa 512 bits 0.0005s 0.0006s 2100.8 1768.3 * dsa 1024 bits 0.0014s 0.0018s 692.3 559.2 * dsa 2048 bits 0.0049s 0.0061s 204.7 165.0 * * 'apps/openssl speed rsa dsa' output with this module: * * sign verify sign/s verify/s * rsa 512 bits 0.0004s 0.0000s 2767.1 33297.9 * rsa 1024 bits 0.0012s 0.0001s 867.4 14674.7 * rsa 2048 bits 0.0061s 0.0002s 164.0 5270.0 * rsa 4096 bits 0.0384s 0.0006s 26.1 1650.8 * sign verify sign/s verify/s * dsa 512 bits 0.0002s 0.0003s 4442.2 3786.3 * dsa 1024 bits 0.0005s 0.0007s 1835.1 1497.4 * dsa 2048 bits 0.0016s 0.0020s 620.4 504.6 * * For the reference. IA-32 assembler implementation performs * very much like 64-bit code compiled with no-asm on the same * machine. */ #include <openssl/bn.h> // TODO(davidben): Get this file working on MSVC x64. #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ (defined(__GNUC__) || defined(__clang__)) #include "../internal.h" #undef mul #undef mul_add // "m"(a), "+m"(r) is the way to favor DirectPath µ-code; // "g"(0) let the compiler to decide where does it // want to keep the value of zero; #define mul_add … #define mul … #undef sqr #define sqr … BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num, BN_ULONG w) { … } BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num, BN_ULONG w) { … } void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, size_t n) { … } BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, size_t n) { … } BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, size_t n) { … } // mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) // mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) // sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) // sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) // Keep in mind that carrying into high part of multiplication result can not // overflow, because it cannot be all-ones. #define mul_add_c … #define sqr_add_c … #define mul_add_c2 … #define sqr_add_c2 … void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]) { … } void bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]) { … } void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]) { … } void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) { … } #undef mul_add #undef mul #undef sqr #undef mul_add_c #undef sqr_add_c #undef mul_add_c2 #undef sqr_add_c2 #endif // !NO_ASM && X86_64 && (__GNUC__ || __clang__)