polyval-ce-core.S source code [linux/arch/arm64/crypto/polyval-ce-core.S]

1	/ SPDX-License-Identifier: GPL-2.0 /
2	/*
3	* Implementation of POLYVAL using ARMv8 Crypto Extensions.
4	*
5	* Copyright 2021 Google LLC
6	*/
7	/*
8	* This is an efficient implementation of POLYVAL using ARMv8 Crypto Extensions
9	* It works on 8 blocks at a time, by precomputing the first 8 keys powers h^8,
10	* ..., h^1 in the POLYVAL finite field. This precomputation allows us to split
11	* finite field multiplication into two steps.
12	*
13	* In the first step, we consider h^i, m_i as normal polynomials of degree less
14	* than 128. We then compute p(x) = h^8m_0 + ... + h^1m_7 where multiplication
15	* is simply polynomial multiplication.
16	*
17	* In the second step, we compute the reduction of p(x) modulo the finite field
18	* modulus g(x) = x^128 + x^127 + x^126 + x^121 + 1.
19	*
20	* This two step process is equivalent to computing h^8m_0 + ... + h^1m_7 where
21	* multiplication is finite field multiplication. The advantage is that the
22	* two-step process only requires 1 finite field reduction for every 8
23	* polynomial multiplications. Further parallelism is gained by interleaving the
24	* multiplications and polynomial reductions.
25	*/
26
27	#include <linux/linkage.h>
28	#define STRIDE_BLOCKS 8
29
30	KEY_POWERS .req x0
31	MSG .req x1
32	BLOCKS_LEFT .req x2
33	ACCUMULATOR .req x3
34	KEY_START .req x10
35	EXTRA_BYTES .req x11
36	TMP .req x13
37
38	M0 .req v0
39	M1 .req v1
40	M2 .req v2
41	M3 .req v3
42	M4 .req v4
43	M5 .req v5
44	M6 .req v6
45	M7 .req v7
46	KEY8 .req v8
47	KEY7 .req v9
48	KEY6 .req v10
49	KEY5 .req v11
50	KEY4 .req v12
51	KEY3 .req v13
52	KEY2 .req v14
53	KEY1 .req v15
54	PL .req v16
55	PH .req v17
56	TMP_V .req v18
57	LO .req v20
58	MI .req v21
59	HI .req v22
60	SUM .req v23
61	GSTAR .req v24
62
63	.text
64
65	.arch armv8-a+crypto
66	.align `4`
67
68	.Lgstar:
69	.quad `0xc200000000000000`, `0xc200000000000000`
70
71	/*
72	* Computes the product of two 128-bit polynomials in X and Y and XORs the
73	* components of the 256-bit product into LO, MI, HI.
74	*
75	* Given:
76	* X = [X_1 : X_0]
77	* Y = [Y_1 : Y_0]
78	*
79	* We compute:
80	* LO += X_0 * Y_0
81	* MI += (X_0 + X_1) * (Y_0 + Y_1)
82	* HI += X_1 * Y_1
83	*
84	* Later, the 256-bit result can be extracted as:
85	* [HI_1 : HI_0 + HI_1 + MI_1 + LO_1 : LO_1 + HI_0 + MI_0 + LO_0 : LO_0]
86	* This step is done when computing the polynomial reduction for efficiency
87	* reasons.
88	*
89	* Karatsuba multiplication is used instead of Schoolbook multiplication because
90	* it was found to be slightly faster on ARM64 CPUs.
91	*
92	*/
93	.macro karatsuba1 X Y
94	X .req \X
95	Y .req \Y
96	ext v25`.16b`, X`.16b`, X`.16b`, #`8`
97	ext v26`.16b`, Y`.16b`, Y`.16b`, #`8`
98	eor v25`.16b`, v25`.16b`, X`.16b`
99	eor v26`.16b`, v26`.16b`, Y`.16b`
100	pmull2 v28`.1q`, X`.2d`, Y`.2d`
101	pmull v29`.1q`, X`.1d`, Y`.1d`
102	pmull v27`.1q`, v25`.1d`, v26`.1d`
103	eor HI`.16b`, HI`.16b`, v28`.16b`
104	eor LO`.16b`, LO`.16b`, v29`.16b`
105	eor MI`.16b`, MI`.16b`, v27`.16b`
106	.unreq X
107	.unreq Y
108	.endm
109
110	/*
111	* Same as karatsuba1, except overwrites HI, LO, MI rather than XORing into
112	* them.
113	*/
114	.macro karatsuba1_store X Y
115	X .req \X
116	Y .req \Y
117	ext v25`.16b`, X`.16b`, X`.16b`, #`8`
118	ext v26`.16b`, Y`.16b`, Y`.16b`, #`8`
119	eor v25`.16b`, v25`.16b`, X`.16b`
120	eor v26`.16b`, v26`.16b`, Y`.16b`
121	pmull2 HI`.1q`, X`.2d`, Y`.2d`
122	pmull LO`.1q`, X`.1d`, Y`.1d`
123	pmull MI`.1q`, v25`.1d`, v26`.1d`
124	.unreq X
125	.unreq Y
126	.endm
127
128	/*
129	* Computes the 256-bit polynomial represented by LO, HI, MI. Stores
130	* the result in PL, PH.
131	* [PH : PL] =
132	* [HI_1 : HI_1 + HI_0 + MI_1 + LO_1 : HI_0 + MI_0 + LO_1 + LO_0 : LO_0]
133	*/
134	.macro karatsuba2
135	// v4 = [HI_1 + MI_1 : HI_0 + MI_0]
136	eor v4`.16b`, HI`.16b`, MI`.16b`
137	// v4 = [HI_1 + MI_1 + LO_1 : HI_0 + MI_0 + LO_0]
138	eor v4`.16b`, v4`.16b`, LO`.16b`
139	// v5 = [HI_0 : LO_1]
140	ext v5`.16b`, LO`.16b`, HI`.16b`, #`8`
141	// v4 = [HI_1 + HI_0 + MI_1 + LO_1 : HI_0 + MI_0 + LO_1 + LO_0]
142	eor v4`.16b`, v4`.16b`, v5`.16b`
143	// HI = [HI_0 : HI_1]
144	ext HI`.16b`, HI`.16b`, HI`.16b`, #`8`
145	// LO = [LO_0 : LO_1]
146	ext LO`.16b`, LO`.16b`, LO`.16b`, #`8`
147	// PH = [HI_1 : HI_1 + HI_0 + MI_1 + LO_1]
148	ext PH`.16b`, v4`.16b`, HI`.16b`, #`8`
149	// PL = [HI_0 + MI_0 + LO_1 + LO_0 : LO_0]
150	ext PL`.16b`, LO`.16b`, v4`.16b`, #`8`
151	.endm
152
153	/*
154	* Computes the 128-bit reduction of PH : PL. Stores the result in dest.
155	*
156	* This macro computes p(x) mod g(x) where p(x) is in montgomery form and g(x) =
157	* x^128 + x^127 + x^126 + x^121 + 1.
158	*
159	* We have a 256-bit polynomial PH : PL = P_3 : P_2 : P_1 : P_0 that is the
160	* product of two 128-bit polynomials in Montgomery form. We need to reduce it
161	* mod g(x). Also, since polynomials in Montgomery form have an "extra" factor
162	* of x^128, this product has two extra factors of x^128. To get it back into
163	* Montgomery form, we need to remove one of these factors by dividing by x^128.
164	*
165	* To accomplish both of these goals, we add multiples of g(x) that cancel out
166	* the low 128 bits P_1 : P_0, leaving just the high 128 bits. Since the low
167	* bits are zero, the polynomial division by x^128 can be done by right
168	* shifting.
169	*
170	* Since the only nonzero term in the low 64 bits of g(x) is the constant term,
171	* the multiple of g(x) needed to cancel out P_0 is P_0 * g(x). The CPU can
172	* only do 64x64 bit multiplications, so split P_0 * g(x) into x^128 * P_0 +
173	* x^64 * g(x) P_0 + P_0, where g*(x) is bits 64-127 of g(x). Adding this to
174	* the original polynomial gives P_3 : P_2 + P_0 + T_1 : P_1 + T_0 : 0, where T
175	* = T_1 : T_0 = g(x) P_0. Thus, bits 0-63 got "folded" into bits 64-191.
176	*
177	* Repeating this same process on the next 64 bits "folds" bits 64-127 into bits
178	* 128-255, giving the answer in bits 128-255. This time, we need to cancel P_1
179	* + T_0 in bits 64-127. The multiple of g(x) required is (P_1 + T_0) * g(x) *
180	* x^64. Adding this to our previous computation gives P_3 + P_1 + T_0 + V_1 :
181	* P_2 + P_0 + T_1 + V_0 : 0 : 0, where V = V_1 : V_0 = g(x) (P_1 + T_0).
182	*
183	* So our final computation is:
184	* T = T_1 : T_0 = g(x) P_0
185	* V = V_1 : V_0 = g(x) (P_1 + T_0)
186	* p(x) / x^{128} mod g(x) = P_3 + P_1 + T_0 + V_1 : P_2 + P_0 + T_1 + V_0
187	*
188	* The implementation below saves a XOR instruction by computing P_1 + T_0 : P_0
189	* + T_1 and XORing into dest, rather than separately XORing P_1 : P_0 and T_0 :
190	* T_1 into dest. This allows us to reuse P_1 + T_0 when computing V.
191	*/
192	.macro montgomery_reduction dest
193	DEST .req \dest
194	// TMP_V = T_1 : T_0 = P_0 g(x)
195	pmull TMP_V`.1q`, PL`.1d`, GSTAR`.1d`
196	// TMP_V = T_0 : T_1
197	ext TMP_V`.16b`, TMP_V`.16b`, TMP_V`.16b`, #`8`
198	// TMP_V = P_1 + T_0 : P_0 + T_1
199	eor TMP_V`.16b`, PL`.16b`, TMP_V`.16b`
200	// PH = P_3 + P_1 + T_0 : P_2 + P_0 + T_1
201	eor PH`.16b`, PH`.16b`, TMP_V`.16b`
202	// TMP_V = V_1 : V_0 = (P_1 + T_0) g(x)
203	pmull2 TMP_V`.1q`, TMP_V`.2d`, GSTAR`.2d`
204	eor DEST`.16b`, PH`.16b`, TMP_V`.16b`
205	.unreq DEST
206	.endm
207
208	/*
209	* Compute Polyval on 8 blocks.
210	*
211	* If reduce is set, also computes the montgomery reduction of the
212	* previous full_stride call and XORs with the first message block.
213	* (m_0 + REDUCE(PL, PH))h^8 + ... + m_7h^1.
214	* I.e., the first multiplication uses m_0 + REDUCE(PL, PH) instead of m_0.
215	*
216	* Sets PL, PH.
217	*/
218	.macro full_stride reduce
219	eor LO`.16b`, LO`.16b`, LO`.16b`
220	eor MI`.16b`, MI`.16b`, MI`.16b`
221	eor HI`.16b`, HI`.16b`, HI`.16b`
222
223	ld1 {M0`.16b`, M1`.16b`, M2`.16b`, M3`.16b`}, [MSG], #`64`
224	ld1 {M4`.16b`, M5`.16b`, M6`.16b`, M7`.16b`}, [MSG], #`64`
225
226	karatsuba1 M7 KEY1
227	.if \reduce
228	pmull TMP_V`.1q`, PL`.1d`, GSTAR`.1d`
229	.endif
230
231	karatsuba1 M6 KEY2
232	.if \reduce
233	ext TMP_V`.16b`, TMP_V`.16b`, TMP_V`.16b`, #`8`
234	.endif
235
236	karatsuba1 M5 KEY3
237	.if \reduce
238	eor TMP_V`.16b`, PL`.16b`, TMP_V`.16b`
239	.endif
240
241	karatsuba1 M4 KEY4
242	.if \reduce
243	eor PH`.16b`, PH`.16b`, TMP_V`.16b`
244	.endif
245
246	karatsuba1 M3 KEY5
247	.if \reduce
248	pmull2 TMP_V`.1q`, TMP_V`.2d`, GSTAR`.2d`
249	.endif
250
251	karatsuba1 M2 KEY6
252	.if \reduce
253	eor SUM`.16b`, PH`.16b`, TMP_V`.16b`
254	.endif
255
256	karatsuba1 M1 KEY7
257	eor M0`.16b`, M0`.16b`, SUM`.16b`
258
259	karatsuba1 M0 KEY8
260	karatsuba2
261	.endm
262
263	/*
264	* Handle any extra blocks after full_stride loop.
265	*/
266	.macro partial_stride
267	add KEY_POWERS, KEY_START, #(STRIDE_BLOCKS << `4`)
268	sub KEY_POWERS, KEY_POWERS, BLOCKS_LEFT, lsl #`4`
269	ld1 {KEY1`.16b`}, [KEY_POWERS], #`16`
270
271	ld1 {TMP_V`.16b`}, [MSG], #`16`
272	eor SUM`.16b`, SUM`.16b`, TMP_V`.16b`
273	karatsuba1_store KEY1 SUM
274	sub BLOCKS_LEFT, BLOCKS_LEFT, #`1`
275
276	tst BLOCKS_LEFT, #`4`
277	beq .Lpartial4BlocksDone
278	ld1 {M0`.16b`, M1`.16b`, M2`.16b`, M3`.16b`}, [MSG], #`64`
279	ld1 {KEY8`.16b`, KEY7`.16b`, KEY6`.16b`, KEY5`.16b`}, [KEY_POWERS], #`64`
280	karatsuba1 M0 KEY8
281	karatsuba1 M1 KEY7
282	karatsuba1 M2 KEY6
283	karatsuba1 M3 KEY5
284	.Lpartial4BlocksDone:
285	tst BLOCKS_LEFT, #`2`
286	beq .Lpartial2BlocksDone
287	ld1 {M0`.16b`, M1`.16b`}, [MSG], #`32`
288	ld1 {KEY8`.16b`, KEY7`.16b`}, [KEY_POWERS], #`32`
289	karatsuba1 M0 KEY8
290	karatsuba1 M1 KEY7
291	.Lpartial2BlocksDone:
292	tst BLOCKS_LEFT, #`1`
293	beq .LpartialDone
294	ld1 {M0`.16b`}, [MSG], #`16`
295	ld1 {KEY8`.16b`}, [KEY_POWERS], #`16`
296	karatsuba1 M0 KEY8
297	.LpartialDone:
298	karatsuba2
299	montgomery_reduction SUM
300	.endm
301
302	/*
303	* Perform montgomery multiplication in GF(2^128) and store result in op1.
304	*
305	* Computes op1op2x^{-128} mod x^128 + x^127 + x^126 + x^121 + 1
306	* If op1, op2 are in montgomery form, this computes the montgomery
307	* form of op1*op2.
308	*
309	* void pmull_polyval_mul(u8 op1, const u8 op2);
310	*/
311	SYM_FUNC_START(pmull_polyval_mul)
312	adr TMP, .Lgstar
313	ld1 {GSTAR`.2d`}, [TMP]
314	ld1 {v0`.16b`}, [x0]
315	ld1 {v1`.16b`}, [x1]
316	karatsuba1_store v0 v1
317	karatsuba2
318	montgomery_reduction SUM
319	st1 {SUM`.16b`}, [x0]
320	ret
321	SYM_FUNC_END(pmull_polyval_mul)
322
323	/*
324	* Perform polynomial evaluation as specified by POLYVAL. This computes:
325	* h^n * accumulator + h^n * m_0 + ... + h^1 * m_{n-1}
326	* where n=nblocks, h is the hash key, and m_i are the message blocks.
327	*
328	* x0 - pointer to precomputed key powers h^8 ... h^1
329	* x1 - pointer to message blocks
330	* x2 - number of blocks to hash
331	* x3 - pointer to accumulator
332	*
333	* void pmull_polyval_update(const struct polyval_ctx ctx, const u8 in,
334	* size_t nblocks, u8 *accumulator);
335	*/
336	SYM_FUNC_START(pmull_polyval_update)
337	adr TMP, .Lgstar
338	mov KEY_START, KEY_POWERS
339	ld1 {GSTAR`.2d`}, [TMP]
340	ld1 {SUM`.16b`}, [ACCUMULATOR]
341	subs BLOCKS_LEFT, BLOCKS_LEFT, #STRIDE_BLOCKS
342	blt .LstrideLoopExit
343	ld1 {KEY8`.16b`, KEY7`.16b`, KEY6`.16b`, KEY5`.16b`}, [KEY_POWERS], #`64`
344	ld1 {KEY4`.16b`, KEY3`.16b`, KEY2`.16b`, KEY1`.16b`}, [KEY_POWERS], #`64`
345	full_stride `0`
346	subs BLOCKS_LEFT, BLOCKS_LEFT, #STRIDE_BLOCKS
347	blt .LstrideLoopExitReduce
348	.LstrideLoop:
349	full_stride `1`
350	subs BLOCKS_LEFT, BLOCKS_LEFT, #STRIDE_BLOCKS
351	bge .LstrideLoop
352	.LstrideLoopExitReduce:
353	montgomery_reduction SUM
354	.LstrideLoopExit:
355	adds BLOCKS_LEFT, BLOCKS_LEFT, #STRIDE_BLOCKS
356	beq .LskipPartial
357	partial_stride
358	.LskipPartial:
359	st1 {SUM`.16b`}, [ACCUMULATOR]
360	ret
361	SYM_FUNC_END(pmull_polyval_update)
362

source code of linux/arch/arm64/crypto/polyval-ce-core.S