3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # GHASH for for PowerISA v2.07.
14 # Accurate performance measurements are problematic, because it's
15 # always virtualized setup with possibly throttled processor.
16 # Relative comparison is therefore more informative. This initial
17 # version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
18 # faster than "4-bit" integer-only compiler-generated 64-bit code.
19 # "Initial version" means that there is room for futher improvement.
24 if ($flavour =~ /64/) {
30 } elsif ($flavour =~ /32/) {
36 } else { die "nonsense $flavour"; }
38 $0 =~ m/(.*[\/\\])[^\
/\\]+$/; $dir=$1;
39 ( $xlate="${dir}ppc-xlate.pl" and -f
$xlate ) or
40 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f
$xlate) or
41 die "can't locate ppc-xlate.pl";
43 open STDOUT
,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
45 my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
47 my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
48 my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
65 lvx_u
$H,0,r4
# load H
67 vspltisb
$xC2,-16 # 0xf0
69 vaddubm
$xC2,$xC2,$xC2 # 0xe0
70 vxor
$zero,$zero,$zero
71 vor
$xC2,$xC2,$t0 # 0xe1
72 vsldoi
$xC2,$xC2,$zero,15 # 0xe1...
73 vsldoi
$t1,$zero,$t0,1 # ...1
74 vaddubm
$xC2,$xC2,$xC2 # 0xc2...
76 vor
$xC2,$xC2,$t1 # 0xc2....01
77 vspltb
$t1,$H,0 # most significant byte
79 vsrab
$t1,$t1,$t2 # broadcast carry bit
81 vxor
$H,$H,$t1 # twisted H
83 vsldoi
$H,$H,$H,8 # twist even more ...
84 vsldoi
$xC2,$zero,$xC2,8 # 0xc2.0
85 vsldoi
$Hl,$zero,$H,8 # ... and split
88 stvx_u
$xC2,0,r3
# save pre-computed table
96 .byte
0,12,0x14,0,0,0,2,0
98 .size
.gcm_init_p8
,.-.gcm_init_p8
109 lvx_u
$IN,0,$Xip # load Xi
111 lvx_u
$Hl,r8
,$Htbl # load pre-computed table
112 le?lvsl
$lemask,r0
,r0
116 le?vxor
$lemask,$lemask,$t0
118 le?vperm
$IN,$IN,$IN,$lemask
119 vxor
$zero,$zero,$zero
121 vpmsumd
$Xl,$IN,$Hl # H.lo·Xi.lo
122 vpmsumd
$Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
123 vpmsumd
$Xh,$IN,$Hh # H.hi·Xi.hi
125 vpmsumd
$t2,$Xl,$xC2 # 1st phase
127 vsldoi
$t0,$Xm,$zero,8
128 vsldoi
$t1,$zero,$Xm,8
135 vsldoi
$t1,$Xl,$Xl,8 # 2nd phase
140 le?vperm
$Xl,$Xl,$Xl,$lemask
141 stvx_u
$Xl,0,$Xip # write out Xi
146 .byte
0,12,0x14,0,0,0,2,0
148 .size
.gcm_gmult_p8
,.-.gcm_gmult_p8
159 lvx_u
$Xl,0,$Xip # load Xi
161 lvx_u
$Hl,r8
,$Htbl # load pre-computed table
162 le?lvsl
$lemask,r0
,r0
166 le?vxor
$lemask,$lemask,$t0
168 le?vperm
$Xl,$Xl,$Xl,$lemask
169 vxor
$zero,$zero,$zero
174 le?vperm
$IN,$IN,$IN,$lemask
181 vpmsumd
$Xl,$IN,$Hl # H.lo·Xi.lo
182 subfe
. r0
,r0
,r0
# borrow?-1:0
183 vpmsumd
$Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
185 vpmsumd
$Xh,$IN,$Hh # H.hi·Xi.hi
188 vpmsumd
$t2,$Xl,$xC2 # 1st phase
190 vsldoi
$t0,$Xm,$zero,8
191 vsldoi
$t1,$zero,$Xm,8
200 vsldoi
$t1,$Xl,$Xl,8 # 2nd phase
202 le?vperm
$IN,$IN,$IN,$lemask
206 beq Loop
# did $len-=16 borrow?
209 le?vperm
$Xl,$Xl,$Xl,$lemask
210 stvx_u
$Xl,0,$Xip # write out Xi
215 .byte
0,12,0x14,0,0,0,4,0
217 .size
.gcm_ghash_p8
,.-.gcm_ghash_p8
219 .asciz
"GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
223 foreach (split("\n",$code)) {
224 if ($flavour =~ /le$/o) { # little-endian
234 close STDOUT
; # enforce flush
