Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 94b1c249a1
Branches Tags
ydb
/
contrib
/
libs
/
openssl
/
asm
/
aarch64
/
crypto
/
bn
/
armv8-mont.S

armv8-mont.S 30 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408 
  1. .text
    2. 

  2. 

  3. .globl	bn_mul_mont
    4. 

  4. .type	bn_mul_mont,%function
    5. 

  5. .align	5
    6. 

  6. bn_mul_mont:
    7. 

  7. 	tst	x5,#7
    8. 

  8. 	b.eq	__bn_sqr8x_mont
    9. 

  9. 	tst	x5,#3
    10. 

  10. 	b.eq	__bn_mul4x_mont
    11. 

  11. .Lmul_mont:
    12. 

  12. 	stp	x29,x30,[sp,#-64]!
    13. 

  13. 	add	x29,sp,#0
    14. 

  14. 	stp	x19,x20,[sp,#16]
    15. 

  15. 	stp	x21,x22,[sp,#32]
    16. 

  16. 	stp	x23,x24,[sp,#48]
    17. 

  17. 

  18. 	ldr	x9,[x2],#8		// bp[0]
    19. 

  19. 	sub	x22,sp,x5,lsl#3
    20. 

  20. 	ldp	x7,x8,[x1],#16	// ap[0..1]
    21. 

  21. 	lsl	x5,x5,#3
    22. 

  22. 	ldr	x4,[x4]		// *n0
    23. 

  23. 	and	x22,x22,#-16		// ABI says so
    24. 

  24. 	ldp	x13,x14,[x3],#16	// np[0..1]
    25. 

  25. 

  26. 	mul	x6,x7,x9		// ap[0]*bp[0]
    27. 

  27. 	sub	x21,x5,#16		// j=num-2
    28. 

  28. 	umulh	x7,x7,x9
    29. 

  29. 	mul	x10,x8,x9		// ap[1]*bp[0]
    30. 

  30. 	umulh	x11,x8,x9
    31. 

  31. 

  32. 	mul	x15,x6,x4		// "tp[0]"*n0
    33. 

  33. 	mov	sp,x22			// alloca
    34. 

  34. 

  35. 	// (*)	mul	x12,x13,x15	// np[0]*m1
    36. 

  36. 	umulh	x13,x13,x15
    37. 

  37. 	mul	x16,x14,x15		// np[1]*m1
    38. 

  38. 	// (*)	adds	x12,x12,x6	// discarded
    39. 

  39. 	// (*)	As for removal of first multiplication and addition
    40. 

  40. 	//	instructions. The outcome of first addition is
    41. 

  41. 	//	guaranteed to be zero, which leaves two computationally
    42. 

  42. 	//	significant outcomes: it either carries or not. Then
    43. 

  43. 	//	question is when does it carry? Is there alternative
    44. 

  44. 	//	way to deduce it? If you follow operations, you can
    45. 

  45. 	//	observe that condition for carry is quite simple:
    46. 

  46. 	//	x6 being non-zero. So that carry can be calculated
    47. 

  47. 	//	by adding -1 to x6. That's what next instruction does.
    48. 

  48. 	subs	xzr,x6,#1		// (*)
    49. 

  49. 	umulh	x17,x14,x15
    50. 

  50. 	adc	x13,x13,xzr
    51. 

  51. 	cbz	x21,.L1st_skip
    52. 

  52. 

  53. .L1st:
    54. 

  54. 	ldr	x8,[x1],#8
    55. 

  55. 	adds	x6,x10,x7
    56. 

  56. 	sub	x21,x21,#8		// j--
    57. 

  57. 	adc	x7,x11,xzr
    58. 

  58. 

  59. 	ldr	x14,[x3],#8
    60. 

  60. 	adds	x12,x16,x13
    61. 

  61. 	mul	x10,x8,x9		// ap[j]*bp[0]
    62. 

  62. 	adc	x13,x17,xzr
    63. 

  63. 	umulh	x11,x8,x9
    64. 

  64. 

  65. 	adds	x12,x12,x6
    66. 

  66. 	mul	x16,x14,x15		// np[j]*m1
    67. 

  67. 	adc	x13,x13,xzr
    68. 

  68. 	umulh	x17,x14,x15
    69. 

  69. 	str	x12,[x22],#8		// tp[j-1]
    70. 

  70. 	cbnz	x21,.L1st
    71. 

  71. 

  72. .L1st_skip:
    73. 

  73. 	adds	x6,x10,x7
    74. 

  74. 	sub	x1,x1,x5		// rewind x1
    75. 

  75. 	adc	x7,x11,xzr
    76. 

  76. 

  77. 	adds	x12,x16,x13
    78. 

  78. 	sub	x3,x3,x5		// rewind x3
    79. 

  79. 	adc	x13,x17,xzr
    80. 

  80. 

  81. 	adds	x12,x12,x6
    82. 

  82. 	sub	x20,x5,#8		// i=num-1
    83. 

  83. 	adcs	x13,x13,x7
    84. 

  84. 

  85. 	adc	x19,xzr,xzr		// upmost overflow bit
    86. 

  86. 	stp	x12,x13,[x22]
    87. 

  87. 

  88. .Louter:
    89. 

  89. 	ldr	x9,[x2],#8		// bp[i]
    90. 

  90. 	ldp	x7,x8,[x1],#16
    91. 

  91. 	ldr	x23,[sp]		// tp[0]
    92. 

  92. 	add	x22,sp,#8
    93. 

  93. 

  94. 	mul	x6,x7,x9		// ap[0]*bp[i]
    95. 

  95. 	sub	x21,x5,#16		// j=num-2
    96. 

  96. 	umulh	x7,x7,x9
    97. 

  97. 	ldp	x13,x14,[x3],#16
    98. 

  98. 	mul	x10,x8,x9		// ap[1]*bp[i]
    99. 

  99. 	adds	x6,x6,x23
    100. 

  100. 	umulh	x11,x8,x9
    101. 

  101. 	adc	x7,x7,xzr
    102. 

  102. 

  103. 	mul	x15,x6,x4
    104. 

  104. 	sub	x20,x20,#8		// i--
    105. 

  105. 

  106. 	// (*)	mul	x12,x13,x15	// np[0]*m1
    107. 

  107. 	umulh	x13,x13,x15
    108. 

  108. 	mul	x16,x14,x15		// np[1]*m1
    109. 

  109. 	// (*)	adds	x12,x12,x6
    110. 

  110. 	subs	xzr,x6,#1		// (*)
    111. 

  111. 	umulh	x17,x14,x15
    112. 

  112. 	cbz	x21,.Linner_skip
    113. 

  113. 

  114. .Linner:
    115. 

  115. 	ldr	x8,[x1],#8
    116. 

  116. 	adc	x13,x13,xzr
    117. 

  117. 	ldr	x23,[x22],#8		// tp[j]
    118. 

  118. 	adds	x6,x10,x7
    119. 

  119. 	sub	x21,x21,#8		// j--
    120. 

  120. 	adc	x7,x11,xzr
    121. 

  121. 

  122. 	adds	x12,x16,x13
    123. 

  123. 	ldr	x14,[x3],#8
    124. 

  124. 	adc	x13,x17,xzr
    125. 

  125. 

  126. 	mul	x10,x8,x9		// ap[j]*bp[i]
    127. 

  127. 	adds	x6,x6,x23
    128. 

  128. 	umulh	x11,x8,x9
    129. 

  129. 	adc	x7,x7,xzr
    130. 

  130. 

  131. 	mul	x16,x14,x15		// np[j]*m1
    132. 

  132. 	adds	x12,x12,x6
    133. 

  133. 	umulh	x17,x14,x15
    134. 

  134. 	str	x12,[x22,#-16]		// tp[j-1]
    135. 

  135. 	cbnz	x21,.Linner
    136. 

  136. 

  137. .Linner_skip:
    138. 

  138. 	ldr	x23,[x22],#8		// tp[j]
    139. 

  139. 	adc	x13,x13,xzr
    140. 

  140. 	adds	x6,x10,x7
    141. 

  141. 	sub	x1,x1,x5		// rewind x1
    142. 

  142. 	adc	x7,x11,xzr
    143. 

  143. 

  144. 	adds	x12,x16,x13
    145. 

  145. 	sub	x3,x3,x5		// rewind x3
    146. 

  146. 	adcs	x13,x17,x19
    147. 

  147. 	adc	x19,xzr,xzr
    148. 

  148. 

  149. 	adds	x6,x6,x23
    150. 

  150. 	adc	x7,x7,xzr
    151. 

  151. 

  152. 	adds	x12,x12,x6
    153. 

  153. 	adcs	x13,x13,x7
    154. 

  154. 	adc	x19,x19,xzr		// upmost overflow bit
    155. 

  155. 	stp	x12,x13,[x22,#-16]
    156. 

  156. 

  157. 	cbnz	x20,.Louter
    158. 

  158. 

  159. 	// Final step. We see if result is larger than modulus, and
    160. 

  160. 	// if it is, subtract the modulus. But comparison implies
    161. 

  161. 	// subtraction. So we subtract modulus, see if it borrowed,
    162. 

  162. 	// and conditionally copy original value.
    163. 

  163. 	ldr	x23,[sp]		// tp[0]
    164. 

  164. 	add	x22,sp,#8
    165. 

  165. 	ldr	x14,[x3],#8		// np[0]
    166. 

  166. 	subs	x21,x5,#8		// j=num-1 and clear borrow
    167. 

  167. 	mov	x1,x0
    168. 

  168. .Lsub:
    169. 

  169. 	sbcs	x8,x23,x14		// tp[j]-np[j]
    170. 

  170. 	ldr	x23,[x22],#8
    171. 

  171. 	sub	x21,x21,#8		// j--
    172. 

  172. 	ldr	x14,[x3],#8
    173. 

  173. 	str	x8,[x1],#8		// rp[j]=tp[j]-np[j]
    174. 

  174. 	cbnz	x21,.Lsub
    175. 

  175. 

  176. 	sbcs	x8,x23,x14
    177. 

  177. 	sbcs	x19,x19,xzr		// did it borrow?
    178. 

  178. 	str	x8,[x1],#8		// rp[num-1]
    179. 

  179. 

  180. 	ldr	x23,[sp]		// tp[0]
    181. 

  181. 	add	x22,sp,#8
    182. 

  182. 	ldr	x8,[x0],#8		// rp[0]
    183. 

  183. 	sub	x5,x5,#8		// num--
    184. 

  184. 	nop
    185. 

  185. .Lcond_copy:
    186. 

  186. 	sub	x5,x5,#8		// num--
    187. 

  187. 	csel	x14,x23,x8,lo		// did it borrow?
    188. 

  188. 	ldr	x23,[x22],#8
    189. 

  189. 	ldr	x8,[x0],#8
    190. 

  190. 	str	xzr,[x22,#-16]		// wipe tp
    191. 

  191. 	str	x14,[x0,#-16]
    192. 

  192. 	cbnz	x5,.Lcond_copy
    193. 

  193. 

  194. 	csel	x14,x23,x8,lo
    195. 

  195. 	str	xzr,[x22,#-8]		// wipe tp
    196. 

  196. 	str	x14,[x0,#-8]
    197. 

  197. 

  198. 	ldp	x19,x20,[x29,#16]
    199. 

  199. 	mov	sp,x29
    200. 

  200. 	ldp	x21,x22,[x29,#32]
    201. 

  201. 	mov	x0,#1
    202. 

  202. 	ldp	x23,x24,[x29,#48]
    203. 

  203. 	ldr	x29,[sp],#64
    204. 

  204. 	ret
    205. 

  205. .size	bn_mul_mont,.-bn_mul_mont
    206. 

  206. .type	__bn_sqr8x_mont,%function
    207. 

  207. .align	5
    208. 

  208. __bn_sqr8x_mont:
    209. 

  209. 	cmp	x1,x2
    210. 

  210. 	b.ne	__bn_mul4x_mont
    211. 

  211. .Lsqr8x_mont:
    212. 

  212. .inst	0xd503233f		// paciasp
    213. 

  213. 	stp	x29,x30,[sp,#-128]!
    214. 

  214. 	add	x29,sp,#0
    215. 

  215. 	stp	x19,x20,[sp,#16]
    216. 

  216. 	stp	x21,x22,[sp,#32]
    217. 

  217. 	stp	x23,x24,[sp,#48]
    218. 

  218. 	stp	x25,x26,[sp,#64]
    219. 

  219. 	stp	x27,x28,[sp,#80]
    220. 

  220. 	stp	x0,x3,[sp,#96]	// offload rp and np
    221. 

  221. 

  222. 	ldp	x6,x7,[x1,#8*0]
    223. 

  223. 	ldp	x8,x9,[x1,#8*2]
    224. 

  224. 	ldp	x10,x11,[x1,#8*4]
    225. 

  225. 	ldp	x12,x13,[x1,#8*6]
    226. 

  226. 

  227. 	sub	x2,sp,x5,lsl#4
    228. 

  228. 	lsl	x5,x5,#3
    229. 

  229. 	ldr	x4,[x4]		// *n0
    230. 

  230. 	mov	sp,x2			// alloca
    231. 

  231. 	sub	x27,x5,#8*8
    232. 

  232. 	b	.Lsqr8x_zero_start
    233. 

  233. 

  234. .Lsqr8x_zero:
    235. 

  235. 	sub	x27,x27,#8*8
    236. 

  236. 	stp	xzr,xzr,[x2,#8*0]
    237. 

  237. 	stp	xzr,xzr,[x2,#8*2]
    238. 

  238. 	stp	xzr,xzr,[x2,#8*4]
    239. 

  239. 	stp	xzr,xzr,[x2,#8*6]
    240. 

  240. .Lsqr8x_zero_start:
    241. 

  241. 	stp	xzr,xzr,[x2,#8*8]
    242. 

  242. 	stp	xzr,xzr,[x2,#8*10]
    243. 

  243. 	stp	xzr,xzr,[x2,#8*12]
    244. 

  244. 	stp	xzr,xzr,[x2,#8*14]
    245. 

  245. 	add	x2,x2,#8*16
    246. 

  246. 	cbnz	x27,.Lsqr8x_zero
    247. 

  247. 

  248. 	add	x3,x1,x5
    249. 

  249. 	add	x1,x1,#8*8
    250. 

  250. 	mov	x19,xzr
    251. 

  251. 	mov	x20,xzr
    252. 

  252. 	mov	x21,xzr
    253. 

  253. 	mov	x22,xzr
    254. 

  254. 	mov	x23,xzr
    255. 

  255. 	mov	x24,xzr
    256. 

  256. 	mov	x25,xzr
    257. 

  257. 	mov	x26,xzr
    258. 

  258. 	mov	x2,sp
    259. 

  259. 	str	x4,[x29,#112]		// offload n0
    260. 

  260. 

  261. 	// Multiply everything but a[i]*a[i]
    262. 

  262. .align	4
    263. 

  263. .Lsqr8x_outer_loop:
    264. 

  264.         //                                                 a[1]a[0]	(i)
    265. 

  265.         //                                             a[2]a[0]
    266. 

  266.         //                                         a[3]a[0]
    267. 

  267.         //                                     a[4]a[0]
    268. 

  268.         //                                 a[5]a[0]
    269. 

  269.         //                             a[6]a[0]
    270. 

  270.         //                         a[7]a[0]
    271. 

  271.         //                                         a[2]a[1]		(ii)
    272. 

  272.         //                                     a[3]a[1]
    273. 

  273.         //                                 a[4]a[1]
    274. 

  274.         //                             a[5]a[1]
    275. 

  275.         //                         a[6]a[1]
    276. 

  276.         //                     a[7]a[1]
    277. 

  277.         //                                 a[3]a[2]			(iii)
    278. 

  278.         //                             a[4]a[2]
    279. 

  279.         //                         a[5]a[2]
    280. 

  280.         //                     a[6]a[2]
    281. 

  281.         //                 a[7]a[2]
    282. 

  282.         //                         a[4]a[3]				(iv)
    283. 

  283.         //                     a[5]a[3]
    284. 

  284.         //                 a[6]a[3]
    285. 

  285.         //             a[7]a[3]
    286. 

  286.         //                 a[5]a[4]					(v)
    287. 

  287.         //             a[6]a[4]
    288. 

  288.         //         a[7]a[4]
    289. 

  289.         //         a[6]a[5]						(vi)
    290. 

  290.         //     a[7]a[5]
    291. 

  291.         // a[7]a[6]							(vii)
    292. 

  292. 

  293. 	mul	x14,x7,x6		// lo(a[1..7]*a[0])		(i)
    294. 

  294. 	mul	x15,x8,x6
    295. 

  295. 	mul	x16,x9,x6
    296. 

  296. 	mul	x17,x10,x6
    297. 

  297. 	adds	x20,x20,x14		// t[1]+lo(a[1]*a[0])
    298. 

  298. 	mul	x14,x11,x6
    299. 

  299. 	adcs	x21,x21,x15
    300. 

  300. 	mul	x15,x12,x6
    301. 

  301. 	adcs	x22,x22,x16
    302. 

  302. 	mul	x16,x13,x6
    303. 

  303. 	adcs	x23,x23,x17
    304. 

  304. 	umulh	x17,x7,x6		// hi(a[1..7]*a[0])
    305. 

  305. 	adcs	x24,x24,x14
    306. 

  306. 	umulh	x14,x8,x6
    307. 

  307. 	adcs	x25,x25,x15
    308. 

  308. 	umulh	x15,x9,x6
    309. 

  309. 	adcs	x26,x26,x16
    310. 

  310. 	umulh	x16,x10,x6
    311. 

  311. 	stp	x19,x20,[x2],#8*2	// t[0..1]
    312. 

  312. 	adc	x19,xzr,xzr		// t[8]
    313. 

  313. 	adds	x21,x21,x17		// t[2]+lo(a[1]*a[0])
    314. 

  314. 	umulh	x17,x11,x6
    315. 

  315. 	adcs	x22,x22,x14
    316. 

  316. 	umulh	x14,x12,x6
    317. 

  317. 	adcs	x23,x23,x15
    318. 

  318. 	umulh	x15,x13,x6
    319. 

  319. 	adcs	x24,x24,x16
    320. 

  320. 	mul	x16,x8,x7		// lo(a[2..7]*a[1])		(ii)
    321. 

  321. 	adcs	x25,x25,x17
    322. 

  322. 	mul	x17,x9,x7
    323. 

  323. 	adcs	x26,x26,x14
    324. 

  324. 	mul	x14,x10,x7
    325. 

  325. 	adc	x19,x19,x15
    326. 

  326. 

  327. 	mul	x15,x11,x7
    328. 

  328. 	adds	x22,x22,x16
    329. 

  329. 	mul	x16,x12,x7
    330. 

  330. 	adcs	x23,x23,x17
    331. 

  331. 	mul	x17,x13,x7
    332. 

  332. 	adcs	x24,x24,x14
    333. 

  333. 	umulh	x14,x8,x7		// hi(a[2..7]*a[1])
    334. 

  334. 	adcs	x25,x25,x15
    335. 

  335. 	umulh	x15,x9,x7
    336. 

  336. 	adcs	x26,x26,x16
    337. 

  337. 	umulh	x16,x10,x7
    338. 

  338. 	adcs	x19,x19,x17
    339. 

  339. 	umulh	x17,x11,x7
    340. 

  340. 	stp	x21,x22,[x2],#8*2	// t[2..3]
    341. 

  341. 	adc	x20,xzr,xzr		// t[9]
    342. 

  342. 	adds	x23,x23,x14
    343. 

  343. 	umulh	x14,x12,x7
    344. 

  344. 	adcs	x24,x24,x15
    345. 

  345. 	umulh	x15,x13,x7
    346. 

  346. 	adcs	x25,x25,x16
    347. 

  347. 	mul	x16,x9,x8		// lo(a[3..7]*a[2])		(iii)
    348. 

  348. 	adcs	x26,x26,x17
    349. 

  349. 	mul	x17,x10,x8
    350. 

  350. 	adcs	x19,x19,x14
    351. 

  351. 	mul	x14,x11,x8
    352. 

  352. 	adc	x20,x20,x15
    353. 

  353. 

  354. 	mul	x15,x12,x8
    355. 

  355. 	adds	x24,x24,x16
    356. 

  356. 	mul	x16,x13,x8
    357. 

  357. 	adcs	x25,x25,x17
    358. 

  358. 	umulh	x17,x9,x8		// hi(a[3..7]*a[2])
    359. 

  359. 	adcs	x26,x26,x14
    360. 

  360. 	umulh	x14,x10,x8
    361. 

  361. 	adcs	x19,x19,x15
    362. 

  362. 	umulh	x15,x11,x8
    363. 

  363. 	adcs	x20,x20,x16
    364. 

  364. 	umulh	x16,x12,x8
    365. 

  365. 	stp	x23,x24,[x2],#8*2	// t[4..5]
    366. 

  366. 	adc	x21,xzr,xzr		// t[10]
    367. 

  367. 	adds	x25,x25,x17
    368. 

  368. 	umulh	x17,x13,x8
    369. 

  369. 	adcs	x26,x26,x14
    370. 

  370. 	mul	x14,x10,x9		// lo(a[4..7]*a[3])		(iv)
    371. 

  371. 	adcs	x19,x19,x15
    372. 

  372. 	mul	x15,x11,x9
    373. 

  373. 	adcs	x20,x20,x16
    374. 

  374. 	mul	x16,x12,x9
    375. 

  375. 	adc	x21,x21,x17
    376. 

  376. 

  377. 	mul	x17,x13,x9
    378. 

  378. 	adds	x26,x26,x14
    379. 

  379. 	umulh	x14,x10,x9		// hi(a[4..7]*a[3])
    380. 

  380. 	adcs	x19,x19,x15
    381. 

  381. 	umulh	x15,x11,x9
    382. 

  382. 	adcs	x20,x20,x16
    383. 

  383. 	umulh	x16,x12,x9
    384. 

  384. 	adcs	x21,x21,x17
    385. 

  385. 	umulh	x17,x13,x9
    386. 

  386. 	stp	x25,x26,[x2],#8*2	// t[6..7]
    387. 

  387. 	adc	x22,xzr,xzr		// t[11]
    388. 

  388. 	adds	x19,x19,x14
    389. 

  389. 	mul	x14,x11,x10		// lo(a[5..7]*a[4])		(v)
    390. 

  390. 	adcs	x20,x20,x15
    391. 

  391. 	mul	x15,x12,x10
    392. 

  392. 	adcs	x21,x21,x16
    393. 

  393. 	mul	x16,x13,x10
    394. 

  394. 	adc	x22,x22,x17
    395. 

  395. 

  396. 	umulh	x17,x11,x10		// hi(a[5..7]*a[4])
    397. 

  397. 	adds	x20,x20,x14
    398. 

  398. 	umulh	x14,x12,x10
    399. 

  399. 	adcs	x21,x21,x15
    400. 

  400. 	umulh	x15,x13,x10
    401. 

  401. 	adcs	x22,x22,x16
    402. 

  402. 	mul	x16,x12,x11		// lo(a[6..7]*a[5])		(vi)
    403. 

  403. 	adc	x23,xzr,xzr		// t[12]
    404. 

  404. 	adds	x21,x21,x17
    405. 

  405. 	mul	x17,x13,x11
    406. 

  406. 	adcs	x22,x22,x14
    407. 

  407. 	umulh	x14,x12,x11		// hi(a[6..7]*a[5])
    408. 

  408. 	adc	x23,x23,x15
    409. 

  409. 

  410. 	umulh	x15,x13,x11
    411. 

  411. 	adds	x22,x22,x16
    412. 

  412. 	mul	x16,x13,x12		// lo(a[7]*a[6])		(vii)
    413. 

  413. 	adcs	x23,x23,x17
    414. 

  414. 	umulh	x17,x13,x12		// hi(a[7]*a[6])
    415. 

  415. 	adc	x24,xzr,xzr		// t[13]
    416. 

  416. 	adds	x23,x23,x14
    417. 

  417. 	sub	x27,x3,x1	// done yet?
    418. 

  418. 	adc	x24,x24,x15
    419. 

  419. 

  420. 	adds	x24,x24,x16
    421. 

  421. 	sub	x14,x3,x5	// rewinded ap
    422. 

  422. 	adc	x25,xzr,xzr		// t[14]
    423. 

  423. 	add	x25,x25,x17
    424. 

  424. 

  425. 	cbz	x27,.Lsqr8x_outer_break
    426. 

  426. 

  427. 	mov	x4,x6
    428. 

  428. 	ldp	x6,x7,[x2,#8*0]
    429. 

  429. 	ldp	x8,x9,[x2,#8*2]
    430. 

  430. 	ldp	x10,x11,[x2,#8*4]
    431. 

  431. 	ldp	x12,x13,[x2,#8*6]
    432. 

  432. 	adds	x19,x19,x6
    433. 

  433. 	adcs	x20,x20,x7
    434. 

  434. 	ldp	x6,x7,[x1,#8*0]
    435. 

  435. 	adcs	x21,x21,x8
    436. 

  436. 	adcs	x22,x22,x9
    437. 

  437. 	ldp	x8,x9,[x1,#8*2]
    438. 

  438. 	adcs	x23,x23,x10
    439. 

  439. 	adcs	x24,x24,x11
    440. 

  440. 	ldp	x10,x11,[x1,#8*4]
    441. 

  441. 	adcs	x25,x25,x12
    442. 

  442. 	mov	x0,x1
    443. 

  443. 	adcs	x26,xzr,x13
    444. 

  444. 	ldp	x12,x13,[x1,#8*6]
    445. 

  445. 	add	x1,x1,#8*8
    446. 

  446. 	//adc	x28,xzr,xzr		// moved below
    447. 

  447. 	mov	x27,#-8*8
    448. 

  448. 

  449. 	//                                                         a[8]a[0]
    450. 

  450. 	//                                                     a[9]a[0]
    451. 

  451. 	//                                                 a[a]a[0]
    452. 

  452. 	//                                             a[b]a[0]
    453. 

  453. 	//                                         a[c]a[0]
    454. 

  454. 	//                                     a[d]a[0]
    455. 

  455. 	//                                 a[e]a[0]
    456. 

  456. 	//                             a[f]a[0]
    457. 

  457. 	//                                                     a[8]a[1]
    458. 

  458. 	//                         a[f]a[1]........................
    459. 

  459. 	//                                                 a[8]a[2]
    460. 

  460. 	//                     a[f]a[2]........................
    461. 

  461. 	//                                             a[8]a[3]
    462. 

  462. 	//                 a[f]a[3]........................
    463. 

  463. 	//                                         a[8]a[4]
    464. 

  464. 	//             a[f]a[4]........................
    465. 

  465. 	//                                     a[8]a[5]
    466. 

  466. 	//         a[f]a[5]........................
    467. 

  467. 	//                                 a[8]a[6]
    468. 

  468. 	//     a[f]a[6]........................
    469. 

  469. 	//                             a[8]a[7]
    470. 

  470. 	// a[f]a[7]........................
    471. 

  471. .Lsqr8x_mul:
    472. 

  472. 	mul	x14,x6,x4
    473. 

  473. 	adc	x28,xzr,xzr		// carry bit, modulo-scheduled
    474. 

  474. 	mul	x15,x7,x4
    475. 

  475. 	add	x27,x27,#8
    476. 

  476. 	mul	x16,x8,x4
    477. 

  477. 	mul	x17,x9,x4
    478. 

  478. 	adds	x19,x19,x14
    479. 

  479. 	mul	x14,x10,x4
    480. 

  480. 	adcs	x20,x20,x15
    481. 

  481. 	mul	x15,x11,x4
    482. 

  482. 	adcs	x21,x21,x16
    483. 

  483. 	mul	x16,x12,x4
    484. 

  484. 	adcs	x22,x22,x17
    485. 

  485. 	mul	x17,x13,x4
    486. 

  486. 	adcs	x23,x23,x14
    487. 

  487. 	umulh	x14,x6,x4
    488. 

  488. 	adcs	x24,x24,x15
    489. 

  489. 	umulh	x15,x7,x4
    490. 

  490. 	adcs	x25,x25,x16
    491. 

  491. 	umulh	x16,x8,x4
    492. 

  492. 	adcs	x26,x26,x17
    493. 

  493. 	umulh	x17,x9,x4
    494. 

  494. 	adc	x28,x28,xzr
    495. 

  495. 	str	x19,[x2],#8
    496. 

  496. 	adds	x19,x20,x14
    497. 

  497. 	umulh	x14,x10,x4
    498. 

  498. 	adcs	x20,x21,x15
    499. 

  499. 	umulh	x15,x11,x4
    500. 

  500. 	adcs	x21,x22,x16
    501. 

  501. 	umulh	x16,x12,x4
    502. 

  502. 	adcs	x22,x23,x17
    503. 

  503. 	umulh	x17,x13,x4
    504. 

  504. 	ldr	x4,[x0,x27]
    505. 

  505. 	adcs	x23,x24,x14
    506. 

  506. 	adcs	x24,x25,x15
    507. 

  507. 	adcs	x25,x26,x16
    508. 

  508. 	adcs	x26,x28,x17
    509. 

  509. 	//adc	x28,xzr,xzr		// moved above
    510. 

  510. 	cbnz	x27,.Lsqr8x_mul
    511. 

  511. 					// note that carry flag is guaranteed
    512. 

  512. 					// to be zero at this point
    513. 

  513. 	cmp	x1,x3		// done yet?
    514. 

  514. 	b.eq	.Lsqr8x_break
    515. 

  515. 

  516. 	ldp	x6,x7,[x2,#8*0]
    517. 

  517. 	ldp	x8,x9,[x2,#8*2]
    518. 

  518. 	ldp	x10,x11,[x2,#8*4]
    519. 

  519. 	ldp	x12,x13,[x2,#8*6]
    520. 

  520. 	adds	x19,x19,x6
    521. 

  521. 	ldr	x4,[x0,#-8*8]
    522. 

  522. 	adcs	x20,x20,x7
    523. 

  523. 	ldp	x6,x7,[x1,#8*0]
    524. 

  524. 	adcs	x21,x21,x8
    525. 

  525. 	adcs	x22,x22,x9
    526. 

  526. 	ldp	x8,x9,[x1,#8*2]
    527. 

  527. 	adcs	x23,x23,x10
    528. 

  528. 	adcs	x24,x24,x11
    529. 

  529. 	ldp	x10,x11,[x1,#8*4]
    530. 

  530. 	adcs	x25,x25,x12
    531. 

  531. 	mov	x27,#-8*8
    532. 

  532. 	adcs	x26,x26,x13
    533. 

  533. 	ldp	x12,x13,[x1,#8*6]
    534. 

  534. 	add	x1,x1,#8*8
    535. 

  535. 	//adc	x28,xzr,xzr		// moved above
    536. 

  536. 	b	.Lsqr8x_mul
    537. 

  537. 

  538. .align	4
    539. 

  539. .Lsqr8x_break:
    540. 

  540. 	ldp	x6,x7,[x0,#8*0]
    541. 

  541. 	add	x1,x0,#8*8
    542. 

  542. 	ldp	x8,x9,[x0,#8*2]
    543. 

  543. 	sub	x14,x3,x1		// is it last iteration?
    544. 

  544. 	ldp	x10,x11,[x0,#8*4]
    545. 

  545. 	sub	x15,x2,x14
    546. 

  546. 	ldp	x12,x13,[x0,#8*6]
    547. 

  547. 	cbz	x14,.Lsqr8x_outer_loop
    548. 

  548. 

  549. 	stp	x19,x20,[x2,#8*0]
    550. 

  550. 	ldp	x19,x20,[x15,#8*0]
    551. 

  551. 	stp	x21,x22,[x2,#8*2]
    552. 

  552. 	ldp	x21,x22,[x15,#8*2]
    553. 

  553. 	stp	x23,x24,[x2,#8*4]
    554. 

  554. 	ldp	x23,x24,[x15,#8*4]
    555. 

  555. 	stp	x25,x26,[x2,#8*6]
    556. 

  556. 	mov	x2,x15
    557. 

  557. 	ldp	x25,x26,[x15,#8*6]
    558. 

  558. 	b	.Lsqr8x_outer_loop
    559. 

  559. 

  560. .align	4
    561. 

  561. .Lsqr8x_outer_break:
    562. 

  562. 	// Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]
    563. 

  563. 	ldp	x7,x9,[x14,#8*0]	// recall that x14 is &a[0]
    564. 

  564. 	ldp	x15,x16,[sp,#8*1]
    565. 

  565. 	ldp	x11,x13,[x14,#8*2]
    566. 

  566. 	add	x1,x14,#8*4
    567. 

  567. 	ldp	x17,x14,[sp,#8*3]
    568. 

  568. 

  569. 	stp	x19,x20,[x2,#8*0]
    570. 

  570. 	mul	x19,x7,x7
    571. 

  571. 	stp	x21,x22,[x2,#8*2]
    572. 

  572. 	umulh	x7,x7,x7
    573. 

  573. 	stp	x23,x24,[x2,#8*4]
    574. 

  574. 	mul	x8,x9,x9
    575. 

  575. 	stp	x25,x26,[x2,#8*6]
    576. 

  576. 	mov	x2,sp
    577. 

  577. 	umulh	x9,x9,x9
    578. 

  578. 	adds	x20,x7,x15,lsl#1
    579. 

  579. 	extr	x15,x16,x15,#63
    580. 

  580. 	sub	x27,x5,#8*4
    581. 

  581. 

  582. .Lsqr4x_shift_n_add:
    583. 

  583. 	adcs	x21,x8,x15
    584. 

  584. 	extr	x16,x17,x16,#63
    585. 

  585. 	sub	x27,x27,#8*4
    586. 

  586. 	adcs	x22,x9,x16
    587. 

  587. 	ldp	x15,x16,[x2,#8*5]
    588. 

  588. 	mul	x10,x11,x11
    589. 

  589. 	ldp	x7,x9,[x1],#8*2
    590. 

  590. 	umulh	x11,x11,x11
    591. 

  591. 	mul	x12,x13,x13
    592. 

  592. 	umulh	x13,x13,x13
    593. 

  593. 	extr	x17,x14,x17,#63
    594. 

  594. 	stp	x19,x20,[x2,#8*0]
    595. 

  595. 	adcs	x23,x10,x17
    596. 

  596. 	extr	x14,x15,x14,#63
    597. 

  597. 	stp	x21,x22,[x2,#8*2]
    598. 

  598. 	adcs	x24,x11,x14
    599. 

  599. 	ldp	x17,x14,[x2,#8*7]
    600. 

  600. 	extr	x15,x16,x15,#63
    601. 

  601. 	adcs	x25,x12,x15
    602. 

  602. 	extr	x16,x17,x16,#63
    603. 

  603. 	adcs	x26,x13,x16
    604. 

  604. 	ldp	x15,x16,[x2,#8*9]
    605. 

  605. 	mul	x6,x7,x7
    606. 

  606. 	ldp	x11,x13,[x1],#8*2
    607. 

  607. 	umulh	x7,x7,x7
    608. 

  608. 	mul	x8,x9,x9
    609. 

  609. 	umulh	x9,x9,x9
    610. 

  610. 	stp	x23,x24,[x2,#8*4]
    611. 

  611. 	extr	x17,x14,x17,#63
    612. 

  612. 	stp	x25,x26,[x2,#8*6]
    613. 

  613. 	add	x2,x2,#8*8
    614. 

  614. 	adcs	x19,x6,x17
    615. 

  615. 	extr	x14,x15,x14,#63
    616. 

  616. 	adcs	x20,x7,x14
    617. 

  617. 	ldp	x17,x14,[x2,#8*3]
    618. 

  618. 	extr	x15,x16,x15,#63
    619. 

  619. 	cbnz	x27,.Lsqr4x_shift_n_add
    620. 

  620. 	ldp	x1,x4,[x29,#104]	// pull np and n0
    621. 

  621. 

  622. 	adcs	x21,x8,x15
    623. 

  623. 	extr	x16,x17,x16,#63
    624. 

  624. 	adcs	x22,x9,x16
    625. 

  625. 	ldp	x15,x16,[x2,#8*5]
    626. 

  626. 	mul	x10,x11,x11
    627. 

  627. 	umulh	x11,x11,x11
    628. 

  628. 	stp	x19,x20,[x2,#8*0]
    629. 

  629. 	mul	x12,x13,x13
    630. 

  630. 	umulh	x13,x13,x13
    631. 

  631. 	stp	x21,x22,[x2,#8*2]
    632. 

  632. 	extr	x17,x14,x17,#63
    633. 

  633. 	adcs	x23,x10,x17
    634. 

  634. 	extr	x14,x15,x14,#63
    635. 

  635. 	ldp	x19,x20,[sp,#8*0]
    636. 

  636. 	adcs	x24,x11,x14
    637. 

  637. 	extr	x15,x16,x15,#63
    638. 

  638. 	ldp	x6,x7,[x1,#8*0]
    639. 

  639. 	adcs	x25,x12,x15
    640. 

  640. 	extr	x16,xzr,x16,#63
    641. 

  641. 	ldp	x8,x9,[x1,#8*2]
    642. 

  642. 	adc	x26,x13,x16
    643. 

  643. 	ldp	x10,x11,[x1,#8*4]
    644. 

  644. 

  645. 	// Reduce by 512 bits per iteration
    646. 

  646. 	mul	x28,x4,x19		// t[0]*n0
    647. 

  647. 	ldp	x12,x13,[x1,#8*6]
    648. 

  648. 	add	x3,x1,x5
    649. 

  649. 	ldp	x21,x22,[sp,#8*2]
    650. 

  650. 	stp	x23,x24,[x2,#8*4]
    651. 

  651. 	ldp	x23,x24,[sp,#8*4]
    652. 

  652. 	stp	x25,x26,[x2,#8*6]
    653. 

  653. 	ldp	x25,x26,[sp,#8*6]
    654. 

  654. 	add	x1,x1,#8*8
    655. 

  655. 	mov	x30,xzr		// initial top-most carry
    656. 

  656. 	mov	x2,sp
    657. 

  657. 	mov	x27,#8
    658. 

  658. 

  659. .Lsqr8x_reduction:
    660. 

  660. 	// (*)	mul	x14,x6,x28	// lo(n[0-7])*lo(t[0]*n0)
    661. 

  661. 	mul	x15,x7,x28
    662. 

  662. 	sub	x27,x27,#1
    663. 

  663. 	mul	x16,x8,x28
    664. 

  664. 	str	x28,[x2],#8		// put aside t[0]*n0 for tail processing
    665. 

  665. 	mul	x17,x9,x28
    666. 

  666. 	// (*)	adds	xzr,x19,x14
    667. 

  667. 	subs	xzr,x19,#1		// (*)
    668. 

  668. 	mul	x14,x10,x28
    669. 

  669. 	adcs	x19,x20,x15
    670. 

  670. 	mul	x15,x11,x28
    671. 

  671. 	adcs	x20,x21,x16
    672. 

  672. 	mul	x16,x12,x28
    673. 

  673. 	adcs	x21,x22,x17
    674. 

  674. 	mul	x17,x13,x28
    675. 

  675. 	adcs	x22,x23,x14
    676. 

  676. 	umulh	x14,x6,x28		// hi(n[0-7])*lo(t[0]*n0)
    677. 

  677. 	adcs	x23,x24,x15
    678. 

  678. 	umulh	x15,x7,x28
    679. 

  679. 	adcs	x24,x25,x16
    680. 

  680. 	umulh	x16,x8,x28
    681. 

  681. 	adcs	x25,x26,x17
    682. 

  682. 	umulh	x17,x9,x28
    683. 

  683. 	adc	x26,xzr,xzr
    684. 

  684. 	adds	x19,x19,x14
    685. 

  685. 	umulh	x14,x10,x28
    686. 

  686. 	adcs	x20,x20,x15
    687. 

  687. 	umulh	x15,x11,x28
    688. 

  688. 	adcs	x21,x21,x16
    689. 

  689. 	umulh	x16,x12,x28
    690. 

  690. 	adcs	x22,x22,x17
    691. 

  691. 	umulh	x17,x13,x28
    692. 

  692. 	mul	x28,x4,x19		// next t[0]*n0
    693. 

  693. 	adcs	x23,x23,x14
    694. 

  694. 	adcs	x24,x24,x15
    695. 

  695. 	adcs	x25,x25,x16
    696. 

  696. 	adc	x26,x26,x17
    697. 

  697. 	cbnz	x27,.Lsqr8x_reduction
    698. 

  698. 

  699. 	ldp	x14,x15,[x2,#8*0]
    700. 

  700. 	ldp	x16,x17,[x2,#8*2]
    701. 

  701. 	mov	x0,x2
    702. 

  702. 	sub	x27,x3,x1	// done yet?
    703. 

  703. 	adds	x19,x19,x14
    704. 

  704. 	adcs	x20,x20,x15
    705. 

  705. 	ldp	x14,x15,[x2,#8*4]
    706. 

  706. 	adcs	x21,x21,x16
    707. 

  707. 	adcs	x22,x22,x17
    708. 

  708. 	ldp	x16,x17,[x2,#8*6]
    709. 

  709. 	adcs	x23,x23,x14
    710. 

  710. 	adcs	x24,x24,x15
    711. 

  711. 	adcs	x25,x25,x16
    712. 

  712. 	adcs	x26,x26,x17
    713. 

  713. 	//adc	x28,xzr,xzr		// moved below
    714. 

  714. 	cbz	x27,.Lsqr8x8_post_condition
    715. 

  715. 

  716. 	ldr	x4,[x2,#-8*8]
    717. 

  717. 	ldp	x6,x7,[x1,#8*0]
    718. 

  718. 	ldp	x8,x9,[x1,#8*2]
    719. 

  719. 	ldp	x10,x11,[x1,#8*4]
    720. 

  720. 	mov	x27,#-8*8
    721. 

  721. 	ldp	x12,x13,[x1,#8*6]
    722. 

  722. 	add	x1,x1,#8*8
    723. 

  723. 

  724. .Lsqr8x_tail:
    725. 

  725. 	mul	x14,x6,x4
    726. 

  726. 	adc	x28,xzr,xzr		// carry bit, modulo-scheduled
    727. 

  727. 	mul	x15,x7,x4
    728. 

  728. 	add	x27,x27,#8
    729. 

  729. 	mul	x16,x8,x4
    730. 

  730. 	mul	x17,x9,x4
    731. 

  731. 	adds	x19,x19,x14
    732. 

  732. 	mul	x14,x10,x4
    733. 

  733. 	adcs	x20,x20,x15
    734. 

  734. 	mul	x15,x11,x4
    735. 

  735. 	adcs	x21,x21,x16
    736. 

  736. 	mul	x16,x12,x4
    737. 

  737. 	adcs	x22,x22,x17
    738. 

  738. 	mul	x17,x13,x4
    739. 

  739. 	adcs	x23,x23,x14
    740. 

  740. 	umulh	x14,x6,x4
    741. 

  741. 	adcs	x24,x24,x15
    742. 

  742. 	umulh	x15,x7,x4
    743. 

  743. 	adcs	x25,x25,x16
    744. 

  744. 	umulh	x16,x8,x4
    745. 

  745. 	adcs	x26,x26,x17
    746. 

  746. 	umulh	x17,x9,x4
    747. 

  747. 	adc	x28,x28,xzr
    748. 

  748. 	str	x19,[x2],#8
    749. 

  749. 	adds	x19,x20,x14
    750. 

  750. 	umulh	x14,x10,x4
    751. 

  751. 	adcs	x20,x21,x15
    752. 

  752. 	umulh	x15,x11,x4
    753. 

  753. 	adcs	x21,x22,x16
    754. 

  754. 	umulh	x16,x12,x4
    755. 

  755. 	adcs	x22,x23,x17
    756. 

  756. 	umulh	x17,x13,x4
    757. 

  757. 	ldr	x4,[x0,x27]
    758. 

  758. 	adcs	x23,x24,x14
    759. 

  759. 	adcs	x24,x25,x15
    760. 

  760. 	adcs	x25,x26,x16
    761. 

  761. 	adcs	x26,x28,x17
    762. 

  762. 	//adc	x28,xzr,xzr		// moved above
    763. 

  763. 	cbnz	x27,.Lsqr8x_tail
    764. 

  764. 					// note that carry flag is guaranteed
    765. 

  765. 					// to be zero at this point
    766. 

  766. 	ldp	x6,x7,[x2,#8*0]
    767. 

  767. 	sub	x27,x3,x1	// done yet?
    768. 

  768. 	sub	x16,x3,x5	// rewinded np
    769. 

  769. 	ldp	x8,x9,[x2,#8*2]
    770. 

  770. 	ldp	x10,x11,[x2,#8*4]
    771. 

  771. 	ldp	x12,x13,[x2,#8*6]
    772. 

  772. 	cbz	x27,.Lsqr8x_tail_break
    773. 

  773. 

  774. 	ldr	x4,[x0,#-8*8]
    775. 

  775. 	adds	x19,x19,x6
    776. 

  776. 	adcs	x20,x20,x7
    777. 

  777. 	ldp	x6,x7,[x1,#8*0]
    778. 

  778. 	adcs	x21,x21,x8
    779. 

  779. 	adcs	x22,x22,x9
    780. 

  780. 	ldp	x8,x9,[x1,#8*2]
    781. 

  781. 	adcs	x23,x23,x10
    782. 

  782. 	adcs	x24,x24,x11
    783. 

  783. 	ldp	x10,x11,[x1,#8*4]
    784. 

  784. 	adcs	x25,x25,x12
    785. 

  785. 	mov	x27,#-8*8
    786. 

  786. 	adcs	x26,x26,x13
    787. 

  787. 	ldp	x12,x13,[x1,#8*6]
    788. 

  788. 	add	x1,x1,#8*8
    789. 

  789. 	//adc	x28,xzr,xzr		// moved above
    790. 

  790. 	b	.Lsqr8x_tail
    791. 

  791. 

  792. .align	4
    793. 

  793. .Lsqr8x_tail_break:
    794. 

  794. 	ldr	x4,[x29,#112]		// pull n0
    795. 

  795. 	add	x27,x2,#8*8		// end of current t[num] window
    796. 

  796. 

  797. 	subs	xzr,x30,#1		// "move" top-most carry to carry bit
    798. 

  798. 	adcs	x14,x19,x6
    799. 

  799. 	adcs	x15,x20,x7
    800. 

  800. 	ldp	x19,x20,[x0,#8*0]
    801. 

  801. 	adcs	x21,x21,x8
    802. 

  802. 	ldp	x6,x7,[x16,#8*0]	// recall that x16 is &n[0]
    803. 

  803. 	adcs	x22,x22,x9
    804. 

  804. 	ldp	x8,x9,[x16,#8*2]
    805. 

  805. 	adcs	x23,x23,x10
    806. 

  806. 	adcs	x24,x24,x11
    807. 

  807. 	ldp	x10,x11,[x16,#8*4]
    808. 

  808. 	adcs	x25,x25,x12
    809. 

  809. 	adcs	x26,x26,x13
    810. 

  810. 	ldp	x12,x13,[x16,#8*6]
    811. 

  811. 	add	x1,x16,#8*8
    812. 

  812. 	adc	x30,xzr,xzr	// top-most carry
    813. 

  813. 	mul	x28,x4,x19
    814. 

  814. 	stp	x14,x15,[x2,#8*0]
    815. 

  815. 	stp	x21,x22,[x2,#8*2]
    816. 

  816. 	ldp	x21,x22,[x0,#8*2]
    817. 

  817. 	stp	x23,x24,[x2,#8*4]
    818. 

  818. 	ldp	x23,x24,[x0,#8*4]
    819. 

  819. 	cmp	x27,x29		// did we hit the bottom?
    820. 

  820. 	stp	x25,x26,[x2,#8*6]
    821. 

  821. 	mov	x2,x0			// slide the window
    822. 

  822. 	ldp	x25,x26,[x0,#8*6]
    823. 

  823. 	mov	x27,#8
    824. 

  824. 	b.ne	.Lsqr8x_reduction
    825. 

  825. 

  826. 	// Final step. We see if result is larger than modulus, and
    827. 

  827. 	// if it is, subtract the modulus. But comparison implies
    828. 

  828. 	// subtraction. So we subtract modulus, see if it borrowed,
    829. 

  829. 	// and conditionally copy original value.
    830. 

  830. 	ldr	x0,[x29,#96]		// pull rp
    831. 

  831. 	add	x2,x2,#8*8
    832. 

  832. 	subs	x14,x19,x6
    833. 

  833. 	sbcs	x15,x20,x7
    834. 

  834. 	sub	x27,x5,#8*8
    835. 

  835. 	mov	x3,x0		// x0 copy
    836. 

  836. 

  837. .Lsqr8x_sub:
    838. 

  838. 	sbcs	x16,x21,x8
    839. 

  839. 	ldp	x6,x7,[x1,#8*0]
    840. 

  840. 	sbcs	x17,x22,x9
    841. 

  841. 	stp	x14,x15,[x0,#8*0]
    842. 

  842. 	sbcs	x14,x23,x10
    843. 

  843. 	ldp	x8,x9,[x1,#8*2]
    844. 

  844. 	sbcs	x15,x24,x11
    845. 

  845. 	stp	x16,x17,[x0,#8*2]
    846. 

  846. 	sbcs	x16,x25,x12
    847. 

  847. 	ldp	x10,x11,[x1,#8*4]
    848. 

  848. 	sbcs	x17,x26,x13
    849. 

  849. 	ldp	x12,x13,[x1,#8*6]
    850. 

  850. 	add	x1,x1,#8*8
    851. 

  851. 	ldp	x19,x20,[x2,#8*0]
    852. 

  852. 	sub	x27,x27,#8*8
    853. 

  853. 	ldp	x21,x22,[x2,#8*2]
    854. 

  854. 	ldp	x23,x24,[x2,#8*4]
    855. 

  855. 	ldp	x25,x26,[x2,#8*6]
    856. 

  856. 	add	x2,x2,#8*8
    857. 

  857. 	stp	x14,x15,[x0,#8*4]
    858. 

  858. 	sbcs	x14,x19,x6
    859. 

  859. 	stp	x16,x17,[x0,#8*6]
    860. 

  860. 	add	x0,x0,#8*8
    861. 

  861. 	sbcs	x15,x20,x7
    862. 

  862. 	cbnz	x27,.Lsqr8x_sub
    863. 

  863. 

  864. 	sbcs	x16,x21,x8
    865. 

  865. 	mov	x2,sp
    866. 

  866. 	add	x1,sp,x5
    867. 

  867. 	ldp	x6,x7,[x3,#8*0]
    868. 

  868. 	sbcs	x17,x22,x9
    869. 

  869. 	stp	x14,x15,[x0,#8*0]
    870. 

  870. 	sbcs	x14,x23,x10
    871. 

  871. 	ldp	x8,x9,[x3,#8*2]
    872. 

  872. 	sbcs	x15,x24,x11
    873. 

  873. 	stp	x16,x17,[x0,#8*2]
    874. 

  874. 	sbcs	x16,x25,x12
    875. 

  875. 	ldp	x19,x20,[x1,#8*0]
    876. 

  876. 	sbcs	x17,x26,x13
    877. 

  877. 	ldp	x21,x22,[x1,#8*2]
    878. 

  878. 	sbcs	xzr,x30,xzr	// did it borrow?
    879. 

  879. 	ldr	x30,[x29,#8]		// pull return address
    880. 

  880. 	stp	x14,x15,[x0,#8*4]
    881. 

  881. 	stp	x16,x17,[x0,#8*6]
    882. 

  882. 

  883. 	sub	x27,x5,#8*4
    884. 

  884. .Lsqr4x_cond_copy:
    885. 

  885. 	sub	x27,x27,#8*4
    886. 

  886. 	csel	x14,x19,x6,lo
    887. 

  887. 	stp	xzr,xzr,[x2,#8*0]
    888. 

  888. 	csel	x15,x20,x7,lo
    889. 

  889. 	ldp	x6,x7,[x3,#8*4]
    890. 

  890. 	ldp	x19,x20,[x1,#8*4]
    891. 

  891. 	csel	x16,x21,x8,lo
    892. 

  892. 	stp	xzr,xzr,[x2,#8*2]
    893. 

  893. 	add	x2,x2,#8*4
    894. 

  894. 	csel	x17,x22,x9,lo
    895. 

  895. 	ldp	x8,x9,[x3,#8*6]
    896. 

  896. 	ldp	x21,x22,[x1,#8*6]
    897. 

  897. 	add	x1,x1,#8*4
    898. 

  898. 	stp	x14,x15,[x3,#8*0]
    899. 

  899. 	stp	x16,x17,[x3,#8*2]
    900. 

  900. 	add	x3,x3,#8*4
    901. 

  901. 	stp	xzr,xzr,[x1,#8*0]
    902. 

  902. 	stp	xzr,xzr,[x1,#8*2]
    903. 

  903. 	cbnz	x27,.Lsqr4x_cond_copy
    904. 

  904. 

  905. 	csel	x14,x19,x6,lo
    906. 

  906. 	stp	xzr,xzr,[x2,#8*0]
    907. 

  907. 	csel	x15,x20,x7,lo
    908. 

  908. 	stp	xzr,xzr,[x2,#8*2]
    909. 

  909. 	csel	x16,x21,x8,lo
    910. 

  910. 	csel	x17,x22,x9,lo
    911. 

  911. 	stp	x14,x15,[x3,#8*0]
    912. 

  912. 	stp	x16,x17,[x3,#8*2]
    913. 

  913. 

  914. 	b	.Lsqr8x_done
    915. 

  915. 

  916. .align	4
    917. 

  917. .Lsqr8x8_post_condition:
    918. 

  918. 	adc	x28,xzr,xzr
    919. 

  919. 	ldr	x30,[x29,#8]		// pull return address
    920. 

  920. 	// x19-7,x28 hold result, x6-7 hold modulus
    921. 

  921. 	subs	x6,x19,x6
    922. 

  922. 	ldr	x1,[x29,#96]		// pull rp
    923. 

  923. 	sbcs	x7,x20,x7
    924. 

  924. 	stp	xzr,xzr,[sp,#8*0]
    925. 

  925. 	sbcs	x8,x21,x8
    926. 

  926. 	stp	xzr,xzr,[sp,#8*2]
    927. 

  927. 	sbcs	x9,x22,x9
    928. 

  928. 	stp	xzr,xzr,[sp,#8*4]
    929. 

  929. 	sbcs	x10,x23,x10
    930. 

  930. 	stp	xzr,xzr,[sp,#8*6]
    931. 

  931. 	sbcs	x11,x24,x11
    932. 

  932. 	stp	xzr,xzr,[sp,#8*8]
    933. 

  933. 	sbcs	x12,x25,x12
    934. 

  934. 	stp	xzr,xzr,[sp,#8*10]
    935. 

  935. 	sbcs	x13,x26,x13
    936. 

  936. 	stp	xzr,xzr,[sp,#8*12]
    937. 

  937. 	sbcs	x28,x28,xzr	// did it borrow?
    938. 

  938. 	stp	xzr,xzr,[sp,#8*14]
    939. 

  939. 

  940. 	// x6-7 hold result-modulus
    941. 

  941. 	csel	x6,x19,x6,lo
    942. 

  942. 	csel	x7,x20,x7,lo
    943. 

  943. 	csel	x8,x21,x8,lo
    944. 

  944. 	csel	x9,x22,x9,lo
    945. 

  945. 	stp	x6,x7,[x1,#8*0]
    946. 

  946. 	csel	x10,x23,x10,lo
    947. 

  947. 	csel	x11,x24,x11,lo
    948. 

  948. 	stp	x8,x9,[x1,#8*2]
    949. 

  949. 	csel	x12,x25,x12,lo
    950. 

  950. 	csel	x13,x26,x13,lo
    951. 

  951. 	stp	x10,x11,[x1,#8*4]
    952. 

  952. 	stp	x12,x13,[x1,#8*6]
    953. 

  953. 

  954. .Lsqr8x_done:
    955. 

  955. 	ldp	x19,x20,[x29,#16]
    956. 

  956. 	mov	sp,x29
    957. 

  957. 	ldp	x21,x22,[x29,#32]
    958. 

  958. 	mov	x0,#1
    959. 

  959. 	ldp	x23,x24,[x29,#48]
    960. 

  960. 	ldp	x25,x26,[x29,#64]
    961. 

  961. 	ldp	x27,x28,[x29,#80]
    962. 

  962. 	ldr	x29,[sp],#128
    963. 

  963. .inst	0xd50323bf		// autiasp
    964. 

  964. 	ret
    965. 

  965. .size	__bn_sqr8x_mont,.-__bn_sqr8x_mont
    966. 

  966. .type	__bn_mul4x_mont,%function
    967. 

  967. .align	5
    968. 

  968. __bn_mul4x_mont:
    969. 

  969. .inst	0xd503233f		// paciasp
    970. 

  970. 	stp	x29,x30,[sp,#-128]!
    971. 

  971. 	add	x29,sp,#0
    972. 

  972. 	stp	x19,x20,[sp,#16]
    973. 

  973. 	stp	x21,x22,[sp,#32]
    974. 

  974. 	stp	x23,x24,[sp,#48]
    975. 

  975. 	stp	x25,x26,[sp,#64]
    976. 

  976. 	stp	x27,x28,[sp,#80]
    977. 

  977. 

  978. 	sub	x26,sp,x5,lsl#3
    979. 

  979. 	lsl	x5,x5,#3
    980. 

  980. 	ldr	x4,[x4]		// *n0
    981. 

  981. 	sub	sp,x26,#8*4		// alloca
    982. 

  982. 

  983. 	add	x10,x2,x5
    984. 

  984. 	add	x27,x1,x5
    985. 

  985. 	stp	x0,x10,[x29,#96]	// offload rp and &b[num]
    986. 

  986. 

  987. 	ldr	x24,[x2,#8*0]		// b[0]
    988. 

  988. 	ldp	x6,x7,[x1,#8*0]	// a[0..3]
    989. 

  989. 	ldp	x8,x9,[x1,#8*2]
    990. 

  990. 	add	x1,x1,#8*4
    991. 

  991. 	mov	x19,xzr
    992. 

  992. 	mov	x20,xzr
    993. 

  993. 	mov	x21,xzr
    994. 

  994. 	mov	x22,xzr
    995. 

  995. 	ldp	x14,x15,[x3,#8*0]	// n[0..3]
    996. 

  996. 	ldp	x16,x17,[x3,#8*2]
    997. 

  997. 	adds	x3,x3,#8*4		// clear carry bit
    998. 

  998. 	mov	x0,xzr
    999. 

  999. 	mov	x28,#0
    1000. 

  1000. 	mov	x26,sp
    1001. 

  1001. 

  1002. .Loop_mul4x_1st_reduction:
    1003. 

  1003. 	mul	x10,x6,x24		// lo(a[0..3]*b[0])
    1004. 

  1004. 	adc	x0,x0,xzr	// modulo-scheduled
    1005. 

  1005. 	mul	x11,x7,x24
    1006. 

  1006. 	add	x28,x28,#8
    1007. 

  1007. 	mul	x12,x8,x24
    1008. 

  1008. 	and	x28,x28,#31
    1009. 

  1009. 	mul	x13,x9,x24
    1010. 

  1010. 	adds	x19,x19,x10
    1011. 

  1011. 	umulh	x10,x6,x24		// hi(a[0..3]*b[0])
    1012. 

  1012. 	adcs	x20,x20,x11
    1013. 

  1013. 	mul	x25,x19,x4		// t[0]*n0
    1014. 

  1014. 	adcs	x21,x21,x12
    1015. 

  1015. 	umulh	x11,x7,x24
    1016. 

  1016. 	adcs	x22,x22,x13
    1017. 

  1017. 	umulh	x12,x8,x24
    1018. 

  1018. 	adc	x23,xzr,xzr
    1019. 

  1019. 	umulh	x13,x9,x24
    1020. 

  1020. 	ldr	x24,[x2,x28]		// next b[i] (or b[0])
    1021. 

  1021. 	adds	x20,x20,x10
    1022. 

  1022. 	// (*)	mul	x10,x14,x25	// lo(n[0..3]*t[0]*n0)
    1023. 

  1023. 	str	x25,[x26],#8		// put aside t[0]*n0 for tail processing
    1024. 

  1024. 	adcs	x21,x21,x11
    1025. 

  1025. 	mul	x11,x15,x25
    1026. 

  1026. 	adcs	x22,x22,x12
    1027. 

  1027. 	mul	x12,x16,x25
    1028. 

  1028. 	adc	x23,x23,x13		// can't overflow
    1029. 

  1029. 	mul	x13,x17,x25
    1030. 

  1030. 	// (*)	adds	xzr,x19,x10
    1031. 

  1031. 	subs	xzr,x19,#1		// (*)
    1032. 

  1032. 	umulh	x10,x14,x25		// hi(n[0..3]*t[0]*n0)
    1033. 

  1033. 	adcs	x19,x20,x11
    1034. 

  1034. 	umulh	x11,x15,x25
    1035. 

  1035. 	adcs	x20,x21,x12
    1036. 

  1036. 	umulh	x12,x16,x25
    1037. 

  1037. 	adcs	x21,x22,x13
    1038. 

  1038. 	umulh	x13,x17,x25
    1039. 

  1039. 	adcs	x22,x23,x0
    1040. 

  1040. 	adc	x0,xzr,xzr
    1041. 

  1041. 	adds	x19,x19,x10
    1042. 

  1042. 	sub	x10,x27,x1
    1043. 

  1043. 	adcs	x20,x20,x11
    1044. 

  1044. 	adcs	x21,x21,x12
    1045. 

  1045. 	adcs	x22,x22,x13
    1046. 

  1046. 	//adc	x0,x0,xzr
    1047. 

  1047. 	cbnz	x28,.Loop_mul4x_1st_reduction
    1048. 

  1048. 

  1049. 	cbz	x10,.Lmul4x4_post_condition
    1050. 

  1050. 

  1051. 	ldp	x6,x7,[x1,#8*0]	// a[4..7]
    1052. 

  1052. 	ldp	x8,x9,[x1,#8*2]
    1053. 

  1053. 	add	x1,x1,#8*4
    1054. 

  1054. 	ldr	x25,[sp]		// a[0]*n0
    1055. 

  1055. 	ldp	x14,x15,[x3,#8*0]	// n[4..7]
    1056. 

  1056. 	ldp	x16,x17,[x3,#8*2]
    1057. 

  1057. 	add	x3,x3,#8*4
    1058. 

  1058. 

  1059. .Loop_mul4x_1st_tail:
    1060. 

  1060. 	mul	x10,x6,x24		// lo(a[4..7]*b[i])
    1061. 

  1061. 	adc	x0,x0,xzr	// modulo-scheduled
    1062. 

  1062. 	mul	x11,x7,x24
    1063. 

  1063. 	add	x28,x28,#8
    1064. 

  1064. 	mul	x12,x8,x24
    1065. 

  1065. 	and	x28,x28,#31
    1066. 

  1066. 	mul	x13,x9,x24
    1067. 

  1067. 	adds	x19,x19,x10
    1068. 

  1068. 	umulh	x10,x6,x24		// hi(a[4..7]*b[i])
    1069. 

  1069. 	adcs	x20,x20,x11
    1070. 

  1070. 	umulh	x11,x7,x24
    1071. 

  1071. 	adcs	x21,x21,x12
    1072. 

  1072. 	umulh	x12,x8,x24
    1073. 

  1073. 	adcs	x22,x22,x13
    1074. 

  1074. 	umulh	x13,x9,x24
    1075. 

  1075. 	adc	x23,xzr,xzr
    1076. 

  1076. 	ldr	x24,[x2,x28]		// next b[i] (or b[0])
    1077. 

  1077. 	adds	x20,x20,x10
    1078. 

  1078. 	mul	x10,x14,x25		// lo(n[4..7]*a[0]*n0)
    1079. 

  1079. 	adcs	x21,x21,x11
    1080. 

  1080. 	mul	x11,x15,x25
    1081. 

  1081. 	adcs	x22,x22,x12
    1082. 

  1082. 	mul	x12,x16,x25
    1083. 

  1083. 	adc	x23,x23,x13		// can't overflow
    1084. 

  1084. 	mul	x13,x17,x25
    1085. 

  1085. 	adds	x19,x19,x10
    1086. 

  1086. 	umulh	x10,x14,x25		// hi(n[4..7]*a[0]*n0)
    1087. 

  1087. 	adcs	x20,x20,x11
    1088. 

  1088. 	umulh	x11,x15,x25
    1089. 

  1089. 	adcs	x21,x21,x12
    1090. 

  1090. 	umulh	x12,x16,x25
    1091. 

  1091. 	adcs	x22,x22,x13
    1092. 

  1092. 	adcs	x23,x23,x0
    1093. 

  1093. 	umulh	x13,x17,x25
    1094. 

  1094. 	adc	x0,xzr,xzr
    1095. 

  1095. 	ldr	x25,[sp,x28]		// next t[0]*n0
    1096. 

  1096. 	str	x19,[x26],#8		// result!!!
    1097. 

  1097. 	adds	x19,x20,x10
    1098. 

  1098. 	sub	x10,x27,x1		// done yet?
    1099. 

  1099. 	adcs	x20,x21,x11
    1100. 

  1100. 	adcs	x21,x22,x12
    1101. 

  1101. 	adcs	x22,x23,x13
    1102. 

  1102. 	//adc	x0,x0,xzr
    1103. 

  1103. 	cbnz	x28,.Loop_mul4x_1st_tail
    1104. 

  1104. 

  1105. 	sub	x11,x27,x5	// rewinded x1
    1106. 

  1106. 	cbz	x10,.Lmul4x_proceed
    1107. 

  1107. 

  1108. 	ldp	x6,x7,[x1,#8*0]
    1109. 

  1109. 	ldp	x8,x9,[x1,#8*2]
    1110. 

  1110. 	add	x1,x1,#8*4
    1111. 

  1111. 	ldp	x14,x15,[x3,#8*0]
    1112. 

  1112. 	ldp	x16,x17,[x3,#8*2]
    1113. 

  1113. 	add	x3,x3,#8*4
    1114. 

  1114. 	b	.Loop_mul4x_1st_tail
    1115. 

  1115. 

  1116. .align	5
    1117. 

  1117. .Lmul4x_proceed:
    1118. 

  1118. 	ldr	x24,[x2,#8*4]!		// *++b
    1119. 

  1119. 	adc	x30,x0,xzr
    1120. 

  1120. 	ldp	x6,x7,[x11,#8*0]	// a[0..3]
    1121. 

  1121. 	sub	x3,x3,x5		// rewind np
    1122. 

  1122. 	ldp	x8,x9,[x11,#8*2]
    1123. 

  1123. 	add	x1,x11,#8*4
    1124. 

  1124. 

  1125. 	stp	x19,x20,[x26,#8*0]	// result!!!
    1126. 

  1126. 	ldp	x19,x20,[sp,#8*4]	// t[0..3]
    1127. 

  1127. 	stp	x21,x22,[x26,#8*2]	// result!!!
    1128. 

  1128. 	ldp	x21,x22,[sp,#8*6]
    1129. 

  1129. 

  1130. 	ldp	x14,x15,[x3,#8*0]	// n[0..3]
    1131. 

  1131. 	mov	x26,sp
    1132. 

  1132. 	ldp	x16,x17,[x3,#8*2]
    1133. 

  1133. 	adds	x3,x3,#8*4		// clear carry bit
    1134. 

  1134. 	mov	x0,xzr
    1135. 

  1135. 

  1136. .align	4
    1137. 

  1137. .Loop_mul4x_reduction:
    1138. 

  1138. 	mul	x10,x6,x24		// lo(a[0..3]*b[4])
    1139. 

  1139. 	adc	x0,x0,xzr	// modulo-scheduled
    1140. 

  1140. 	mul	x11,x7,x24
    1141. 

  1141. 	add	x28,x28,#8
    1142. 

  1142. 	mul	x12,x8,x24
    1143. 

  1143. 	and	x28,x28,#31
    1144. 

  1144. 	mul	x13,x9,x24
    1145. 

  1145. 	adds	x19,x19,x10
    1146. 

  1146. 	umulh	x10,x6,x24		// hi(a[0..3]*b[4])
    1147. 

  1147. 	adcs	x20,x20,x11
    1148. 

  1148. 	mul	x25,x19,x4		// t[0]*n0
    1149. 

  1149. 	adcs	x21,x21,x12
    1150. 

  1150. 	umulh	x11,x7,x24
    1151. 

  1151. 	adcs	x22,x22,x13
    1152. 

  1152. 	umulh	x12,x8,x24
    1153. 

  1153. 	adc	x23,xzr,xzr
    1154. 

  1154. 	umulh	x13,x9,x24
    1155. 

  1155. 	ldr	x24,[x2,x28]		// next b[i]
    1156. 

  1156. 	adds	x20,x20,x10
    1157. 

  1157. 	// (*)	mul	x10,x14,x25
    1158. 

  1158. 	str	x25,[x26],#8		// put aside t[0]*n0 for tail processing
    1159. 

  1159. 	adcs	x21,x21,x11
    1160. 

  1160. 	mul	x11,x15,x25		// lo(n[0..3]*t[0]*n0
    1161. 

  1161. 	adcs	x22,x22,x12
    1162. 

  1162. 	mul	x12,x16,x25
    1163. 

  1163. 	adc	x23,x23,x13		// can't overflow
    1164. 

  1164. 	mul	x13,x17,x25
    1165. 

  1165. 	// (*)	adds	xzr,x19,x10
    1166. 

  1166. 	subs	xzr,x19,#1		// (*)
    1167. 

  1167. 	umulh	x10,x14,x25		// hi(n[0..3]*t[0]*n0
    1168. 

  1168. 	adcs	x19,x20,x11
    1169. 

  1169. 	umulh	x11,x15,x25
    1170. 

  1170. 	adcs	x20,x21,x12
    1171. 

  1171. 	umulh	x12,x16,x25
    1172. 

  1172. 	adcs	x21,x22,x13
    1173. 

  1173. 	umulh	x13,x17,x25
    1174. 

  1174. 	adcs	x22,x23,x0
    1175. 

  1175. 	adc	x0,xzr,xzr
    1176. 

  1176. 	adds	x19,x19,x10
    1177. 

  1177. 	adcs	x20,x20,x11
    1178. 

  1178. 	adcs	x21,x21,x12
    1179. 

  1179. 	adcs	x22,x22,x13
    1180. 

  1180. 	//adc	x0,x0,xzr
    1181. 

  1181. 	cbnz	x28,.Loop_mul4x_reduction
    1182. 

  1182. 

  1183. 	adc	x0,x0,xzr
    1184. 

  1184. 	ldp	x10,x11,[x26,#8*4]	// t[4..7]
    1185. 

  1185. 	ldp	x12,x13,[x26,#8*6]
    1186. 

  1186. 	ldp	x6,x7,[x1,#8*0]	// a[4..7]
    1187. 

  1187. 	ldp	x8,x9,[x1,#8*2]
    1188. 

  1188. 	add	x1,x1,#8*4
    1189. 

  1189. 	adds	x19,x19,x10
    1190. 

  1190. 	adcs	x20,x20,x11
    1191. 

  1191. 	adcs	x21,x21,x12
    1192. 

  1192. 	adcs	x22,x22,x13
    1193. 

  1193. 	//adc	x0,x0,xzr
    1194. 

  1194. 

  1195. 	ldr	x25,[sp]		// t[0]*n0
    1196. 

  1196. 	ldp	x14,x15,[x3,#8*0]	// n[4..7]
    1197. 

  1197. 	ldp	x16,x17,[x3,#8*2]
    1198. 

  1198. 	add	x3,x3,#8*4
    1199. 

  1199. 

  1200. .align	4
    1201. 

  1201. .Loop_mul4x_tail:
    1202. 

  1202. 	mul	x10,x6,x24		// lo(a[4..7]*b[4])
    1203. 

  1203. 	adc	x0,x0,xzr	// modulo-scheduled
    1204. 

  1204. 	mul	x11,x7,x24
    1205. 

  1205. 	add	x28,x28,#8
    1206. 

  1206. 	mul	x12,x8,x24
    1207. 

  1207. 	and	x28,x28,#31
    1208. 

  1208. 	mul	x13,x9,x24
    1209. 

  1209. 	adds	x19,x19,x10
    1210. 

  1210. 	umulh	x10,x6,x24		// hi(a[4..7]*b[4])
    1211. 

  1211. 	adcs	x20,x20,x11
    1212. 

  1212. 	umulh	x11,x7,x24
    1213. 

  1213. 	adcs	x21,x21,x12
    1214. 

  1214. 	umulh	x12,x8,x24
    1215. 

  1215. 	adcs	x22,x22,x13
    1216. 

  1216. 	umulh	x13,x9,x24
    1217. 

  1217. 	adc	x23,xzr,xzr
    1218. 

  1218. 	ldr	x24,[x2,x28]		// next b[i]
    1219. 

  1219. 	adds	x20,x20,x10
    1220. 

  1220. 	mul	x10,x14,x25		// lo(n[4..7]*t[0]*n0)
    1221. 

  1221. 	adcs	x21,x21,x11
    1222. 

  1222. 	mul	x11,x15,x25
    1223. 

  1223. 	adcs	x22,x22,x12
    1224. 

  1224. 	mul	x12,x16,x25
    1225. 

  1225. 	adc	x23,x23,x13		// can't overflow
    1226. 

  1226. 	mul	x13,x17,x25
    1227. 

  1227. 	adds	x19,x19,x10
    1228. 

  1228. 	umulh	x10,x14,x25		// hi(n[4..7]*t[0]*n0)
    1229. 

  1229. 	adcs	x20,x20,x11
    1230. 

  1230. 	umulh	x11,x15,x25
    1231. 

  1231. 	adcs	x21,x21,x12
    1232. 

  1232. 	umulh	x12,x16,x25
    1233. 

  1233. 	adcs	x22,x22,x13
    1234. 

  1234. 	umulh	x13,x17,x25
    1235. 

  1235. 	adcs	x23,x23,x0
    1236. 

  1236. 	ldr	x25,[sp,x28]		// next a[0]*n0
    1237. 

  1237. 	adc	x0,xzr,xzr
    1238. 

  1238. 	str	x19,[x26],#8		// result!!!
    1239. 

  1239. 	adds	x19,x20,x10
    1240. 

  1240. 	sub	x10,x27,x1		// done yet?
    1241. 

  1241. 	adcs	x20,x21,x11
    1242. 

  1242. 	adcs	x21,x22,x12
    1243. 

  1243. 	adcs	x22,x23,x13
    1244. 

  1244. 	//adc	x0,x0,xzr
    1245. 

  1245. 	cbnz	x28,.Loop_mul4x_tail
    1246. 

  1246. 

  1247. 	sub	x11,x3,x5		// rewinded np?
    1248. 

  1248. 	adc	x0,x0,xzr
    1249. 

  1249. 	cbz	x10,.Loop_mul4x_break
    1250. 

  1250. 

  1251. 	ldp	x10,x11,[x26,#8*4]
    1252. 

  1252. 	ldp	x12,x13,[x26,#8*6]
    1253. 

  1253. 	ldp	x6,x7,[x1,#8*0]
    1254. 

  1254. 	ldp	x8,x9,[x1,#8*2]
    1255. 

  1255. 	add	x1,x1,#8*4
    1256. 

  1256. 	adds	x19,x19,x10
    1257. 

  1257. 	adcs	x20,x20,x11
    1258. 

  1258. 	adcs	x21,x21,x12
    1259. 

  1259. 	adcs	x22,x22,x13
    1260. 

  1260. 	//adc	x0,x0,xzr
    1261. 

  1261. 	ldp	x14,x15,[x3,#8*0]
    1262. 

  1262. 	ldp	x16,x17,[x3,#8*2]
    1263. 

  1263. 	add	x3,x3,#8*4
    1264. 

  1264. 	b	.Loop_mul4x_tail
    1265. 

  1265. 

  1266. .align	4
    1267. 

  1267. .Loop_mul4x_break:
    1268. 

  1268. 	ldp	x12,x13,[x29,#96]	// pull rp and &b[num]
    1269. 

  1269. 	adds	x19,x19,x30
    1270. 

  1270. 	add	x2,x2,#8*4		// bp++
    1271. 

  1271. 	adcs	x20,x20,xzr
    1272. 

  1272. 	sub	x1,x1,x5		// rewind ap
    1273. 

  1273. 	adcs	x21,x21,xzr
    1274. 

  1274. 	stp	x19,x20,[x26,#8*0]	// result!!!
    1275. 

  1275. 	adcs	x22,x22,xzr
    1276. 

  1276. 	ldp	x19,x20,[sp,#8*4]	// t[0..3]
    1277. 

  1277. 	adc	x30,x0,xzr
    1278. 

  1278. 	stp	x21,x22,[x26,#8*2]	// result!!!
    1279. 

  1279. 	cmp	x2,x13			// done yet?
    1280. 

  1280. 	ldp	x21,x22,[sp,#8*6]
    1281. 

  1281. 	ldp	x14,x15,[x11,#8*0]	// n[0..3]
    1282. 

  1282. 	ldp	x16,x17,[x11,#8*2]
    1283. 

  1283. 	add	x3,x11,#8*4
    1284. 

  1284. 	b.eq	.Lmul4x_post
    1285. 

  1285. 

  1286. 	ldr	x24,[x2]
    1287. 

  1287. 	ldp	x6,x7,[x1,#8*0]	// a[0..3]
    1288. 

  1288. 	ldp	x8,x9,[x1,#8*2]
    1289. 

  1289. 	adds	x1,x1,#8*4		// clear carry bit
    1290. 

  1290. 	mov	x0,xzr
    1291. 

  1291. 	mov	x26,sp
    1292. 

  1292. 	b	.Loop_mul4x_reduction
    1293. 

  1293. 

  1294. .align	4
    1295. 

  1295. .Lmul4x_post:
    1296. 

  1296. 	// Final step. We see if result is larger than modulus, and
    1297. 

  1297. 	// if it is, subtract the modulus. But comparison implies
    1298. 

  1298. 	// subtraction. So we subtract modulus, see if it borrowed,
    1299. 

  1299. 	// and conditionally copy original value.
    1300. 

  1300. 	mov	x0,x12
    1301. 

  1301. 	mov	x27,x12		// x0 copy
    1302. 

  1302. 	subs	x10,x19,x14
    1303. 

  1303. 	add	x26,sp,#8*8
    1304. 

  1304. 	sbcs	x11,x20,x15
    1305. 

  1305. 	sub	x28,x5,#8*4
    1306. 

  1306. 

  1307. .Lmul4x_sub:
    1308. 

  1308. 	sbcs	x12,x21,x16
    1309. 

  1309. 	ldp	x14,x15,[x3,#8*0]
    1310. 

  1310. 	sub	x28,x28,#8*4
    1311. 

  1311. 	ldp	x19,x20,[x26,#8*0]
    1312. 

  1312. 	sbcs	x13,x22,x17
    1313. 

  1313. 	ldp	x16,x17,[x3,#8*2]
    1314. 

  1314. 	add	x3,x3,#8*4
    1315. 

  1315. 	ldp	x21,x22,[x26,#8*2]
    1316. 

  1316. 	add	x26,x26,#8*4
    1317. 

  1317. 	stp	x10,x11,[x0,#8*0]
    1318. 

  1318. 	sbcs	x10,x19,x14
    1319. 

  1319. 	stp	x12,x13,[x0,#8*2]
    1320. 

  1320. 	add	x0,x0,#8*4
    1321. 

  1321. 	sbcs	x11,x20,x15
    1322. 

  1322. 	cbnz	x28,.Lmul4x_sub
    1323. 

  1323. 

  1324. 	sbcs	x12,x21,x16
    1325. 

  1325. 	mov	x26,sp
    1326. 

  1326. 	add	x1,sp,#8*4
    1327. 

  1327. 	ldp	x6,x7,[x27,#8*0]
    1328. 

  1328. 	sbcs	x13,x22,x17
    1329. 

  1329. 	stp	x10,x11,[x0,#8*0]
    1330. 

  1330. 	ldp	x8,x9,[x27,#8*2]
    1331. 

  1331. 	stp	x12,x13,[x0,#8*2]
    1332. 

  1332. 	ldp	x19,x20,[x1,#8*0]
    1333. 

  1333. 	ldp	x21,x22,[x1,#8*2]
    1334. 

  1334. 	sbcs	xzr,x30,xzr	// did it borrow?
    1335. 

  1335. 	ldr	x30,[x29,#8]		// pull return address
    1336. 

  1336. 

  1337. 	sub	x28,x5,#8*4
    1338. 

  1338. .Lmul4x_cond_copy:
    1339. 

  1339. 	sub	x28,x28,#8*4
    1340. 

  1340. 	csel	x10,x19,x6,lo
    1341. 

  1341. 	stp	xzr,xzr,[x26,#8*0]
    1342. 

  1342. 	csel	x11,x20,x7,lo
    1343. 

  1343. 	ldp	x6,x7,[x27,#8*4]
    1344. 

  1344. 	ldp	x19,x20,[x1,#8*4]
    1345. 

  1345. 	csel	x12,x21,x8,lo
    1346. 

  1346. 	stp	xzr,xzr,[x26,#8*2]
    1347. 

  1347. 	add	x26,x26,#8*4
    1348. 

  1348. 	csel	x13,x22,x9,lo
    1349. 

  1349. 	ldp	x8,x9,[x27,#8*6]
    1350. 

  1350. 	ldp	x21,x22,[x1,#8*6]
    1351. 

  1351. 	add	x1,x1,#8*4
    1352. 

  1352. 	stp	x10,x11,[x27,#8*0]
    1353. 

  1353. 	stp	x12,x13,[x27,#8*2]
    1354. 

  1354. 	add	x27,x27,#8*4
    1355. 

  1355. 	cbnz	x28,.Lmul4x_cond_copy
    1356. 

  1356. 

  1357. 	csel	x10,x19,x6,lo
    1358. 

  1358. 	stp	xzr,xzr,[x26,#8*0]
    1359. 

  1359. 	csel	x11,x20,x7,lo
    1360. 

  1360. 	stp	xzr,xzr,[x26,#8*2]
    1361. 

  1361. 	csel	x12,x21,x8,lo
    1362. 

  1362. 	stp	xzr,xzr,[x26,#8*3]
    1363. 

  1363. 	csel	x13,x22,x9,lo
    1364. 

  1364. 	stp	xzr,xzr,[x26,#8*4]
    1365. 

  1365. 	stp	x10,x11,[x27,#8*0]
    1366. 

  1366. 	stp	x12,x13,[x27,#8*2]
    1367. 

  1367. 

  1368. 	b	.Lmul4x_done
    1369. 

  1369. 

  1370. .align	4
    1371. 

  1371. .Lmul4x4_post_condition:
    1372. 

  1372. 	adc	x0,x0,xzr
    1373. 

  1373. 	ldr	x1,[x29,#96]		// pull rp
    1374. 

  1374. 	// x19-3,x0 hold result, x14-7 hold modulus
    1375. 

  1375. 	subs	x6,x19,x14
    1376. 

  1376. 	ldr	x30,[x29,#8]		// pull return address
    1377. 

  1377. 	sbcs	x7,x20,x15
    1378. 

  1378. 	stp	xzr,xzr,[sp,#8*0]
    1379. 

  1379. 	sbcs	x8,x21,x16
    1380. 

  1380. 	stp	xzr,xzr,[sp,#8*2]
    1381. 

  1381. 	sbcs	x9,x22,x17
    1382. 

  1382. 	stp	xzr,xzr,[sp,#8*4]
    1383. 

  1383. 	sbcs	xzr,x0,xzr		// did it borrow?
    1384. 

  1384. 	stp	xzr,xzr,[sp,#8*6]
    1385. 

  1385. 

  1386. 	// x6-3 hold result-modulus
    1387. 

  1387. 	csel	x6,x19,x6,lo
    1388. 

  1388. 	csel	x7,x20,x7,lo
    1389. 

  1389. 	csel	x8,x21,x8,lo
    1390. 

  1390. 	csel	x9,x22,x9,lo
    1391. 

  1391. 	stp	x6,x7,[x1,#8*0]
    1392. 

  1392. 	stp	x8,x9,[x1,#8*2]
    1393. 

  1393. 

  1394. .Lmul4x_done:
    1395. 

  1395. 	ldp	x19,x20,[x29,#16]
    1396. 

  1396. 	mov	sp,x29
    1397. 

  1397. 	ldp	x21,x22,[x29,#32]
    1398. 

  1398. 	mov	x0,#1
    1399. 

  1399. 	ldp	x23,x24,[x29,#48]
    1400. 

  1400. 	ldp	x25,x26,[x29,#64]
    1401. 

  1401. 	ldp	x27,x28,[x29,#80]
    1402. 

  1402. 	ldr	x29,[sp],#128
    1403. 

  1403. .inst	0xd50323bf		// autiasp
    1404. 

  1404. 	ret
    1405. 

  1405. .size	__bn_mul4x_mont,.-__bn_mul4x_mont
    1406. 

  1406. .byte	77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
    1407. 

  1407. .align	2
    1408. 

  1408. .align	4
    1409.