1 /// -*- mode: asm; asm-comment-char: ?/ -*-
3 /// Fancy SIMD implementation of ChaCha
5 /// (c) 2015 Straylight/Edgeware
8 ///----- Licensing notice ---------------------------------------------------
10 /// This file is part of Catacomb.
12 /// Catacomb is free software; you can redistribute it and/or modify
13 /// it under the terms of the GNU Library General Public License as
14 /// published by the Free Software Foundation; either version 2 of the
15 /// License, or (at your option) any later version.
17 /// Catacomb is distributed in the hope that it will be useful,
18 /// but WITHOUT ANY WARRANTY; without even the implied warranty of
19 /// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 /// GNU Library General Public License for more details.
22 /// You should have received a copy of the GNU Library General Public
23 /// License along with Catacomb; if not, write to the Free
24 /// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 /// MA 02111-1307, USA.
27 ///--------------------------------------------------------------------------
28 /// External definitions.
31 #include "asm-common.h"
33 ///--------------------------------------------------------------------------
36 // Magic constants for shuffling.
41 ///--------------------------------------------------------------------------
47 FUNC(chacha_core_x86_sse2)
49 // Initial state. We have three arguments:
50 // [ebp + 8] is the number of rounds to do
51 // [ebp + 12] points to the input matrix
52 // [ebp + 16] points to the output matrix
59 // First job is to slurp the matrix into XMM registers. Be careful:
60 // the input matrix isn't likely to be properly aligned.
62 // [ 0 1 2 3] (a, xmm0)
63 // [ 4 5 6 7] (b, xmm1)
64 // [ 8 9 10 11] (c, xmm2)
65 // [12 13 14 15] (d, xmm3)
66 movdqu xmm0, [edx + 0]
67 movdqu xmm1, [edx + 16]
68 movdqu xmm2, [edx + 32]
69 movdqu xmm3, [edx + 48]
71 // Prepare for the main loop.
74 // Take a copy for later. This one is aligned properly, by
82 // Apply a column quarterround to each of the columns simultaneously.
83 // Alas, there doesn't seem to be a packed doubleword rotate, so we
84 // have to synthesize it.
86 // a += b; d ^= a; d <<<= 16
94 // c += d; b ^= c; b <<<= 12
102 // a += b; d ^= a; d <<<= 8
110 // c += d; b ^= c; b <<<= 7
112 pshufd xmm3, xmm3, ROTL
114 pshufd xmm2, xmm2, ROT2
120 // The not-quite-transpose conveniently only involves reordering
121 // elements of individual rows, which can be done quite easily. It
122 // doesn't involve any movement of elements between rows, or even
123 // renaming of the rows.
125 // [ 0 1 2 3] [ 0 1 2 3] (a, xmm0)
126 // [ 4 5 6 7] --> [ 5 6 7 4] (b, xmm1)
127 // [ 8 9 10 11] [10 11 8 9] (c, xmm2)
128 // [12 13 14 15] [15 12 13 14] (d, xmm3)
130 // The shuffles have quite high latency, so they've mostly been
131 // pushed upwards. The remaining one can't be moved, though.
132 pshufd xmm1, xmm1, ROTR
134 // Apply the diagonal quarterround to each of the columns
137 // a += b; d ^= a; d <<<= 16
145 // c += d; b ^= c; b <<<= 12
153 // a += b; d ^= a; d <<<= 8
161 // c += d; b ^= c; b <<<= 7
163 pshufd xmm3, xmm3, ROTR
165 pshufd xmm2, xmm2, ROT2
171 // Finally, finish off undoing the transpose, and we're done for this
172 // doubleround. Again, most of this was done above so we don't have
173 // to wait for the shuffles.
174 pshufd xmm1, xmm1, ROTL
176 // Decrement the loop counter and see if we should go round again.
180 // Almost there. Firstly, the feedforward addition.
187 // And now we write out the result. This one won't be aligned
189 movdqu [edx + 0], xmm0
190 movdqu [edx + 16], xmm1
191 movdqu [edx + 32], xmm2
192 movdqu [edx + 48], xmm3
198 // And with that, we're done.
203 ///----- That's all, folks --------------------------------------------------
~mdw / catacomb / blob