Acasă Explorează Ajutor
Autentificare
lenn
/
grpc1.45.2
1
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Arbore: bef6e57d0d
Ramuri Etichete
grpc1.45.2
/
third_party
/
boringssl-with-bazel
/
linux-aarch64
/
crypto
/
fipsmodule
/
armv8-mont.S

armv8-mont.S 31 KB
Istoric Crud

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436 
  1. // This file is generated from a similarly-named Perl script in the BoringSSL
    2. 

  2. // source tree. Do not edit by hand.
    3. 

  3. 

  4. #if !defined(__has_feature)
    5. 

  5. #define __has_feature(x) 0
    6. 

  6. #endif
    7. 

  7. #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
    8. 

  8. #define OPENSSL_NO_ASM
    9. 

  9. #endif
    10. 

  10. 

  11. #if !defined(OPENSSL_NO_ASM)
    12. 

  12. #if defined(__aarch64__)
    13. 

  13. #if defined(BORINGSSL_PREFIX)
    14. 

  14. #include <boringssl_prefix_symbols_asm.h>
    15. 

  15. #endif
    16. 

  16. #include <openssl/arm_arch.h>
    17. 

  17. 

  18. .text
    19. 

  19. 

  20. .globl	bn_mul_mont
    21. 

  21. .hidden	bn_mul_mont
    22. 

  22. .type	bn_mul_mont,%function
    23. 

  23. .align	5
    24. 

  24. bn_mul_mont:
    25. 

  25. 	AARCH64_SIGN_LINK_REGISTER
    26. 

  26. 	tst	x5,#7
    27. 

  27. 	b.eq	__bn_sqr8x_mont
    28. 

  28. 	tst	x5,#3
    29. 

  29. 	b.eq	__bn_mul4x_mont
    30. 

  30. .Lmul_mont:
    31. 

  31. 	stp	x29,x30,[sp,#-64]!
    32. 

  32. 	add	x29,sp,#0
    33. 

  33. 	stp	x19,x20,[sp,#16]
    34. 

  34. 	stp	x21,x22,[sp,#32]
    35. 

  35. 	stp	x23,x24,[sp,#48]
    36. 

  36. 

  37. 	ldr	x9,[x2],#8		// bp[0]
    38. 

  38. 	sub	x22,sp,x5,lsl#3
    39. 

  39. 	ldp	x7,x8,[x1],#16	// ap[0..1]
    40. 

  40. 	lsl	x5,x5,#3
    41. 

  41. 	ldr	x4,[x4]		// *n0
    42. 

  42. 	and	x22,x22,#-16		// ABI says so
    43. 

  43. 	ldp	x13,x14,[x3],#16	// np[0..1]
    44. 

  44. 

  45. 	mul	x6,x7,x9		// ap[0]*bp[0]
    46. 

  46. 	sub	x21,x5,#16		// j=num-2
    47. 

  47. 	umulh	x7,x7,x9
    48. 

  48. 	mul	x10,x8,x9		// ap[1]*bp[0]
    49. 

  49. 	umulh	x11,x8,x9
    50. 

  50. 

  51. 	mul	x15,x6,x4		// "tp[0]"*n0
    52. 

  52. 	mov	sp,x22			// alloca
    53. 

  53. 

  54. 	// (*)	mul	x12,x13,x15	// np[0]*m1
    55. 

  55. 	umulh	x13,x13,x15
    56. 

  56. 	mul	x16,x14,x15		// np[1]*m1
    57. 

  57. 	// (*)	adds	x12,x12,x6	// discarded
    58. 

  58. 	// (*)	As for removal of first multiplication and addition
    59. 

  59. 	//	instructions. The outcome of first addition is
    60. 

  60. 	//	guaranteed to be zero, which leaves two computationally
    61. 

  61. 	//	significant outcomes: it either carries or not. Then
    62. 

  62. 	//	question is when does it carry? Is there alternative
    63. 

  63. 	//	way to deduce it? If you follow operations, you can
    64. 

  64. 	//	observe that condition for carry is quite simple:
    65. 

  65. 	//	x6 being non-zero. So that carry can be calculated
    66. 

  66. 	//	by adding -1 to x6. That's what next instruction does.
    67. 

  67. 	subs	xzr,x6,#1		// (*)
    68. 

  68. 	umulh	x17,x14,x15
    69. 

  69. 	adc	x13,x13,xzr
    70. 

  70. 	cbz	x21,.L1st_skip
    71. 

  71. 

  72. .L1st:
    73. 

  73. 	ldr	x8,[x1],#8
    74. 

  74. 	adds	x6,x10,x7
    75. 

  75. 	sub	x21,x21,#8		// j--
    76. 

  76. 	adc	x7,x11,xzr
    77. 

  77. 

  78. 	ldr	x14,[x3],#8
    79. 

  79. 	adds	x12,x16,x13
    80. 

  80. 	mul	x10,x8,x9		// ap[j]*bp[0]
    81. 

  81. 	adc	x13,x17,xzr
    82. 

  82. 	umulh	x11,x8,x9
    83. 

  83. 

  84. 	adds	x12,x12,x6
    85. 

  85. 	mul	x16,x14,x15		// np[j]*m1
    86. 

  86. 	adc	x13,x13,xzr
    87. 

  87. 	umulh	x17,x14,x15
    88. 

  88. 	str	x12,[x22],#8		// tp[j-1]
    89. 

  89. 	cbnz	x21,.L1st
    90. 

  90. 

  91. .L1st_skip:
    92. 

  92. 	adds	x6,x10,x7
    93. 

  93. 	sub	x1,x1,x5		// rewind x1
    94. 

  94. 	adc	x7,x11,xzr
    95. 

  95. 

  96. 	adds	x12,x16,x13
    97. 

  97. 	sub	x3,x3,x5		// rewind x3
    98. 

  98. 	adc	x13,x17,xzr
    99. 

  99. 

  100. 	adds	x12,x12,x6
    101. 

  101. 	sub	x20,x5,#8		// i=num-1
    102. 

  102. 	adcs	x13,x13,x7
    103. 

  103. 

  104. 	adc	x19,xzr,xzr		// upmost overflow bit
    105. 

  105. 	stp	x12,x13,[x22]
    106. 

  106. 

  107. .Louter:
    108. 

  108. 	ldr	x9,[x2],#8		// bp[i]
    109. 

  109. 	ldp	x7,x8,[x1],#16
    110. 

  110. 	ldr	x23,[sp]		// tp[0]
    111. 

  111. 	add	x22,sp,#8
    112. 

  112. 

  113. 	mul	x6,x7,x9		// ap[0]*bp[i]
    114. 

  114. 	sub	x21,x5,#16		// j=num-2
    115. 

  115. 	umulh	x7,x7,x9
    116. 

  116. 	ldp	x13,x14,[x3],#16
    117. 

  117. 	mul	x10,x8,x9		// ap[1]*bp[i]
    118. 

  118. 	adds	x6,x6,x23
    119. 

  119. 	umulh	x11,x8,x9
    120. 

  120. 	adc	x7,x7,xzr
    121. 

  121. 

  122. 	mul	x15,x6,x4
    123. 

  123. 	sub	x20,x20,#8		// i--
    124. 

  124. 

  125. 	// (*)	mul	x12,x13,x15	// np[0]*m1
    126. 

  126. 	umulh	x13,x13,x15
    127. 

  127. 	mul	x16,x14,x15		// np[1]*m1
    128. 

  128. 	// (*)	adds	x12,x12,x6
    129. 

  129. 	subs	xzr,x6,#1		// (*)
    130. 

  130. 	umulh	x17,x14,x15
    131. 

  131. 	cbz	x21,.Linner_skip
    132. 

  132. 

  133. .Linner:
    134. 

  134. 	ldr	x8,[x1],#8
    135. 

  135. 	adc	x13,x13,xzr
    136. 

  136. 	ldr	x23,[x22],#8		// tp[j]
    137. 

  137. 	adds	x6,x10,x7
    138. 

  138. 	sub	x21,x21,#8		// j--
    139. 

  139. 	adc	x7,x11,xzr
    140. 

  140. 

  141. 	adds	x12,x16,x13
    142. 

  142. 	ldr	x14,[x3],#8
    143. 

  143. 	adc	x13,x17,xzr
    144. 

  144. 

  145. 	mul	x10,x8,x9		// ap[j]*bp[i]
    146. 

  146. 	adds	x6,x6,x23
    147. 

  147. 	umulh	x11,x8,x9
    148. 

  148. 	adc	x7,x7,xzr
    149. 

  149. 

  150. 	mul	x16,x14,x15		// np[j]*m1
    151. 

  151. 	adds	x12,x12,x6
    152. 

  152. 	umulh	x17,x14,x15
    153. 

  153. 	str	x12,[x22,#-16]		// tp[j-1]
    154. 

  154. 	cbnz	x21,.Linner
    155. 

  155. 

  156. .Linner_skip:
    157. 

  157. 	ldr	x23,[x22],#8		// tp[j]
    158. 

  158. 	adc	x13,x13,xzr
    159. 

  159. 	adds	x6,x10,x7
    160. 

  160. 	sub	x1,x1,x5		// rewind x1
    161. 

  161. 	adc	x7,x11,xzr
    162. 

  162. 

  163. 	adds	x12,x16,x13
    164. 

  164. 	sub	x3,x3,x5		// rewind x3
    165. 

  165. 	adcs	x13,x17,x19
    166. 

  166. 	adc	x19,xzr,xzr
    167. 

  167. 

  168. 	adds	x6,x6,x23
    169. 

  169. 	adc	x7,x7,xzr
    170. 

  170. 

  171. 	adds	x12,x12,x6
    172. 

  172. 	adcs	x13,x13,x7
    173. 

  173. 	adc	x19,x19,xzr		// upmost overflow bit
    174. 

  174. 	stp	x12,x13,[x22,#-16]
    175. 

  175. 

  176. 	cbnz	x20,.Louter
    177. 

  177. 

  178. 	// Final step. We see if result is larger than modulus, and
    179. 

  179. 	// if it is, subtract the modulus. But comparison implies
    180. 

  180. 	// subtraction. So we subtract modulus, see if it borrowed,
    181. 

  181. 	// and conditionally copy original value.
    182. 

  182. 	ldr	x23,[sp]		// tp[0]
    183. 

  183. 	add	x22,sp,#8
    184. 

  184. 	ldr	x14,[x3],#8		// np[0]
    185. 

  185. 	subs	x21,x5,#8		// j=num-1 and clear borrow
    186. 

  186. 	mov	x1,x0
    187. 

  187. .Lsub:
    188. 

  188. 	sbcs	x8,x23,x14		// tp[j]-np[j]
    189. 

  189. 	ldr	x23,[x22],#8
    190. 

  190. 	sub	x21,x21,#8		// j--
    191. 

  191. 	ldr	x14,[x3],#8
    192. 

  192. 	str	x8,[x1],#8		// rp[j]=tp[j]-np[j]
    193. 

  193. 	cbnz	x21,.Lsub
    194. 

  194. 

  195. 	sbcs	x8,x23,x14
    196. 

  196. 	sbcs	x19,x19,xzr		// did it borrow?
    197. 

  197. 	str	x8,[x1],#8		// rp[num-1]
    198. 

  198. 

  199. 	ldr	x23,[sp]		// tp[0]
    200. 

  200. 	add	x22,sp,#8
    201. 

  201. 	ldr	x8,[x0],#8		// rp[0]
    202. 

  202. 	sub	x5,x5,#8		// num--
    203. 

  203. 	nop
    204. 

  204. .Lcond_copy:
    205. 

  205. 	sub	x5,x5,#8		// num--
    206. 

  206. 	csel	x14,x23,x8,lo		// did it borrow?
    207. 

  207. 	ldr	x23,[x22],#8
    208. 

  208. 	ldr	x8,[x0],#8
    209. 

  209. 	str	xzr,[x22,#-16]		// wipe tp
    210. 

  210. 	str	x14,[x0,#-16]
    211. 

  211. 	cbnz	x5,.Lcond_copy
    212. 

  212. 

  213. 	csel	x14,x23,x8,lo
    214. 

  214. 	str	xzr,[x22,#-8]		// wipe tp
    215. 

  215. 	str	x14,[x0,#-8]
    216. 

  216. 

  217. 	ldp	x19,x20,[x29,#16]
    218. 

  218. 	mov	sp,x29
    219. 

  219. 	ldp	x21,x22,[x29,#32]
    220. 

  220. 	mov	x0,#1
    221. 

  221. 	ldp	x23,x24,[x29,#48]
    222. 

  222. 	ldr	x29,[sp],#64
    223. 

  223. 	AARCH64_VALIDATE_LINK_REGISTER
    224. 

  224. 	ret
    225. 

  225. .size	bn_mul_mont,.-bn_mul_mont
    226. 

  226. .type	__bn_sqr8x_mont,%function
    227. 

  227. .align	5
    228. 

  228. __bn_sqr8x_mont:
    229. 

  229. 	// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to
    230. 

  230. 	// only from bn_mul_mont which has already signed the return address.
    231. 

  231. 	cmp	x1,x2
    232. 

  232. 	b.ne	__bn_mul4x_mont
    233. 

  233. .Lsqr8x_mont:
    234. 

  234. 	stp	x29,x30,[sp,#-128]!
    235. 

  235. 	add	x29,sp,#0
    236. 

  236. 	stp	x19,x20,[sp,#16]
    237. 

  237. 	stp	x21,x22,[sp,#32]
    238. 

  238. 	stp	x23,x24,[sp,#48]
    239. 

  239. 	stp	x25,x26,[sp,#64]
    240. 

  240. 	stp	x27,x28,[sp,#80]
    241. 

  241. 	stp	x0,x3,[sp,#96]	// offload rp and np
    242. 

  242. 

  243. 	ldp	x6,x7,[x1,#8*0]
    244. 

  244. 	ldp	x8,x9,[x1,#8*2]
    245. 

  245. 	ldp	x10,x11,[x1,#8*4]
    246. 

  246. 	ldp	x12,x13,[x1,#8*6]
    247. 

  247. 

  248. 	sub	x2,sp,x5,lsl#4
    249. 

  249. 	lsl	x5,x5,#3
    250. 

  250. 	ldr	x4,[x4]		// *n0
    251. 

  251. 	mov	sp,x2			// alloca
    252. 

  252. 	sub	x27,x5,#8*8
    253. 

  253. 	b	.Lsqr8x_zero_start
    254. 

  254. 

  255. .Lsqr8x_zero:
    256. 

  256. 	sub	x27,x27,#8*8
    257. 

  257. 	stp	xzr,xzr,[x2,#8*0]
    258. 

  258. 	stp	xzr,xzr,[x2,#8*2]
    259. 

  259. 	stp	xzr,xzr,[x2,#8*4]
    260. 

  260. 	stp	xzr,xzr,[x2,#8*6]
    261. 

  261. .Lsqr8x_zero_start:
    262. 

  262. 	stp	xzr,xzr,[x2,#8*8]
    263. 

  263. 	stp	xzr,xzr,[x2,#8*10]
    264. 

  264. 	stp	xzr,xzr,[x2,#8*12]
    265. 

  265. 	stp	xzr,xzr,[x2,#8*14]
    266. 

  266. 	add	x2,x2,#8*16
    267. 

  267. 	cbnz	x27,.Lsqr8x_zero
    268. 

  268. 

  269. 	add	x3,x1,x5
    270. 

  270. 	add	x1,x1,#8*8
    271. 

  271. 	mov	x19,xzr
    272. 

  272. 	mov	x20,xzr
    273. 

  273. 	mov	x21,xzr
    274. 

  274. 	mov	x22,xzr
    275. 

  275. 	mov	x23,xzr
    276. 

  276. 	mov	x24,xzr
    277. 

  277. 	mov	x25,xzr
    278. 

  278. 	mov	x26,xzr
    279. 

  279. 	mov	x2,sp
    280. 

  280. 	str	x4,[x29,#112]		// offload n0
    281. 

  281. 

  282. 	// Multiply everything but a[i]*a[i]
    283. 

  283. .align	4
    284. 

  284. .Lsqr8x_outer_loop:
    285. 

  285.         //                                                 a[1]a[0]	(i)
    286. 

  286.         //                                             a[2]a[0]
    287. 

  287.         //                                         a[3]a[0]
    288. 

  288.         //                                     a[4]a[0]
    289. 

  289.         //                                 a[5]a[0]
    290. 

  290.         //                             a[6]a[0]
    291. 

  291.         //                         a[7]a[0]
    292. 

  292.         //                                         a[2]a[1]		(ii)
    293. 

  293.         //                                     a[3]a[1]
    294. 

  294.         //                                 a[4]a[1]
    295. 

  295.         //                             a[5]a[1]
    296. 

  296.         //                         a[6]a[1]
    297. 

  297.         //                     a[7]a[1]
    298. 

  298.         //                                 a[3]a[2]			(iii)
    299. 

  299.         //                             a[4]a[2]
    300. 

  300.         //                         a[5]a[2]
    301. 

  301.         //                     a[6]a[2]
    302. 

  302.         //                 a[7]a[2]
    303. 

  303.         //                         a[4]a[3]				(iv)
    304. 

  304.         //                     a[5]a[3]
    305. 

  305.         //                 a[6]a[3]
    306. 

  306.         //             a[7]a[3]
    307. 

  307.         //                 a[5]a[4]					(v)
    308. 

  308.         //             a[6]a[4]
    309. 

  309.         //         a[7]a[4]
    310. 

  310.         //         a[6]a[5]						(vi)
    311. 

  311.         //     a[7]a[5]
    312. 

  312.         // a[7]a[6]							(vii)
    313. 

  313. 

  314. 	mul	x14,x7,x6		// lo(a[1..7]*a[0])		(i)
    315. 

  315. 	mul	x15,x8,x6
    316. 

  316. 	mul	x16,x9,x6
    317. 

  317. 	mul	x17,x10,x6
    318. 

  318. 	adds	x20,x20,x14		// t[1]+lo(a[1]*a[0])
    319. 

  319. 	mul	x14,x11,x6
    320. 

  320. 	adcs	x21,x21,x15
    321. 

  321. 	mul	x15,x12,x6
    322. 

  322. 	adcs	x22,x22,x16
    323. 

  323. 	mul	x16,x13,x6
    324. 

  324. 	adcs	x23,x23,x17
    325. 

  325. 	umulh	x17,x7,x6		// hi(a[1..7]*a[0])
    326. 

  326. 	adcs	x24,x24,x14
    327. 

  327. 	umulh	x14,x8,x6
    328. 

  328. 	adcs	x25,x25,x15
    329. 

  329. 	umulh	x15,x9,x6
    330. 

  330. 	adcs	x26,x26,x16
    331. 

  331. 	umulh	x16,x10,x6
    332. 

  332. 	stp	x19,x20,[x2],#8*2	// t[0..1]
    333. 

  333. 	adc	x19,xzr,xzr		// t[8]
    334. 

  334. 	adds	x21,x21,x17		// t[2]+lo(a[1]*a[0])
    335. 

  335. 	umulh	x17,x11,x6
    336. 

  336. 	adcs	x22,x22,x14
    337. 

  337. 	umulh	x14,x12,x6
    338. 

  338. 	adcs	x23,x23,x15
    339. 

  339. 	umulh	x15,x13,x6
    340. 

  340. 	adcs	x24,x24,x16
    341. 

  341. 	mul	x16,x8,x7		// lo(a[2..7]*a[1])		(ii)
    342. 

  342. 	adcs	x25,x25,x17
    343. 

  343. 	mul	x17,x9,x7
    344. 

  344. 	adcs	x26,x26,x14
    345. 

  345. 	mul	x14,x10,x7
    346. 

  346. 	adc	x19,x19,x15
    347. 

  347. 

  348. 	mul	x15,x11,x7
    349. 

  349. 	adds	x22,x22,x16
    350. 

  350. 	mul	x16,x12,x7
    351. 

  351. 	adcs	x23,x23,x17
    352. 

  352. 	mul	x17,x13,x7
    353. 

  353. 	adcs	x24,x24,x14
    354. 

  354. 	umulh	x14,x8,x7		// hi(a[2..7]*a[1])
    355. 

  355. 	adcs	x25,x25,x15
    356. 

  356. 	umulh	x15,x9,x7
    357. 

  357. 	adcs	x26,x26,x16
    358. 

  358. 	umulh	x16,x10,x7
    359. 

  359. 	adcs	x19,x19,x17
    360. 

  360. 	umulh	x17,x11,x7
    361. 

  361. 	stp	x21,x22,[x2],#8*2	// t[2..3]
    362. 

  362. 	adc	x20,xzr,xzr		// t[9]
    363. 

  363. 	adds	x23,x23,x14
    364. 

  364. 	umulh	x14,x12,x7
    365. 

  365. 	adcs	x24,x24,x15
    366. 

  366. 	umulh	x15,x13,x7
    367. 

  367. 	adcs	x25,x25,x16
    368. 

  368. 	mul	x16,x9,x8		// lo(a[3..7]*a[2])		(iii)
    369. 

  369. 	adcs	x26,x26,x17
    370. 

  370. 	mul	x17,x10,x8
    371. 

  371. 	adcs	x19,x19,x14
    372. 

  372. 	mul	x14,x11,x8
    373. 

  373. 	adc	x20,x20,x15
    374. 

  374. 

  375. 	mul	x15,x12,x8
    376. 

  376. 	adds	x24,x24,x16
    377. 

  377. 	mul	x16,x13,x8
    378. 

  378. 	adcs	x25,x25,x17
    379. 

  379. 	umulh	x17,x9,x8		// hi(a[3..7]*a[2])
    380. 

  380. 	adcs	x26,x26,x14
    381. 

  381. 	umulh	x14,x10,x8
    382. 

  382. 	adcs	x19,x19,x15
    383. 

  383. 	umulh	x15,x11,x8
    384. 

  384. 	adcs	x20,x20,x16
    385. 

  385. 	umulh	x16,x12,x8
    386. 

  386. 	stp	x23,x24,[x2],#8*2	// t[4..5]
    387. 

  387. 	adc	x21,xzr,xzr		// t[10]
    388. 

  388. 	adds	x25,x25,x17
    389. 

  389. 	umulh	x17,x13,x8
    390. 

  390. 	adcs	x26,x26,x14
    391. 

  391. 	mul	x14,x10,x9		// lo(a[4..7]*a[3])		(iv)
    392. 

  392. 	adcs	x19,x19,x15
    393. 

  393. 	mul	x15,x11,x9
    394. 

  394. 	adcs	x20,x20,x16
    395. 

  395. 	mul	x16,x12,x9
    396. 

  396. 	adc	x21,x21,x17
    397. 

  397. 

  398. 	mul	x17,x13,x9
    399. 

  399. 	adds	x26,x26,x14
    400. 

  400. 	umulh	x14,x10,x9		// hi(a[4..7]*a[3])
    401. 

  401. 	adcs	x19,x19,x15
    402. 

  402. 	umulh	x15,x11,x9
    403. 

  403. 	adcs	x20,x20,x16
    404. 

  404. 	umulh	x16,x12,x9
    405. 

  405. 	adcs	x21,x21,x17
    406. 

  406. 	umulh	x17,x13,x9
    407. 

  407. 	stp	x25,x26,[x2],#8*2	// t[6..7]
    408. 

  408. 	adc	x22,xzr,xzr		// t[11]
    409. 

  409. 	adds	x19,x19,x14
    410. 

  410. 	mul	x14,x11,x10		// lo(a[5..7]*a[4])		(v)
    411. 

  411. 	adcs	x20,x20,x15
    412. 

  412. 	mul	x15,x12,x10
    413. 

  413. 	adcs	x21,x21,x16
    414. 

  414. 	mul	x16,x13,x10
    415. 

  415. 	adc	x22,x22,x17
    416. 

  416. 

  417. 	umulh	x17,x11,x10		// hi(a[5..7]*a[4])
    418. 

  418. 	adds	x20,x20,x14
    419. 

  419. 	umulh	x14,x12,x10
    420. 

  420. 	adcs	x21,x21,x15
    421. 

  421. 	umulh	x15,x13,x10
    422. 

  422. 	adcs	x22,x22,x16
    423. 

  423. 	mul	x16,x12,x11		// lo(a[6..7]*a[5])		(vi)
    424. 

  424. 	adc	x23,xzr,xzr		// t[12]
    425. 

  425. 	adds	x21,x21,x17
    426. 

  426. 	mul	x17,x13,x11
    427. 

  427. 	adcs	x22,x22,x14
    428. 

  428. 	umulh	x14,x12,x11		// hi(a[6..7]*a[5])
    429. 

  429. 	adc	x23,x23,x15
    430. 

  430. 

  431. 	umulh	x15,x13,x11
    432. 

  432. 	adds	x22,x22,x16
    433. 

  433. 	mul	x16,x13,x12		// lo(a[7]*a[6])		(vii)
    434. 

  434. 	adcs	x23,x23,x17
    435. 

  435. 	umulh	x17,x13,x12		// hi(a[7]*a[6])
    436. 

  436. 	adc	x24,xzr,xzr		// t[13]
    437. 

  437. 	adds	x23,x23,x14
    438. 

  438. 	sub	x27,x3,x1	// done yet?
    439. 

  439. 	adc	x24,x24,x15
    440. 

  440. 

  441. 	adds	x24,x24,x16
    442. 

  442. 	sub	x14,x3,x5	// rewinded ap
    443. 

  443. 	adc	x25,xzr,xzr		// t[14]
    444. 

  444. 	add	x25,x25,x17
    445. 

  445. 

  446. 	cbz	x27,.Lsqr8x_outer_break
    447. 

  447. 

  448. 	mov	x4,x6
    449. 

  449. 	ldp	x6,x7,[x2,#8*0]
    450. 

  450. 	ldp	x8,x9,[x2,#8*2]
    451. 

  451. 	ldp	x10,x11,[x2,#8*4]
    452. 

  452. 	ldp	x12,x13,[x2,#8*6]
    453. 

  453. 	adds	x19,x19,x6
    454. 

  454. 	adcs	x20,x20,x7
    455. 

  455. 	ldp	x6,x7,[x1,#8*0]
    456. 

  456. 	adcs	x21,x21,x8
    457. 

  457. 	adcs	x22,x22,x9
    458. 

  458. 	ldp	x8,x9,[x1,#8*2]
    459. 

  459. 	adcs	x23,x23,x10
    460. 

  460. 	adcs	x24,x24,x11
    461. 

  461. 	ldp	x10,x11,[x1,#8*4]
    462. 

  462. 	adcs	x25,x25,x12
    463. 

  463. 	mov	x0,x1
    464. 

  464. 	adcs	x26,xzr,x13
    465. 

  465. 	ldp	x12,x13,[x1,#8*6]
    466. 

  466. 	add	x1,x1,#8*8
    467. 

  467. 	//adc	x28,xzr,xzr		// moved below
    468. 

  468. 	mov	x27,#-8*8
    469. 

  469. 

  470. 	//                                                         a[8]a[0]
    471. 

  471. 	//                                                     a[9]a[0]
    472. 

  472. 	//                                                 a[a]a[0]
    473. 

  473. 	//                                             a[b]a[0]
    474. 

  474. 	//                                         a[c]a[0]
    475. 

  475. 	//                                     a[d]a[0]
    476. 

  476. 	//                                 a[e]a[0]
    477. 

  477. 	//                             a[f]a[0]
    478. 

  478. 	//                                                     a[8]a[1]
    479. 

  479. 	//                         a[f]a[1]........................
    480. 

  480. 	//                                                 a[8]a[2]
    481. 

  481. 	//                     a[f]a[2]........................
    482. 

  482. 	//                                             a[8]a[3]
    483. 

  483. 	//                 a[f]a[3]........................
    484. 

  484. 	//                                         a[8]a[4]
    485. 

  485. 	//             a[f]a[4]........................
    486. 

  486. 	//                                     a[8]a[5]
    487. 

  487. 	//         a[f]a[5]........................
    488. 

  488. 	//                                 a[8]a[6]
    489. 

  489. 	//     a[f]a[6]........................
    490. 

  490. 	//                             a[8]a[7]
    491. 

  491. 	// a[f]a[7]........................
    492. 

  492. .Lsqr8x_mul:
    493. 

  493. 	mul	x14,x6,x4
    494. 

  494. 	adc	x28,xzr,xzr		// carry bit, modulo-scheduled
    495. 

  495. 	mul	x15,x7,x4
    496. 

  496. 	add	x27,x27,#8
    497. 

  497. 	mul	x16,x8,x4
    498. 

  498. 	mul	x17,x9,x4
    499. 

  499. 	adds	x19,x19,x14
    500. 

  500. 	mul	x14,x10,x4
    501. 

  501. 	adcs	x20,x20,x15
    502. 

  502. 	mul	x15,x11,x4
    503. 

  503. 	adcs	x21,x21,x16
    504. 

  504. 	mul	x16,x12,x4
    505. 

  505. 	adcs	x22,x22,x17
    506. 

  506. 	mul	x17,x13,x4
    507. 

  507. 	adcs	x23,x23,x14
    508. 

  508. 	umulh	x14,x6,x4
    509. 

  509. 	adcs	x24,x24,x15
    510. 

  510. 	umulh	x15,x7,x4
    511. 

  511. 	adcs	x25,x25,x16
    512. 

  512. 	umulh	x16,x8,x4
    513. 

  513. 	adcs	x26,x26,x17
    514. 

  514. 	umulh	x17,x9,x4
    515. 

  515. 	adc	x28,x28,xzr
    516. 

  516. 	str	x19,[x2],#8
    517. 

  517. 	adds	x19,x20,x14
    518. 

  518. 	umulh	x14,x10,x4
    519. 

  519. 	adcs	x20,x21,x15
    520. 

  520. 	umulh	x15,x11,x4
    521. 

  521. 	adcs	x21,x22,x16
    522. 

  522. 	umulh	x16,x12,x4
    523. 

  523. 	adcs	x22,x23,x17
    524. 

  524. 	umulh	x17,x13,x4
    525. 

  525. 	ldr	x4,[x0,x27]
    526. 

  526. 	adcs	x23,x24,x14
    527. 

  527. 	adcs	x24,x25,x15
    528. 

  528. 	adcs	x25,x26,x16
    529. 

  529. 	adcs	x26,x28,x17
    530. 

  530. 	//adc	x28,xzr,xzr		// moved above
    531. 

  531. 	cbnz	x27,.Lsqr8x_mul
    532. 

  532. 					// note that carry flag is guaranteed
    533. 

  533. 					// to be zero at this point
    534. 

  534. 	cmp	x1,x3		// done yet?
    535. 

  535. 	b.eq	.Lsqr8x_break
    536. 

  536. 

  537. 	ldp	x6,x7,[x2,#8*0]
    538. 

  538. 	ldp	x8,x9,[x2,#8*2]
    539. 

  539. 	ldp	x10,x11,[x2,#8*4]
    540. 

  540. 	ldp	x12,x13,[x2,#8*6]
    541. 

  541. 	adds	x19,x19,x6
    542. 

  542. 	ldr	x4,[x0,#-8*8]
    543. 

  543. 	adcs	x20,x20,x7
    544. 

  544. 	ldp	x6,x7,[x1,#8*0]
    545. 

  545. 	adcs	x21,x21,x8
    546. 

  546. 	adcs	x22,x22,x9
    547. 

  547. 	ldp	x8,x9,[x1,#8*2]
    548. 

  548. 	adcs	x23,x23,x10
    549. 

  549. 	adcs	x24,x24,x11
    550. 

  550. 	ldp	x10,x11,[x1,#8*4]
    551. 

  551. 	adcs	x25,x25,x12
    552. 

  552. 	mov	x27,#-8*8
    553. 

  553. 	adcs	x26,x26,x13
    554. 

  554. 	ldp	x12,x13,[x1,#8*6]
    555. 

  555. 	add	x1,x1,#8*8
    556. 

  556. 	//adc	x28,xzr,xzr		// moved above
    557. 

  557. 	b	.Lsqr8x_mul
    558. 

  558. 

  559. .align	4
    560. 

  560. .Lsqr8x_break:
    561. 

  561. 	ldp	x6,x7,[x0,#8*0]
    562. 

  562. 	add	x1,x0,#8*8
    563. 

  563. 	ldp	x8,x9,[x0,#8*2]
    564. 

  564. 	sub	x14,x3,x1		// is it last iteration?
    565. 

  565. 	ldp	x10,x11,[x0,#8*4]
    566. 

  566. 	sub	x15,x2,x14
    567. 

  567. 	ldp	x12,x13,[x0,#8*6]
    568. 

  568. 	cbz	x14,.Lsqr8x_outer_loop
    569. 

  569. 

  570. 	stp	x19,x20,[x2,#8*0]
    571. 

  571. 	ldp	x19,x20,[x15,#8*0]
    572. 

  572. 	stp	x21,x22,[x2,#8*2]
    573. 

  573. 	ldp	x21,x22,[x15,#8*2]
    574. 

  574. 	stp	x23,x24,[x2,#8*4]
    575. 

  575. 	ldp	x23,x24,[x15,#8*4]
    576. 

  576. 	stp	x25,x26,[x2,#8*6]
    577. 

  577. 	mov	x2,x15
    578. 

  578. 	ldp	x25,x26,[x15,#8*6]
    579. 

  579. 	b	.Lsqr8x_outer_loop
    580. 

  580. 

  581. .align	4
    582. 

  582. .Lsqr8x_outer_break:
    583. 

  583. 	// Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]
    584. 

  584. 	ldp	x7,x9,[x14,#8*0]	// recall that x14 is &a[0]
    585. 

  585. 	ldp	x15,x16,[sp,#8*1]
    586. 

  586. 	ldp	x11,x13,[x14,#8*2]
    587. 

  587. 	add	x1,x14,#8*4
    588. 

  588. 	ldp	x17,x14,[sp,#8*3]
    589. 

  589. 

  590. 	stp	x19,x20,[x2,#8*0]
    591. 

  591. 	mul	x19,x7,x7
    592. 

  592. 	stp	x21,x22,[x2,#8*2]
    593. 

  593. 	umulh	x7,x7,x7
    594. 

  594. 	stp	x23,x24,[x2,#8*4]
    595. 

  595. 	mul	x8,x9,x9
    596. 

  596. 	stp	x25,x26,[x2,#8*6]
    597. 

  597. 	mov	x2,sp
    598. 

  598. 	umulh	x9,x9,x9
    599. 

  599. 	adds	x20,x7,x15,lsl#1
    600. 

  600. 	extr	x15,x16,x15,#63
    601. 

  601. 	sub	x27,x5,#8*4
    602. 

  602. 

  603. .Lsqr4x_shift_n_add:
    604. 

  604. 	adcs	x21,x8,x15
    605. 

  605. 	extr	x16,x17,x16,#63
    606. 

  606. 	sub	x27,x27,#8*4
    607. 

  607. 	adcs	x22,x9,x16
    608. 

  608. 	ldp	x15,x16,[x2,#8*5]
    609. 

  609. 	mul	x10,x11,x11
    610. 

  610. 	ldp	x7,x9,[x1],#8*2
    611. 

  611. 	umulh	x11,x11,x11
    612. 

  612. 	mul	x12,x13,x13
    613. 

  613. 	umulh	x13,x13,x13
    614. 

  614. 	extr	x17,x14,x17,#63
    615. 

  615. 	stp	x19,x20,[x2,#8*0]
    616. 

  616. 	adcs	x23,x10,x17
    617. 

  617. 	extr	x14,x15,x14,#63
    618. 

  618. 	stp	x21,x22,[x2,#8*2]
    619. 

  619. 	adcs	x24,x11,x14
    620. 

  620. 	ldp	x17,x14,[x2,#8*7]
    621. 

  621. 	extr	x15,x16,x15,#63
    622. 

  622. 	adcs	x25,x12,x15
    623. 

  623. 	extr	x16,x17,x16,#63
    624. 

  624. 	adcs	x26,x13,x16
    625. 

  625. 	ldp	x15,x16,[x2,#8*9]
    626. 

  626. 	mul	x6,x7,x7
    627. 

  627. 	ldp	x11,x13,[x1],#8*2
    628. 

  628. 	umulh	x7,x7,x7
    629. 

  629. 	mul	x8,x9,x9
    630. 

  630. 	umulh	x9,x9,x9
    631. 

  631. 	stp	x23,x24,[x2,#8*4]
    632. 

  632. 	extr	x17,x14,x17,#63
    633. 

  633. 	stp	x25,x26,[x2,#8*6]
    634. 

  634. 	add	x2,x2,#8*8
    635. 

  635. 	adcs	x19,x6,x17
    636. 

  636. 	extr	x14,x15,x14,#63
    637. 

  637. 	adcs	x20,x7,x14
    638. 

  638. 	ldp	x17,x14,[x2,#8*3]
    639. 

  639. 	extr	x15,x16,x15,#63
    640. 

  640. 	cbnz	x27,.Lsqr4x_shift_n_add
    641. 

  641. 	ldp	x1,x4,[x29,#104]	// pull np and n0
    642. 

  642. 

  643. 	adcs	x21,x8,x15
    644. 

  644. 	extr	x16,x17,x16,#63
    645. 

  645. 	adcs	x22,x9,x16
    646. 

  646. 	ldp	x15,x16,[x2,#8*5]
    647. 

  647. 	mul	x10,x11,x11
    648. 

  648. 	umulh	x11,x11,x11
    649. 

  649. 	stp	x19,x20,[x2,#8*0]
    650. 

  650. 	mul	x12,x13,x13
    651. 

  651. 	umulh	x13,x13,x13
    652. 

  652. 	stp	x21,x22,[x2,#8*2]
    653. 

  653. 	extr	x17,x14,x17,#63
    654. 

  654. 	adcs	x23,x10,x17
    655. 

  655. 	extr	x14,x15,x14,#63
    656. 

  656. 	ldp	x19,x20,[sp,#8*0]
    657. 

  657. 	adcs	x24,x11,x14
    658. 

  658. 	extr	x15,x16,x15,#63
    659. 

  659. 	ldp	x6,x7,[x1,#8*0]
    660. 

  660. 	adcs	x25,x12,x15
    661. 

  661. 	extr	x16,xzr,x16,#63
    662. 

  662. 	ldp	x8,x9,[x1,#8*2]
    663. 

  663. 	adc	x26,x13,x16
    664. 

  664. 	ldp	x10,x11,[x1,#8*4]
    665. 

  665. 

  666. 	// Reduce by 512 bits per iteration
    667. 

  667. 	mul	x28,x4,x19		// t[0]*n0
    668. 

  668. 	ldp	x12,x13,[x1,#8*6]
    669. 

  669. 	add	x3,x1,x5
    670. 

  670. 	ldp	x21,x22,[sp,#8*2]
    671. 

  671. 	stp	x23,x24,[x2,#8*4]
    672. 

  672. 	ldp	x23,x24,[sp,#8*4]
    673. 

  673. 	stp	x25,x26,[x2,#8*6]
    674. 

  674. 	ldp	x25,x26,[sp,#8*6]
    675. 

  675. 	add	x1,x1,#8*8
    676. 

  676. 	mov	x30,xzr		// initial top-most carry
    677. 

  677. 	mov	x2,sp
    678. 

  678. 	mov	x27,#8
    679. 

  679. 

  680. .Lsqr8x_reduction:
    681. 

  681. 	// (*)	mul	x14,x6,x28	// lo(n[0-7])*lo(t[0]*n0)
    682. 

  682. 	mul	x15,x7,x28
    683. 

  683. 	sub	x27,x27,#1
    684. 

  684. 	mul	x16,x8,x28
    685. 

  685. 	str	x28,[x2],#8		// put aside t[0]*n0 for tail processing
    686. 

  686. 	mul	x17,x9,x28
    687. 

  687. 	// (*)	adds	xzr,x19,x14
    688. 

  688. 	subs	xzr,x19,#1		// (*)
    689. 

  689. 	mul	x14,x10,x28
    690. 

  690. 	adcs	x19,x20,x15
    691. 

  691. 	mul	x15,x11,x28
    692. 

  692. 	adcs	x20,x21,x16
    693. 

  693. 	mul	x16,x12,x28
    694. 

  694. 	adcs	x21,x22,x17
    695. 

  695. 	mul	x17,x13,x28
    696. 

  696. 	adcs	x22,x23,x14
    697. 

  697. 	umulh	x14,x6,x28		// hi(n[0-7])*lo(t[0]*n0)
    698. 

  698. 	adcs	x23,x24,x15
    699. 

  699. 	umulh	x15,x7,x28
    700. 

  700. 	adcs	x24,x25,x16
    701. 

  701. 	umulh	x16,x8,x28
    702. 

  702. 	adcs	x25,x26,x17
    703. 

  703. 	umulh	x17,x9,x28
    704. 

  704. 	adc	x26,xzr,xzr
    705. 

  705. 	adds	x19,x19,x14
    706. 

  706. 	umulh	x14,x10,x28
    707. 

  707. 	adcs	x20,x20,x15
    708. 

  708. 	umulh	x15,x11,x28
    709. 

  709. 	adcs	x21,x21,x16
    710. 

  710. 	umulh	x16,x12,x28
    711. 

  711. 	adcs	x22,x22,x17
    712. 

  712. 	umulh	x17,x13,x28
    713. 

  713. 	mul	x28,x4,x19		// next t[0]*n0
    714. 

  714. 	adcs	x23,x23,x14
    715. 

  715. 	adcs	x24,x24,x15
    716. 

  716. 	adcs	x25,x25,x16
    717. 

  717. 	adc	x26,x26,x17
    718. 

  718. 	cbnz	x27,.Lsqr8x_reduction
    719. 

  719. 

  720. 	ldp	x14,x15,[x2,#8*0]
    721. 

  721. 	ldp	x16,x17,[x2,#8*2]
    722. 

  722. 	mov	x0,x2
    723. 

  723. 	sub	x27,x3,x1	// done yet?
    724. 

  724. 	adds	x19,x19,x14
    725. 

  725. 	adcs	x20,x20,x15
    726. 

  726. 	ldp	x14,x15,[x2,#8*4]
    727. 

  727. 	adcs	x21,x21,x16
    728. 

  728. 	adcs	x22,x22,x17
    729. 

  729. 	ldp	x16,x17,[x2,#8*6]
    730. 

  730. 	adcs	x23,x23,x14
    731. 

  731. 	adcs	x24,x24,x15
    732. 

  732. 	adcs	x25,x25,x16
    733. 

  733. 	adcs	x26,x26,x17
    734. 

  734. 	//adc	x28,xzr,xzr		// moved below
    735. 

  735. 	cbz	x27,.Lsqr8x8_post_condition
    736. 

  736. 

  737. 	ldr	x4,[x2,#-8*8]
    738. 

  738. 	ldp	x6,x7,[x1,#8*0]
    739. 

  739. 	ldp	x8,x9,[x1,#8*2]
    740. 

  740. 	ldp	x10,x11,[x1,#8*4]
    741. 

  741. 	mov	x27,#-8*8
    742. 

  742. 	ldp	x12,x13,[x1,#8*6]
    743. 

  743. 	add	x1,x1,#8*8
    744. 

  744. 

  745. .Lsqr8x_tail:
    746. 

  746. 	mul	x14,x6,x4
    747. 

  747. 	adc	x28,xzr,xzr		// carry bit, modulo-scheduled
    748. 

  748. 	mul	x15,x7,x4
    749. 

  749. 	add	x27,x27,#8
    750. 

  750. 	mul	x16,x8,x4
    751. 

  751. 	mul	x17,x9,x4
    752. 

  752. 	adds	x19,x19,x14
    753. 

  753. 	mul	x14,x10,x4
    754. 

  754. 	adcs	x20,x20,x15
    755. 

  755. 	mul	x15,x11,x4
    756. 

  756. 	adcs	x21,x21,x16
    757. 

  757. 	mul	x16,x12,x4
    758. 

  758. 	adcs	x22,x22,x17
    759. 

  759. 	mul	x17,x13,x4
    760. 

  760. 	adcs	x23,x23,x14
    761. 

  761. 	umulh	x14,x6,x4
    762. 

  762. 	adcs	x24,x24,x15
    763. 

  763. 	umulh	x15,x7,x4
    764. 

  764. 	adcs	x25,x25,x16
    765. 

  765. 	umulh	x16,x8,x4
    766. 

  766. 	adcs	x26,x26,x17
    767. 

  767. 	umulh	x17,x9,x4
    768. 

  768. 	adc	x28,x28,xzr
    769. 

  769. 	str	x19,[x2],#8
    770. 

  770. 	adds	x19,x20,x14
    771. 

  771. 	umulh	x14,x10,x4
    772. 

  772. 	adcs	x20,x21,x15
    773. 

  773. 	umulh	x15,x11,x4
    774. 

  774. 	adcs	x21,x22,x16
    775. 

  775. 	umulh	x16,x12,x4
    776. 

  776. 	adcs	x22,x23,x17
    777. 

  777. 	umulh	x17,x13,x4
    778. 

  778. 	ldr	x4,[x0,x27]
    779. 

  779. 	adcs	x23,x24,x14
    780. 

  780. 	adcs	x24,x25,x15
    781. 

  781. 	adcs	x25,x26,x16
    782. 

  782. 	adcs	x26,x28,x17
    783. 

  783. 	//adc	x28,xzr,xzr		// moved above
    784. 

  784. 	cbnz	x27,.Lsqr8x_tail
    785. 

  785. 					// note that carry flag is guaranteed
    786. 

  786. 					// to be zero at this point
    787. 

  787. 	ldp	x6,x7,[x2,#8*0]
    788. 

  788. 	sub	x27,x3,x1	// done yet?
    789. 

  789. 	sub	x16,x3,x5	// rewinded np
    790. 

  790. 	ldp	x8,x9,[x2,#8*2]
    791. 

  791. 	ldp	x10,x11,[x2,#8*4]
    792. 

  792. 	ldp	x12,x13,[x2,#8*6]
    793. 

  793. 	cbz	x27,.Lsqr8x_tail_break
    794. 

  794. 

  795. 	ldr	x4,[x0,#-8*8]
    796. 

  796. 	adds	x19,x19,x6
    797. 

  797. 	adcs	x20,x20,x7
    798. 

  798. 	ldp	x6,x7,[x1,#8*0]
    799. 

  799. 	adcs	x21,x21,x8
    800. 

  800. 	adcs	x22,x22,x9
    801. 

  801. 	ldp	x8,x9,[x1,#8*2]
    802. 

  802. 	adcs	x23,x23,x10
    803. 

  803. 	adcs	x24,x24,x11
    804. 

  804. 	ldp	x10,x11,[x1,#8*4]
    805. 

  805. 	adcs	x25,x25,x12
    806. 

  806. 	mov	x27,#-8*8
    807. 

  807. 	adcs	x26,x26,x13
    808. 

  808. 	ldp	x12,x13,[x1,#8*6]
    809. 

  809. 	add	x1,x1,#8*8
    810. 

  810. 	//adc	x28,xzr,xzr		// moved above
    811. 

  811. 	b	.Lsqr8x_tail
    812. 

  812. 

  813. .align	4
    814. 

  814. .Lsqr8x_tail_break:
    815. 

  815. 	ldr	x4,[x29,#112]		// pull n0
    816. 

  816. 	add	x27,x2,#8*8		// end of current t[num] window
    817. 

  817. 

  818. 	subs	xzr,x30,#1		// "move" top-most carry to carry bit
    819. 

  819. 	adcs	x14,x19,x6
    820. 

  820. 	adcs	x15,x20,x7
    821. 

  821. 	ldp	x19,x20,[x0,#8*0]
    822. 

  822. 	adcs	x21,x21,x8
    823. 

  823. 	ldp	x6,x7,[x16,#8*0]	// recall that x16 is &n[0]
    824. 

  824. 	adcs	x22,x22,x9
    825. 

  825. 	ldp	x8,x9,[x16,#8*2]
    826. 

  826. 	adcs	x23,x23,x10
    827. 

  827. 	adcs	x24,x24,x11
    828. 

  828. 	ldp	x10,x11,[x16,#8*4]
    829. 

  829. 	adcs	x25,x25,x12
    830. 

  830. 	adcs	x26,x26,x13
    831. 

  831. 	ldp	x12,x13,[x16,#8*6]
    832. 

  832. 	add	x1,x16,#8*8
    833. 

  833. 	adc	x30,xzr,xzr	// top-most carry
    834. 

  834. 	mul	x28,x4,x19
    835. 

  835. 	stp	x14,x15,[x2,#8*0]
    836. 

  836. 	stp	x21,x22,[x2,#8*2]
    837. 

  837. 	ldp	x21,x22,[x0,#8*2]
    838. 

  838. 	stp	x23,x24,[x2,#8*4]
    839. 

  839. 	ldp	x23,x24,[x0,#8*4]
    840. 

  840. 	cmp	x27,x29		// did we hit the bottom?
    841. 

  841. 	stp	x25,x26,[x2,#8*6]
    842. 

  842. 	mov	x2,x0			// slide the window
    843. 

  843. 	ldp	x25,x26,[x0,#8*6]
    844. 

  844. 	mov	x27,#8
    845. 

  845. 	b.ne	.Lsqr8x_reduction
    846. 

  846. 

  847. 	// Final step. We see if result is larger than modulus, and
    848. 

  848. 	// if it is, subtract the modulus. But comparison implies
    849. 

  849. 	// subtraction. So we subtract modulus, see if it borrowed,
    850. 

  850. 	// and conditionally copy original value.
    851. 

  851. 	ldr	x0,[x29,#96]		// pull rp
    852. 

  852. 	add	x2,x2,#8*8
    853. 

  853. 	subs	x14,x19,x6
    854. 

  854. 	sbcs	x15,x20,x7
    855. 

  855. 	sub	x27,x5,#8*8
    856. 

  856. 	mov	x3,x0		// x0 copy
    857. 

  857. 

  858. .Lsqr8x_sub:
    859. 

  859. 	sbcs	x16,x21,x8
    860. 

  860. 	ldp	x6,x7,[x1,#8*0]
    861. 

  861. 	sbcs	x17,x22,x9
    862. 

  862. 	stp	x14,x15,[x0,#8*0]
    863. 

  863. 	sbcs	x14,x23,x10
    864. 

  864. 	ldp	x8,x9,[x1,#8*2]
    865. 

  865. 	sbcs	x15,x24,x11
    866. 

  866. 	stp	x16,x17,[x0,#8*2]
    867. 

  867. 	sbcs	x16,x25,x12
    868. 

  868. 	ldp	x10,x11,[x1,#8*4]
    869. 

  869. 	sbcs	x17,x26,x13
    870. 

  870. 	ldp	x12,x13,[x1,#8*6]
    871. 

  871. 	add	x1,x1,#8*8
    872. 

  872. 	ldp	x19,x20,[x2,#8*0]
    873. 

  873. 	sub	x27,x27,#8*8
    874. 

  874. 	ldp	x21,x22,[x2,#8*2]
    875. 

  875. 	ldp	x23,x24,[x2,#8*4]
    876. 

  876. 	ldp	x25,x26,[x2,#8*6]
    877. 

  877. 	add	x2,x2,#8*8
    878. 

  878. 	stp	x14,x15,[x0,#8*4]
    879. 

  879. 	sbcs	x14,x19,x6
    880. 

  880. 	stp	x16,x17,[x0,#8*6]
    881. 

  881. 	add	x0,x0,#8*8
    882. 

  882. 	sbcs	x15,x20,x7
    883. 

  883. 	cbnz	x27,.Lsqr8x_sub
    884. 

  884. 

  885. 	sbcs	x16,x21,x8
    886. 

  886. 	mov	x2,sp
    887. 

  887. 	add	x1,sp,x5
    888. 

  888. 	ldp	x6,x7,[x3,#8*0]
    889. 

  889. 	sbcs	x17,x22,x9
    890. 

  890. 	stp	x14,x15,[x0,#8*0]
    891. 

  891. 	sbcs	x14,x23,x10
    892. 

  892. 	ldp	x8,x9,[x3,#8*2]
    893. 

  893. 	sbcs	x15,x24,x11
    894. 

  894. 	stp	x16,x17,[x0,#8*2]
    895. 

  895. 	sbcs	x16,x25,x12
    896. 

  896. 	ldp	x19,x20,[x1,#8*0]
    897. 

  897. 	sbcs	x17,x26,x13
    898. 

  898. 	ldp	x21,x22,[x1,#8*2]
    899. 

  899. 	sbcs	xzr,x30,xzr	// did it borrow?
    900. 

  900. 	ldr	x30,[x29,#8]		// pull return address
    901. 

  901. 	stp	x14,x15,[x0,#8*4]
    902. 

  902. 	stp	x16,x17,[x0,#8*6]
    903. 

  903. 

  904. 	sub	x27,x5,#8*4
    905. 

  905. .Lsqr4x_cond_copy:
    906. 

  906. 	sub	x27,x27,#8*4
    907. 

  907. 	csel	x14,x19,x6,lo
    908. 

  908. 	stp	xzr,xzr,[x2,#8*0]
    909. 

  909. 	csel	x15,x20,x7,lo
    910. 

  910. 	ldp	x6,x7,[x3,#8*4]
    911. 

  911. 	ldp	x19,x20,[x1,#8*4]
    912. 

  912. 	csel	x16,x21,x8,lo
    913. 

  913. 	stp	xzr,xzr,[x2,#8*2]
    914. 

  914. 	add	x2,x2,#8*4
    915. 

  915. 	csel	x17,x22,x9,lo
    916. 

  916. 	ldp	x8,x9,[x3,#8*6]
    917. 

  917. 	ldp	x21,x22,[x1,#8*6]
    918. 

  918. 	add	x1,x1,#8*4
    919. 

  919. 	stp	x14,x15,[x3,#8*0]
    920. 

  920. 	stp	x16,x17,[x3,#8*2]
    921. 

  921. 	add	x3,x3,#8*4
    922. 

  922. 	stp	xzr,xzr,[x1,#8*0]
    923. 

  923. 	stp	xzr,xzr,[x1,#8*2]
    924. 

  924. 	cbnz	x27,.Lsqr4x_cond_copy
    925. 

  925. 

  926. 	csel	x14,x19,x6,lo
    927. 

  927. 	stp	xzr,xzr,[x2,#8*0]
    928. 

  928. 	csel	x15,x20,x7,lo
    929. 

  929. 	stp	xzr,xzr,[x2,#8*2]
    930. 

  930. 	csel	x16,x21,x8,lo
    931. 

  931. 	csel	x17,x22,x9,lo
    932. 

  932. 	stp	x14,x15,[x3,#8*0]
    933. 

  933. 	stp	x16,x17,[x3,#8*2]
    934. 

  934. 

  935. 	b	.Lsqr8x_done
    936. 

  936. 

  937. .align	4
    938. 

  938. .Lsqr8x8_post_condition:
    939. 

  939. 	adc	x28,xzr,xzr
    940. 

  940. 	ldr	x30,[x29,#8]		// pull return address
    941. 

  941. 	// x19-7,x28 hold result, x6-7 hold modulus
    942. 

  942. 	subs	x6,x19,x6
    943. 

  943. 	ldr	x1,[x29,#96]		// pull rp
    944. 

  944. 	sbcs	x7,x20,x7
    945. 

  945. 	stp	xzr,xzr,[sp,#8*0]
    946. 

  946. 	sbcs	x8,x21,x8
    947. 

  947. 	stp	xzr,xzr,[sp,#8*2]
    948. 

  948. 	sbcs	x9,x22,x9
    949. 

  949. 	stp	xzr,xzr,[sp,#8*4]
    950. 

  950. 	sbcs	x10,x23,x10
    951. 

  951. 	stp	xzr,xzr,[sp,#8*6]
    952. 

  952. 	sbcs	x11,x24,x11
    953. 

  953. 	stp	xzr,xzr,[sp,#8*8]
    954. 

  954. 	sbcs	x12,x25,x12
    955. 

  955. 	stp	xzr,xzr,[sp,#8*10]
    956. 

  956. 	sbcs	x13,x26,x13
    957. 

  957. 	stp	xzr,xzr,[sp,#8*12]
    958. 

  958. 	sbcs	x28,x28,xzr	// did it borrow?
    959. 

  959. 	stp	xzr,xzr,[sp,#8*14]
    960. 

  960. 

  961. 	// x6-7 hold result-modulus
    962. 

  962. 	csel	x6,x19,x6,lo
    963. 

  963. 	csel	x7,x20,x7,lo
    964. 

  964. 	csel	x8,x21,x8,lo
    965. 

  965. 	csel	x9,x22,x9,lo
    966. 

  966. 	stp	x6,x7,[x1,#8*0]
    967. 

  967. 	csel	x10,x23,x10,lo
    968. 

  968. 	csel	x11,x24,x11,lo
    969. 

  969. 	stp	x8,x9,[x1,#8*2]
    970. 

  970. 	csel	x12,x25,x12,lo
    971. 

  971. 	csel	x13,x26,x13,lo
    972. 

  972. 	stp	x10,x11,[x1,#8*4]
    973. 

  973. 	stp	x12,x13,[x1,#8*6]
    974. 

  974. 

  975. .Lsqr8x_done:
    976. 

  976. 	ldp	x19,x20,[x29,#16]
    977. 

  977. 	mov	sp,x29
    978. 

  978. 	ldp	x21,x22,[x29,#32]
    979. 

  979. 	mov	x0,#1
    980. 

  980. 	ldp	x23,x24,[x29,#48]
    981. 

  981. 	ldp	x25,x26,[x29,#64]
    982. 

  982. 	ldp	x27,x28,[x29,#80]
    983. 

  983. 	ldr	x29,[sp],#128
    984. 

  984. 	// x30 is popped earlier
    985. 

  985. 	AARCH64_VALIDATE_LINK_REGISTER
    986. 

  986. 	ret
    987. 

  987. .size	__bn_sqr8x_mont,.-__bn_sqr8x_mont
    988. 

  988. .type	__bn_mul4x_mont,%function
    989. 

  989. .align	5
    990. 

  990. __bn_mul4x_mont:
    991. 

  991. 	// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to
    992. 

  992. 	// only from bn_mul_mont or __bn_mul8x_mont which have already signed the
    993. 

  993. 	// return address.
    994. 

  994. 	stp	x29,x30,[sp,#-128]!
    995. 

  995. 	add	x29,sp,#0
    996. 

  996. 	stp	x19,x20,[sp,#16]
    997. 

  997. 	stp	x21,x22,[sp,#32]
    998. 

  998. 	stp	x23,x24,[sp,#48]
    999. 

  999. 	stp	x25,x26,[sp,#64]
    1000. 

  1000. 	stp	x27,x28,[sp,#80]
    1001. 

  1001. 

  1002. 	sub	x26,sp,x5,lsl#3
    1003. 

  1003. 	lsl	x5,x5,#3
    1004. 

  1004. 	ldr	x4,[x4]		// *n0
    1005. 

  1005. 	sub	sp,x26,#8*4		// alloca
    1006. 

  1006. 

  1007. 	add	x10,x2,x5
    1008. 

  1008. 	add	x27,x1,x5
    1009. 

  1009. 	stp	x0,x10,[x29,#96]	// offload rp and &b[num]
    1010. 

  1010. 

  1011. 	ldr	x24,[x2,#8*0]		// b[0]
    1012. 

  1012. 	ldp	x6,x7,[x1,#8*0]	// a[0..3]
    1013. 

  1013. 	ldp	x8,x9,[x1,#8*2]
    1014. 

  1014. 	add	x1,x1,#8*4
    1015. 

  1015. 	mov	x19,xzr
    1016. 

  1016. 	mov	x20,xzr
    1017. 

  1017. 	mov	x21,xzr
    1018. 

  1018. 	mov	x22,xzr
    1019. 

  1019. 	ldp	x14,x15,[x3,#8*0]	// n[0..3]
    1020. 

  1020. 	ldp	x16,x17,[x3,#8*2]
    1021. 

  1021. 	adds	x3,x3,#8*4		// clear carry bit
    1022. 

  1022. 	mov	x0,xzr
    1023. 

  1023. 	mov	x28,#0
    1024. 

  1024. 	mov	x26,sp
    1025. 

  1025. 

  1026. .Loop_mul4x_1st_reduction:
    1027. 

  1027. 	mul	x10,x6,x24		// lo(a[0..3]*b[0])
    1028. 

  1028. 	adc	x0,x0,xzr	// modulo-scheduled
    1029. 

  1029. 	mul	x11,x7,x24
    1030. 

  1030. 	add	x28,x28,#8
    1031. 

  1031. 	mul	x12,x8,x24
    1032. 

  1032. 	and	x28,x28,#31
    1033. 

  1033. 	mul	x13,x9,x24
    1034. 

  1034. 	adds	x19,x19,x10
    1035. 

  1035. 	umulh	x10,x6,x24		// hi(a[0..3]*b[0])
    1036. 

  1036. 	adcs	x20,x20,x11
    1037. 

  1037. 	mul	x25,x19,x4		// t[0]*n0
    1038. 

  1038. 	adcs	x21,x21,x12
    1039. 

  1039. 	umulh	x11,x7,x24
    1040. 

  1040. 	adcs	x22,x22,x13
    1041. 

  1041. 	umulh	x12,x8,x24
    1042. 

  1042. 	adc	x23,xzr,xzr
    1043. 

  1043. 	umulh	x13,x9,x24
    1044. 

  1044. 	ldr	x24,[x2,x28]		// next b[i] (or b[0])
    1045. 

  1045. 	adds	x20,x20,x10
    1046. 

  1046. 	// (*)	mul	x10,x14,x25	// lo(n[0..3]*t[0]*n0)
    1047. 

  1047. 	str	x25,[x26],#8		// put aside t[0]*n0 for tail processing
    1048. 

  1048. 	adcs	x21,x21,x11
    1049. 

  1049. 	mul	x11,x15,x25
    1050. 

  1050. 	adcs	x22,x22,x12
    1051. 

  1051. 	mul	x12,x16,x25
    1052. 

  1052. 	adc	x23,x23,x13		// can't overflow
    1053. 

  1053. 	mul	x13,x17,x25
    1054. 

  1054. 	// (*)	adds	xzr,x19,x10
    1055. 

  1055. 	subs	xzr,x19,#1		// (*)
    1056. 

  1056. 	umulh	x10,x14,x25		// hi(n[0..3]*t[0]*n0)
    1057. 

  1057. 	adcs	x19,x20,x11
    1058. 

  1058. 	umulh	x11,x15,x25
    1059. 

  1059. 	adcs	x20,x21,x12
    1060. 

  1060. 	umulh	x12,x16,x25
    1061. 

  1061. 	adcs	x21,x22,x13
    1062. 

  1062. 	umulh	x13,x17,x25
    1063. 

  1063. 	adcs	x22,x23,x0
    1064. 

  1064. 	adc	x0,xzr,xzr
    1065. 

  1065. 	adds	x19,x19,x10
    1066. 

  1066. 	sub	x10,x27,x1
    1067. 

  1067. 	adcs	x20,x20,x11
    1068. 

  1068. 	adcs	x21,x21,x12
    1069. 

  1069. 	adcs	x22,x22,x13
    1070. 

  1070. 	//adc	x0,x0,xzr
    1071. 

  1071. 	cbnz	x28,.Loop_mul4x_1st_reduction
    1072. 

  1072. 

  1073. 	cbz	x10,.Lmul4x4_post_condition
    1074. 

  1074. 

  1075. 	ldp	x6,x7,[x1,#8*0]	// a[4..7]
    1076. 

  1076. 	ldp	x8,x9,[x1,#8*2]
    1077. 

  1077. 	add	x1,x1,#8*4
    1078. 

  1078. 	ldr	x25,[sp]		// a[0]*n0
    1079. 

  1079. 	ldp	x14,x15,[x3,#8*0]	// n[4..7]
    1080. 

  1080. 	ldp	x16,x17,[x3,#8*2]
    1081. 

  1081. 	add	x3,x3,#8*4
    1082. 

  1082. 

  1083. .Loop_mul4x_1st_tail:
    1084. 

  1084. 	mul	x10,x6,x24		// lo(a[4..7]*b[i])
    1085. 

  1085. 	adc	x0,x0,xzr	// modulo-scheduled
    1086. 

  1086. 	mul	x11,x7,x24
    1087. 

  1087. 	add	x28,x28,#8
    1088. 

  1088. 	mul	x12,x8,x24
    1089. 

  1089. 	and	x28,x28,#31
    1090. 

  1090. 	mul	x13,x9,x24
    1091. 

  1091. 	adds	x19,x19,x10
    1092. 

  1092. 	umulh	x10,x6,x24		// hi(a[4..7]*b[i])
    1093. 

  1093. 	adcs	x20,x20,x11
    1094. 

  1094. 	umulh	x11,x7,x24
    1095. 

  1095. 	adcs	x21,x21,x12
    1096. 

  1096. 	umulh	x12,x8,x24
    1097. 

  1097. 	adcs	x22,x22,x13
    1098. 

  1098. 	umulh	x13,x9,x24
    1099. 

  1099. 	adc	x23,xzr,xzr
    1100. 

  1100. 	ldr	x24,[x2,x28]		// next b[i] (or b[0])
    1101. 

  1101. 	adds	x20,x20,x10
    1102. 

  1102. 	mul	x10,x14,x25		// lo(n[4..7]*a[0]*n0)
    1103. 

  1103. 	adcs	x21,x21,x11
    1104. 

  1104. 	mul	x11,x15,x25
    1105. 

  1105. 	adcs	x22,x22,x12
    1106. 

  1106. 	mul	x12,x16,x25
    1107. 

  1107. 	adc	x23,x23,x13		// can't overflow
    1108. 

  1108. 	mul	x13,x17,x25
    1109. 

  1109. 	adds	x19,x19,x10
    1110. 

  1110. 	umulh	x10,x14,x25		// hi(n[4..7]*a[0]*n0)
    1111. 

  1111. 	adcs	x20,x20,x11
    1112. 

  1112. 	umulh	x11,x15,x25
    1113. 

  1113. 	adcs	x21,x21,x12
    1114. 

  1114. 	umulh	x12,x16,x25
    1115. 

  1115. 	adcs	x22,x22,x13
    1116. 

  1116. 	adcs	x23,x23,x0
    1117. 

  1117. 	umulh	x13,x17,x25
    1118. 

  1118. 	adc	x0,xzr,xzr
    1119. 

  1119. 	ldr	x25,[sp,x28]		// next t[0]*n0
    1120. 

  1120. 	str	x19,[x26],#8		// result!!!
    1121. 

  1121. 	adds	x19,x20,x10
    1122. 

  1122. 	sub	x10,x27,x1		// done yet?
    1123. 

  1123. 	adcs	x20,x21,x11
    1124. 

  1124. 	adcs	x21,x22,x12
    1125. 

  1125. 	adcs	x22,x23,x13
    1126. 

  1126. 	//adc	x0,x0,xzr
    1127. 

  1127. 	cbnz	x28,.Loop_mul4x_1st_tail
    1128. 

  1128. 

  1129. 	sub	x11,x27,x5	// rewinded x1
    1130. 

  1130. 	cbz	x10,.Lmul4x_proceed
    1131. 

  1131. 

  1132. 	ldp	x6,x7,[x1,#8*0]
    1133. 

  1133. 	ldp	x8,x9,[x1,#8*2]
    1134. 

  1134. 	add	x1,x1,#8*4
    1135. 

  1135. 	ldp	x14,x15,[x3,#8*0]
    1136. 

  1136. 	ldp	x16,x17,[x3,#8*2]
    1137. 

  1137. 	add	x3,x3,#8*4
    1138. 

  1138. 	b	.Loop_mul4x_1st_tail
    1139. 

  1139. 

  1140. .align	5
    1141. 

  1141. .Lmul4x_proceed:
    1142. 

  1142. 	ldr	x24,[x2,#8*4]!		// *++b
    1143. 

  1143. 	adc	x30,x0,xzr
    1144. 

  1144. 	ldp	x6,x7,[x11,#8*0]	// a[0..3]
    1145. 

  1145. 	sub	x3,x3,x5		// rewind np
    1146. 

  1146. 	ldp	x8,x9,[x11,#8*2]
    1147. 

  1147. 	add	x1,x11,#8*4
    1148. 

  1148. 

  1149. 	stp	x19,x20,[x26,#8*0]	// result!!!
    1150. 

  1150. 	ldp	x19,x20,[sp,#8*4]	// t[0..3]
    1151. 

  1151. 	stp	x21,x22,[x26,#8*2]	// result!!!
    1152. 

  1152. 	ldp	x21,x22,[sp,#8*6]
    1153. 

  1153. 

  1154. 	ldp	x14,x15,[x3,#8*0]	// n[0..3]
    1155. 

  1155. 	mov	x26,sp
    1156. 

  1156. 	ldp	x16,x17,[x3,#8*2]
    1157. 

  1157. 	adds	x3,x3,#8*4		// clear carry bit
    1158. 

  1158. 	mov	x0,xzr
    1159. 

  1159. 

  1160. .align	4
    1161. 

  1161. .Loop_mul4x_reduction:
    1162. 

  1162. 	mul	x10,x6,x24		// lo(a[0..3]*b[4])
    1163. 

  1163. 	adc	x0,x0,xzr	// modulo-scheduled
    1164. 

  1164. 	mul	x11,x7,x24
    1165. 

  1165. 	add	x28,x28,#8
    1166. 

  1166. 	mul	x12,x8,x24
    1167. 

  1167. 	and	x28,x28,#31
    1168. 

  1168. 	mul	x13,x9,x24
    1169. 

  1169. 	adds	x19,x19,x10
    1170. 

  1170. 	umulh	x10,x6,x24		// hi(a[0..3]*b[4])
    1171. 

  1171. 	adcs	x20,x20,x11
    1172. 

  1172. 	mul	x25,x19,x4		// t[0]*n0
    1173. 

  1173. 	adcs	x21,x21,x12
    1174. 

  1174. 	umulh	x11,x7,x24
    1175. 

  1175. 	adcs	x22,x22,x13
    1176. 

  1176. 	umulh	x12,x8,x24
    1177. 

  1177. 	adc	x23,xzr,xzr
    1178. 

  1178. 	umulh	x13,x9,x24
    1179. 

  1179. 	ldr	x24,[x2,x28]		// next b[i]
    1180. 

  1180. 	adds	x20,x20,x10
    1181. 

  1181. 	// (*)	mul	x10,x14,x25
    1182. 

  1182. 	str	x25,[x26],#8		// put aside t[0]*n0 for tail processing
    1183. 

  1183. 	adcs	x21,x21,x11
    1184. 

  1184. 	mul	x11,x15,x25		// lo(n[0..3]*t[0]*n0
    1185. 

  1185. 	adcs	x22,x22,x12
    1186. 

  1186. 	mul	x12,x16,x25
    1187. 

  1187. 	adc	x23,x23,x13		// can't overflow
    1188. 

  1188. 	mul	x13,x17,x25
    1189. 

  1189. 	// (*)	adds	xzr,x19,x10
    1190. 

  1190. 	subs	xzr,x19,#1		// (*)
    1191. 

  1191. 	umulh	x10,x14,x25		// hi(n[0..3]*t[0]*n0
    1192. 

  1192. 	adcs	x19,x20,x11
    1193. 

  1193. 	umulh	x11,x15,x25
    1194. 

  1194. 	adcs	x20,x21,x12
    1195. 

  1195. 	umulh	x12,x16,x25
    1196. 

  1196. 	adcs	x21,x22,x13
    1197. 

  1197. 	umulh	x13,x17,x25
    1198. 

  1198. 	adcs	x22,x23,x0
    1199. 

  1199. 	adc	x0,xzr,xzr
    1200. 

  1200. 	adds	x19,x19,x10
    1201. 

  1201. 	adcs	x20,x20,x11
    1202. 

  1202. 	adcs	x21,x21,x12
    1203. 

  1203. 	adcs	x22,x22,x13
    1204. 

  1204. 	//adc	x0,x0,xzr
    1205. 

  1205. 	cbnz	x28,.Loop_mul4x_reduction
    1206. 

  1206. 

  1207. 	adc	x0,x0,xzr
    1208. 

  1208. 	ldp	x10,x11,[x26,#8*4]	// t[4..7]
    1209. 

  1209. 	ldp	x12,x13,[x26,#8*6]
    1210. 

  1210. 	ldp	x6,x7,[x1,#8*0]	// a[4..7]
    1211. 

  1211. 	ldp	x8,x9,[x1,#8*2]
    1212. 

  1212. 	add	x1,x1,#8*4
    1213. 

  1213. 	adds	x19,x19,x10
    1214. 

  1214. 	adcs	x20,x20,x11
    1215. 

  1215. 	adcs	x21,x21,x12
    1216. 

  1216. 	adcs	x22,x22,x13
    1217. 

  1217. 	//adc	x0,x0,xzr
    1218. 

  1218. 

  1219. 	ldr	x25,[sp]		// t[0]*n0
    1220. 

  1220. 	ldp	x14,x15,[x3,#8*0]	// n[4..7]
    1221. 

  1221. 	ldp	x16,x17,[x3,#8*2]
    1222. 

  1222. 	add	x3,x3,#8*4
    1223. 

  1223. 

  1224. .align	4
    1225. 

  1225. .Loop_mul4x_tail:
    1226. 

  1226. 	mul	x10,x6,x24		// lo(a[4..7]*b[4])
    1227. 

  1227. 	adc	x0,x0,xzr	// modulo-scheduled
    1228. 

  1228. 	mul	x11,x7,x24
    1229. 

  1229. 	add	x28,x28,#8
    1230. 

  1230. 	mul	x12,x8,x24
    1231. 

  1231. 	and	x28,x28,#31
    1232. 

  1232. 	mul	x13,x9,x24
    1233. 

  1233. 	adds	x19,x19,x10
    1234. 

  1234. 	umulh	x10,x6,x24		// hi(a[4..7]*b[4])
    1235. 

  1235. 	adcs	x20,x20,x11
    1236. 

  1236. 	umulh	x11,x7,x24
    1237. 

  1237. 	adcs	x21,x21,x12
    1238. 

  1238. 	umulh	x12,x8,x24
    1239. 

  1239. 	adcs	x22,x22,x13
    1240. 

  1240. 	umulh	x13,x9,x24
    1241. 

  1241. 	adc	x23,xzr,xzr
    1242. 

  1242. 	ldr	x24,[x2,x28]		// next b[i]
    1243. 

  1243. 	adds	x20,x20,x10
    1244. 

  1244. 	mul	x10,x14,x25		// lo(n[4..7]*t[0]*n0)
    1245. 

  1245. 	adcs	x21,x21,x11
    1246. 

  1246. 	mul	x11,x15,x25
    1247. 

  1247. 	adcs	x22,x22,x12
    1248. 

  1248. 	mul	x12,x16,x25
    1249. 

  1249. 	adc	x23,x23,x13		// can't overflow
    1250. 

  1250. 	mul	x13,x17,x25
    1251. 

  1251. 	adds	x19,x19,x10
    1252. 

  1252. 	umulh	x10,x14,x25		// hi(n[4..7]*t[0]*n0)
    1253. 

  1253. 	adcs	x20,x20,x11
    1254. 

  1254. 	umulh	x11,x15,x25
    1255. 

  1255. 	adcs	x21,x21,x12
    1256. 

  1256. 	umulh	x12,x16,x25
    1257. 

  1257. 	adcs	x22,x22,x13
    1258. 

  1258. 	umulh	x13,x17,x25
    1259. 

  1259. 	adcs	x23,x23,x0
    1260. 

  1260. 	ldr	x25,[sp,x28]		// next a[0]*n0
    1261. 

  1261. 	adc	x0,xzr,xzr
    1262. 

  1262. 	str	x19,[x26],#8		// result!!!
    1263. 

  1263. 	adds	x19,x20,x10
    1264. 

  1264. 	sub	x10,x27,x1		// done yet?
    1265. 

  1265. 	adcs	x20,x21,x11
    1266. 

  1266. 	adcs	x21,x22,x12
    1267. 

  1267. 	adcs	x22,x23,x13
    1268. 

  1268. 	//adc	x0,x0,xzr
    1269. 

  1269. 	cbnz	x28,.Loop_mul4x_tail
    1270. 

  1270. 

  1271. 	sub	x11,x3,x5		// rewinded np?
    1272. 

  1272. 	adc	x0,x0,xzr
    1273. 

  1273. 	cbz	x10,.Loop_mul4x_break
    1274. 

  1274. 

  1275. 	ldp	x10,x11,[x26,#8*4]
    1276. 

  1276. 	ldp	x12,x13,[x26,#8*6]
    1277. 

  1277. 	ldp	x6,x7,[x1,#8*0]
    1278. 

  1278. 	ldp	x8,x9,[x1,#8*2]
    1279. 

  1279. 	add	x1,x1,#8*4
    1280. 

  1280. 	adds	x19,x19,x10
    1281. 

  1281. 	adcs	x20,x20,x11
    1282. 

  1282. 	adcs	x21,x21,x12
    1283. 

  1283. 	adcs	x22,x22,x13
    1284. 

  1284. 	//adc	x0,x0,xzr
    1285. 

  1285. 	ldp	x14,x15,[x3,#8*0]
    1286. 

  1286. 	ldp	x16,x17,[x3,#8*2]
    1287. 

  1287. 	add	x3,x3,#8*4
    1288. 

  1288. 	b	.Loop_mul4x_tail
    1289. 

  1289. 

  1290. .align	4
    1291. 

  1291. .Loop_mul4x_break:
    1292. 

  1292. 	ldp	x12,x13,[x29,#96]	// pull rp and &b[num]
    1293. 

  1293. 	adds	x19,x19,x30
    1294. 

  1294. 	add	x2,x2,#8*4		// bp++
    1295. 

  1295. 	adcs	x20,x20,xzr
    1296. 

  1296. 	sub	x1,x1,x5		// rewind ap
    1297. 

  1297. 	adcs	x21,x21,xzr
    1298. 

  1298. 	stp	x19,x20,[x26,#8*0]	// result!!!
    1299. 

  1299. 	adcs	x22,x22,xzr
    1300. 

  1300. 	ldp	x19,x20,[sp,#8*4]	// t[0..3]
    1301. 

  1301. 	adc	x30,x0,xzr
    1302. 

  1302. 	stp	x21,x22,[x26,#8*2]	// result!!!
    1303. 

  1303. 	cmp	x2,x13			// done yet?
    1304. 

  1304. 	ldp	x21,x22,[sp,#8*6]
    1305. 

  1305. 	ldp	x14,x15,[x11,#8*0]	// n[0..3]
    1306. 

  1306. 	ldp	x16,x17,[x11,#8*2]
    1307. 

  1307. 	add	x3,x11,#8*4
    1308. 

  1308. 	b.eq	.Lmul4x_post
    1309. 

  1309. 

  1310. 	ldr	x24,[x2]
    1311. 

  1311. 	ldp	x6,x7,[x1,#8*0]	// a[0..3]
    1312. 

  1312. 	ldp	x8,x9,[x1,#8*2]
    1313. 

  1313. 	adds	x1,x1,#8*4		// clear carry bit
    1314. 

  1314. 	mov	x0,xzr
    1315. 

  1315. 	mov	x26,sp
    1316. 

  1316. 	b	.Loop_mul4x_reduction
    1317. 

  1317. 

  1318. .align	4
    1319. 

  1319. .Lmul4x_post:
    1320. 

  1320. 	// Final step. We see if result is larger than modulus, and
    1321. 

  1321. 	// if it is, subtract the modulus. But comparison implies
    1322. 

  1322. 	// subtraction. So we subtract modulus, see if it borrowed,
    1323. 

  1323. 	// and conditionally copy original value.
    1324. 

  1324. 	mov	x0,x12
    1325. 

  1325. 	mov	x27,x12		// x0 copy
    1326. 

  1326. 	subs	x10,x19,x14
    1327. 

  1327. 	add	x26,sp,#8*8
    1328. 

  1328. 	sbcs	x11,x20,x15
    1329. 

  1329. 	sub	x28,x5,#8*4
    1330. 

  1330. 

  1331. .Lmul4x_sub:
    1332. 

  1332. 	sbcs	x12,x21,x16
    1333. 

  1333. 	ldp	x14,x15,[x3,#8*0]
    1334. 

  1334. 	sub	x28,x28,#8*4
    1335. 

  1335. 	ldp	x19,x20,[x26,#8*0]
    1336. 

  1336. 	sbcs	x13,x22,x17
    1337. 

  1337. 	ldp	x16,x17,[x3,#8*2]
    1338. 

  1338. 	add	x3,x3,#8*4
    1339. 

  1339. 	ldp	x21,x22,[x26,#8*2]
    1340. 

  1340. 	add	x26,x26,#8*4
    1341. 

  1341. 	stp	x10,x11,[x0,#8*0]
    1342. 

  1342. 	sbcs	x10,x19,x14
    1343. 

  1343. 	stp	x12,x13,[x0,#8*2]
    1344. 

  1344. 	add	x0,x0,#8*4
    1345. 

  1345. 	sbcs	x11,x20,x15
    1346. 

  1346. 	cbnz	x28,.Lmul4x_sub
    1347. 

  1347. 

  1348. 	sbcs	x12,x21,x16
    1349. 

  1349. 	mov	x26,sp
    1350. 

  1350. 	add	x1,sp,#8*4
    1351. 

  1351. 	ldp	x6,x7,[x27,#8*0]
    1352. 

  1352. 	sbcs	x13,x22,x17
    1353. 

  1353. 	stp	x10,x11,[x0,#8*0]
    1354. 

  1354. 	ldp	x8,x9,[x27,#8*2]
    1355. 

  1355. 	stp	x12,x13,[x0,#8*2]
    1356. 

  1356. 	ldp	x19,x20,[x1,#8*0]
    1357. 

  1357. 	ldp	x21,x22,[x1,#8*2]
    1358. 

  1358. 	sbcs	xzr,x30,xzr	// did it borrow?
    1359. 

  1359. 	ldr	x30,[x29,#8]		// pull return address
    1360. 

  1360. 

  1361. 	sub	x28,x5,#8*4
    1362. 

  1362. .Lmul4x_cond_copy:
    1363. 

  1363. 	sub	x28,x28,#8*4
    1364. 

  1364. 	csel	x10,x19,x6,lo
    1365. 

  1365. 	stp	xzr,xzr,[x26,#8*0]
    1366. 

  1366. 	csel	x11,x20,x7,lo
    1367. 

  1367. 	ldp	x6,x7,[x27,#8*4]
    1368. 

  1368. 	ldp	x19,x20,[x1,#8*4]
    1369. 

  1369. 	csel	x12,x21,x8,lo
    1370. 

  1370. 	stp	xzr,xzr,[x26,#8*2]
    1371. 

  1371. 	add	x26,x26,#8*4
    1372. 

  1372. 	csel	x13,x22,x9,lo
    1373. 

  1373. 	ldp	x8,x9,[x27,#8*6]
    1374. 

  1374. 	ldp	x21,x22,[x1,#8*6]
    1375. 

  1375. 	add	x1,x1,#8*4
    1376. 

  1376. 	stp	x10,x11,[x27,#8*0]
    1377. 

  1377. 	stp	x12,x13,[x27,#8*2]
    1378. 

  1378. 	add	x27,x27,#8*4
    1379. 

  1379. 	cbnz	x28,.Lmul4x_cond_copy
    1380. 

  1380. 

  1381. 	csel	x10,x19,x6,lo
    1382. 

  1382. 	stp	xzr,xzr,[x26,#8*0]
    1383. 

  1383. 	csel	x11,x20,x7,lo
    1384. 

  1384. 	stp	xzr,xzr,[x26,#8*2]
    1385. 

  1385. 	csel	x12,x21,x8,lo
    1386. 

  1386. 	stp	xzr,xzr,[x26,#8*3]
    1387. 

  1387. 	csel	x13,x22,x9,lo
    1388. 

  1388. 	stp	xzr,xzr,[x26,#8*4]
    1389. 

  1389. 	stp	x10,x11,[x27,#8*0]
    1390. 

  1390. 	stp	x12,x13,[x27,#8*2]
    1391. 

  1391. 

  1392. 	b	.Lmul4x_done
    1393. 

  1393. 

  1394. .align	4
    1395. 

  1395. .Lmul4x4_post_condition:
    1396. 

  1396. 	adc	x0,x0,xzr
    1397. 

  1397. 	ldr	x1,[x29,#96]		// pull rp
    1398. 

  1398. 	// x19-3,x0 hold result, x14-7 hold modulus
    1399. 

  1399. 	subs	x6,x19,x14
    1400. 

  1400. 	ldr	x30,[x29,#8]		// pull return address
    1401. 

  1401. 	sbcs	x7,x20,x15
    1402. 

  1402. 	stp	xzr,xzr,[sp,#8*0]
    1403. 

  1403. 	sbcs	x8,x21,x16
    1404. 

  1404. 	stp	xzr,xzr,[sp,#8*2]
    1405. 

  1405. 	sbcs	x9,x22,x17
    1406. 

  1406. 	stp	xzr,xzr,[sp,#8*4]
    1407. 

  1407. 	sbcs	xzr,x0,xzr		// did it borrow?
    1408. 

  1408. 	stp	xzr,xzr,[sp,#8*6]
    1409. 

  1409. 

  1410. 	// x6-3 hold result-modulus
    1411. 

  1411. 	csel	x6,x19,x6,lo
    1412. 

  1412. 	csel	x7,x20,x7,lo
    1413. 

  1413. 	csel	x8,x21,x8,lo
    1414. 

  1414. 	csel	x9,x22,x9,lo
    1415. 

  1415. 	stp	x6,x7,[x1,#8*0]
    1416. 

  1416. 	stp	x8,x9,[x1,#8*2]
    1417. 

  1417. 

  1418. .Lmul4x_done:
    1419. 

  1419. 	ldp	x19,x20,[x29,#16]
    1420. 

  1420. 	mov	sp,x29
    1421. 

  1421. 	ldp	x21,x22,[x29,#32]
    1422. 

  1422. 	mov	x0,#1
    1423. 

  1423. 	ldp	x23,x24,[x29,#48]
    1424. 

  1424. 	ldp	x25,x26,[x29,#64]
    1425. 

  1425. 	ldp	x27,x28,[x29,#80]
    1426. 

  1426. 	ldr	x29,[sp],#128
    1427. 

  1427. 	// x30 is popped earlier
    1428. 

  1428. 	AARCH64_VALIDATE_LINK_REGISTER
    1429. 

  1429. 	ret
    1430. 

  1430. .size	__bn_mul4x_mont,.-__bn_mul4x_mont
    1431. 

  1431. .byte	77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
    1432. 

  1432. .align	2
    1433. 

  1433. .align	4
    1434. 

  1434. #endif
    1435. 

  1435. #endif  // !OPENSSL_NO_ASM
    1436. 

  1436. .section	.note.GNU-stack,"",%progbits
    1437.