aes.asm 8.74 KB
Newer Older
1
! -*- mode: asm; asm-comment-char: ?!; -*-  
Niels Möller's avatar
Niels Möller committed
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
! nettle, low-level cryptographics library
! 
! Copyright (C) 2002 Niels Mller
!  
! The nettle library is free software; you can redistribute it and/or modify
! it under the terms of the GNU Lesser General Public License as published by
! the Free Software Foundation; either version 2.1 of the License, or (at your
! option) any later version.
! 
! The nettle library is distributed in the hope that it will be useful, but
! WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
! License for more details.
! 
! You should have received a copy of the GNU Lesser General Public License
! along with the nettle library; see the file COPYING.LIB.  If not, write to
! the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
! MA 02111-1307, USA.

21
22
! NOTE: Some of the %g registers are reserved for operating system etc
! (see gcc/config/sparc.h). We should use only %g1-%g3 to be safe.
Niels Möller's avatar
Niels Möller committed
23
	
24
	! Used registers:	%l0,1,2,3,4,6,7
25
	!			%i0,1,2,3,4 (%i6=%fp, %i7 = return)
26
27
	!			%o0,1,2,,4,7 (%o6=%sp)
	!			%g5
Niels Möller's avatar
Niels Möller committed
28
	
29
	.file	"aes.asm"
Niels Möller's avatar
Niels Möller committed
30
	
31
! Arguments
32
define(ctx, %i0)
33
define(T, %i1)
34
define(length, %i2)
35
define(dst, %i3)
36
define(src, %i4)
37

38
! Loop invariants
39
define(wtxt, %l0)
40
define(tmp, %l1)
41
define(diff, %l2)
42
define(nrounds, %l3)
43
44

! Loop variables
45
define(round, %l4)
46
define(key, %o4)
47

48
49
50
! Further loop invariants
define(T0, %l6)
define(T1, %l7)
51
define(T2, %g5)
52
define(T3, %o7)
53
54

C IDX1 cointains the permutation values * 4 + 2
55
define(IDX1, <T + AES_SIDX1 >)
56
C IDX3 cointains the permutation values * 4
57
define(IDX3, <T + AES_SIDX3 >)
58

59
! Teporaries
60
define(t0, %o0)
61
define(t1, %o1)
62
define(t2, %o2)
63

64
65
66
C AES_LOAD(i)
C Get one word of input, XOR with first subkey, store in wtxt
define(<AES_LOAD>, <
67
68
	ldub	[src+$1], t0
	ldub	[src+$1+1], t1
69
	ldub	[src+$1+2], t2
70
	sll	t1, 8, t1
Niels Möller's avatar
Niels Möller committed
71
	
72
	or	t0, t1, t0	
73
	ldub	[src+$1+3], t1
74
	sll	t2, 16, t2
Niels Möller's avatar
Niels Möller committed
75
	or	t0, t2, t0
76
	
Niels Möller's avatar
Niels Möller committed
77
	sll	t1, 24, t1
78
	! Get subkey
79
	ld	[ctx + $1], t2
Niels Möller's avatar
Niels Möller committed
80
	or	t0, t1, t0
81
	xor	t0, t2, t0
82
	
Niels Möller's avatar
Niels Möller committed
83
	st	t0, [wtxt+$1]>)dnl
84

Niels Möller's avatar
Niels Möller committed
85
86
87
88
89
90
91
92
93
C AES_ROUND(i)
C Compute one word in the round function. 
C Input in wtxt, output stored in tmp + i.
C
C The comments mark which j in T->table[j][ Bj(wtxt[IDXi(i)]) ]
C the instruction is a part of. 
C
C The code uses the register %o[j], aka tj, as the primary 
C register for that sub-expression. True for j==1,3.
94
95
define(<AES_ROUND>, <
	ld	[IDX1+$1], t1		! 1
96
	ldub	[wtxt+$1+3], t0		! 0
97
	ldub	[wtxt+t1], t1		! 1
98
	sll	t0, 2, t0		! 0
99
	
100
	ld	[T0+t0], t0		! 0
101
	sll	t1, 2, t1		! 1
102
	ld	[T1+t1], t1		! 1
103
	ld	[IDX3+$1], t2		! 3
104
105
	
	xor	t0, t1, t0		! 0, 1
106
	! IDX2(j) = j XOR 2
107
108
109
	ldub	[wtxt+eval($1 ^ 8)+1], t1	! 2
	ldub	[wtxt+t2], t2		! 3
	sll	t1, 2, t1		! 2
110
	
111
112
113
114
	ld	[T2+t1], t1		! 2
	sll	t2, 2, t2		! 3
	ld	[T3+t2], t2		! 3
	xor	t0, t1, t0		! 0, 1, 2
115
	
116
117
	! Fetch roundkey
	ld	[key + $1], t1
118
	xor	t0, t2, t0		! 0, 1, 2, 3
119
	xor	t0, t1, t0
120
	st	t0, [tmp + $1]>)dnl
Niels Möller's avatar
Niels Möller committed
121
122
123

C AES_FINAL_ROUND(i)
C Compute one word in the final round function. 
124
C Input in wtxt, output converted to an octet string and stored at dst. 
Niels Möller's avatar
Niels Möller committed
125
126
127
128
129
C
C The comments mark which j in T->table[j][ Bj(wtxt[IDXi(i)]) ]
C the instruction is a part of. 
define(<AES_FINAL_ROUND>, <
	ld	[IDX1+$1], t1		! 1
130
	ldub	[wtxt+$1+3], t0		! 0
Niels Möller's avatar
Niels Möller committed
131
	ldub	[wtxt+t1], t1		! 1
132
	ldub	[T+t0], t0		! 0
133
	
134
	ldub	[T+t1], t1		! 1
135
	ld	[IDX3 + $1], t2		! 3
136
137
138
	sll	t1, 8, t1		! 1
	or	t0, t1, t0		! 0, 1
	
Niels Möller's avatar
Niels Möller committed
139
	! IDX2(j) = j XOR 2
140
	ldub	[wtxt+eval($1 ^ 8)+1], t1	! 2
141
	ldub	[wtxt+t2], t2		! 3
142
	ldub	[T+t1], t1		! 2
143
	ldub	[T+t2], t2		! 3
Niels Möller's avatar
Niels Möller committed
144
	
145
146
147
148
	sll	t1, 16, t1		! 2
	or	t0, t1, t0		! 0, 1, 2
	sll	t2, 24, t2		! 3
	ld	[key + $1], t1
Niels Möller's avatar
Niels Möller committed
149
	
150
151
152
153
	or	t0, t2, t0		! 0, 1, 2, 3
	xor	t0, t1, t0
	srl	t0, 24, t1
	stb	t1, [dst+$1+3]
Niels Möller's avatar
Niels Möller committed
154
	
155
156
	srl	t0, 16, t1
	stb	t1, [dst+$1+2]
Niels Möller's avatar
Niels Möller committed
157
	srl	t0, 8, t1
158
	stb	t1, [dst+$1+1]
Niels Möller's avatar
Niels Möller committed
159
	
160
	stb	t0, [dst+$1]>)dnl
161
	
162
163
164
165
166
167
168
169
C The stack frame looks like
C
C %fp -   4: OS-dependent link field
C %fp -   8: OS-dependent link field
C %fp -  24: tmp, uint32_t[4]
C %fp -  40: wtxt, uint32_t[4]
C %fp - 136: OS register save area. 
define(<FRAME_SIZE>, 136)
170

171
172
173
174
175
176
	.section	".text"
	.align 16
	.global _aes_crypt
	.type	_aes_crypt,#function
	.proc	020
	
177
_aes_crypt:
178
	save	%sp, -FRAME_SIZE, %sp
179
	cmp	length, 0
180
	be	.Lend
181
182
183
184
	! wtxt
	add	%fp, -24, wtxt
	
	add	%fp, -40, tmp
185

186
	ld	[ctx + AES_NROUNDS], nrounds
187
188
	! Compute xor, so that we can swap efficiently.
	xor	wtxt, tmp, diff
189
	! The loop variable will be multiplied by 16.
190
191
	! More loop invariants
	add	T, AES_TABLE0, T0
Niels Möller's avatar
Niels Möller committed
192
	
193
	add	T, AES_TABLE1, T1
194
195
	add	T, AES_TABLE2, T2
	add	T, AES_TABLE3, T3
Niels Möller's avatar
Niels Möller committed
196
	
197
.Lblock_loop:
198
	C  Read src, and add initial subkey
199
200
201
202
	AES_LOAD(0)	! i = 0
	AES_LOAD(4)	! i = 1
	AES_LOAD(8)	! i = 2
	AES_LOAD(12)	! i = 3
203
	add	src, 16, src
204

205
	sub	nrounds, 1, round
206
	add	ctx, 16, key
Niels Möller's avatar
Niels Möller committed
207

208
.Lround_loop:
209

Niels Möller's avatar
Niels Möller committed
210
211
212
213
	AES_ROUND(0)	! i = 0
	AES_ROUND(4)	! i = 1
	AES_ROUND(8)	! i = 2
	AES_ROUND(12)	! i = 3
214
			
215
	! switch roles for tmp and wtxt
216
	xor	wtxt, diff, wtxt
217
	xor	tmp, diff, tmp
218

219
	subcc	round, 1, round
220
	bne	.Lround_loop
Niels Möller's avatar
Niels Möller committed
221
	add	key, 16, key
222

223
	C Final round, and storage of the output
224

Niels Möller's avatar
Niels Möller committed
225
	AES_FINAL_ROUND(0)	! i = 0
Niels Möller's avatar
Niels Möller committed
226
227
228
	AES_FINAL_ROUND(4)	! i = 1
	AES_FINAL_ROUND(8)	! i = 2
	AES_FINAL_ROUND(12)	! i = 3
229
		
230
	addcc	length, -16, length
231
	
232
	bne	.Lblock_loop
233
	add	dst, 16, dst
234

235
.Lend:
236
237
	ret
	restore
238
239
240
241
.LLFE1:
.LLfe1:
	.size	_aes_crypt,.LLfe1-_aes_crypt

242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
	! Benchmarks on my slow sparcstation:	
	! Original C code	
	! aes128 (ECB encrypt): 14.36s, 0.696MB/s
	! aes128 (ECB decrypt): 17.19s, 0.582MB/s
	! aes128 (CBC encrypt): 16.08s, 0.622MB/s
	! aes128 ((CBC decrypt)): 18.79s, 0.532MB/s
	! 
	! aes192 (ECB encrypt): 16.85s, 0.593MB/s
	! aes192 (ECB decrypt): 19.64s, 0.509MB/s
	! aes192 (CBC encrypt): 18.43s, 0.543MB/s
	! aes192 (CBC decrypt): 20.76s, 0.482MB/s
	! 
	! aes256 (ECB encrypt): 19.12s, 0.523MB/s
	! aes256 (ECB decrypt): 22.57s, 0.443MB/s
	! aes256 (CBC encrypt): 20.92s, 0.478MB/s
	! aes256 (CBC decrypt): 23.22s, 0.431MB/s

	! After unrolling key_addition32, and getting rid of
	! some sll x, 2, x, encryption speed is 0.760 MB/s.

	! Next, the C code was optimized to use larger tables and
	! no rotates. New timings:
	! aes128 (ECB encrypt): 13.10s, 0.763MB/s
	! aes128 (ECB decrypt): 11.51s, 0.869MB/s
	! aes128 (CBC encrypt): 15.15s, 0.660MB/s
	! aes128 (CBC decrypt): 13.10s, 0.763MB/s
	! 
	! aes192 (ECB encrypt): 15.68s, 0.638MB/s
	! aes192 (ECB decrypt): 13.59s, 0.736MB/s
	! aes192 (CBC encrypt): 17.65s, 0.567MB/s
	! aes192 (CBC decrypt): 15.31s, 0.653MB/s
	! 
	! aes256 (ECB encrypt): 17.95s, 0.557MB/s
	! aes256 (ECB decrypt): 15.90s, 0.629MB/s
	! aes256 (CBC encrypt): 20.16s, 0.496MB/s
	! aes256 (CBC decrypt): 17.47s, 0.572MB/s

	! After optimization using pre-shifted indices
	! (AES_SIDX[1-3]): 
	! aes128 (ECB encrypt): 12.46s, 0.803MB/s
	! aes128 (ECB decrypt): 10.74s, 0.931MB/s
	! aes128 (CBC encrypt): 17.74s, 0.564MB/s
	! aes128 (CBC decrypt): 12.43s, 0.805MB/s
	! 
	! aes192 (ECB encrypt): 14.59s, 0.685MB/s
	! aes192 (ECB decrypt): 12.76s, 0.784MB/s
	! aes192 (CBC encrypt): 19.97s, 0.501MB/s
	! aes192 (CBC decrypt): 14.46s, 0.692MB/s
	! 
	! aes256 (ECB encrypt): 17.00s, 0.588MB/s
	! aes256 (ECB decrypt): 14.81s, 0.675MB/s
	! aes256 (CBC encrypt): 22.65s, 0.442MB/s
	! aes256 (CBC decrypt): 16.46s, 0.608MB/s
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

	! After implementing double buffering
	! aes128 (ECB encrypt): 12.59s, 0.794MB/s
	! aes128 (ECB decrypt): 10.56s, 0.947MB/s
	! aes128 (CBC encrypt): 17.91s, 0.558MB/s
	! aes128 (CBC decrypt): 12.30s, 0.813MB/s
	! 
	! aes192 (ECB encrypt): 15.03s, 0.665MB/s
	! aes192 (ECB decrypt): 12.56s, 0.796MB/s
	! aes192 (CBC encrypt): 20.30s, 0.493MB/s
	! aes192 (CBC decrypt): 14.26s, 0.701MB/s
	! 
	! aes256 (ECB encrypt): 17.30s, 0.578MB/s
	! aes256 (ECB decrypt): 14.51s, 0.689MB/s
	! aes256 (CBC encrypt): 22.75s, 0.440MB/s
	! aes256 (CBC decrypt): 16.35s, 0.612MB/s
	
	! After reordering aes-encrypt.c and aes-decypt.c
	! (the order probably causes strange cache-effects):
	! aes128 (ECB encrypt): 9.21s, 1.086MB/s
	! aes128 (ECB decrypt): 11.13s, 0.898MB/s
	! aes128 (CBC encrypt): 14.12s, 0.708MB/s
	! aes128 (CBC decrypt): 13.77s, 0.726MB/s
	! 
	! aes192 (ECB encrypt): 10.86s, 0.921MB/s
	! aes192 (ECB decrypt): 13.17s, 0.759MB/s
	! aes192 (CBC encrypt): 15.74s, 0.635MB/s
	! aes192 (CBC decrypt): 15.91s, 0.629MB/s
	! 
	! aes256 (ECB encrypt): 12.71s, 0.787MB/s
	! aes256 (ECB decrypt): 15.38s, 0.650MB/s
	! aes256 (CBC encrypt): 17.49s, 0.572MB/s
	! aes256 (CBC decrypt): 17.87s, 0.560MB/s
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345

	! After further optimizations of the initial and final loops,
	! source_loop and final_loop. 
	! aes128 (ECB encrypt): 8.07s, 1.239MB/s
	! aes128 (ECB decrypt): 9.48s, 1.055MB/s
	! aes128 (CBC encrypt): 12.76s, 0.784MB/s
	! aes128 (CBC decrypt): 12.15s, 0.823MB/s
	! 
	! aes192 (ECB encrypt): 9.43s, 1.060MB/s
	! aes192 (ECB decrypt): 11.20s, 0.893MB/s
	! aes192 (CBC encrypt): 14.19s, 0.705MB/s
	! aes192 (CBC decrypt): 13.97s, 0.716MB/s
	! 
	! aes256 (ECB encrypt): 10.81s, 0.925MB/s
	! aes256 (ECB decrypt): 12.92s, 0.774MB/s
	! aes256 (CBC encrypt): 15.59s, 0.641MB/s
	! aes256 (CBC decrypt): 15.76s, 0.635MB/s