Commit 60dfd8d4 authored by Niels Möller's avatar Niels Möller
Browse files

Cleanup, removing old cruft. Slight improvement to ROUND_F1_NOEXP.

Rev: nettle/x86/sha1-compress.asm:1.8
parent d8e65e43
......@@ -26,7 +26,6 @@ define(<SE>,<%ebp>)
define(<T2>,<%esi>) C Used by SWAP
define(<KVALUE>,<%esi>) C Used by rounds
C Constants
define(<K1VALUE>, <0x5A827999>) C Rounds 0-19
......@@ -42,23 +41,6 @@ define(<SWAP>, <
movl $2, OFFSET($1) (DATA)
C expand(i) is the expansion function
C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1
C where W[i] is stored in DATA[i mod 16].
C Result is stored back in W[i], and also left in T1, the only
C register that is used.
define(<EXPAND>, <
movl OFFSET(eval($1 % 16)) (DATA), T1
xorl OFFSET(eval(($1 + 2) % 16)) (DATA), T1
xorl OFFSET(eval(($1 + 8) % 16)) (DATA), T1
xorl OFFSET(eval(($1 + 13) % 16)) (DATA), T1
roll <$>1, T1
movl T1, OFFSET(eval($1 % 16)) (DATA)>)dnl
define(<NOEXPAND>, <OFFSET($1) (DATA)>)dnl
C The f functions,
C f1(x,y,z) = z ^ (x & (y ^ z))
......@@ -103,18 +85,18 @@ define(<ROUND_F1>, <
add T2, $5
C FIXME: Seems to be a slow sequence.
dnl ROUND_F1_NOEXP(a, b, c, d, e, i)
define(<ROUND_F1_NOEXP>, <
mov $4, T2
xor $3, T2
mov $1, T1
and $2, T2
add OFFSET($6) (DATA), $5
xor $4, T2
add OFFSET($6) (DATA), T2
add T2, $5
rol <$>30, $2
mov $1, T1
rol <$>5, T1
lea K1VALUE (T1, $5), $5
add T2, $5
dnl ROUND_F2(a, b, c, d, e, i, k)
......@@ -158,11 +140,6 @@ define(<ROUND_F3>, <
add T2, $5
C As suggested by George Spelvin, write the F3 function as
C (x&y) | (y&z) | (x&z) == (x & (y^z)) + (y&z). Then, we can compute
C and add each term to e, using a single temporary.
.file "sha1-compress.asm"
C _nettle_sha1_compress(uint32_t *state, uint8_t *data)
......@@ -179,7 +156,6 @@ PROLOGUE(_nettle_sha1_compress)
pushl %esi C 68(%esp)
pushl %edi C 64(%esp)
C FIXME: Trim to 64
subl $64, %esp C %esp = W
C Load and byteswap data
......@@ -309,121 +285,3 @@ PROLOGUE(_nettle_sha1_compress)
popl %ebx
C George Spelvin also suggested using lea, with an immediate offset
C for the magic constants. This frees one register, which can be used
C for loosen up dependencies and to more operations in parallel. For
C example, take the rounds involving f2, the simplest round function.
C Currently, we have
C movl 16(%esp), T1
C xorl 24(%esp), T1
C xorl 48(%esp), T1
C xorl 4(%esp), T1
C roll $1, T1
C movl T1, 16(%esp)
C addl KVALUE, SE C 0
C addl T1, SE C 1
C movl SB, T1 C 0
C xorl SC, T1 C 1
C xorl SD, T1 C 2
C addl T1, SE C 3
C movl SA, T1 C 0
C roll $5, T1 C 1
C addl T1, SE C 4
C roll $30, SB C 0
C These 16 instructions could be executed in 5.33 cycles if there were
C no dependencies. The crucial dependencies are from (previous) SE to
C use SA, and (previous) result SB to use SC. (What does this say
C about recurrency chain? Ought to unroll 5 times to see it).
C It would be preferable to accumulate the terms in two or more
C registers, to make dependencies shallower. Something like
C ...expand, put data in W
C movl SD, T1 C 0
C leal K1VALUE(SE, W), SE C 0
C movl SA, T2 C 0
C xorl SC, T1 C 1
C roll $5, T2 C 1
C xorl SB, T1 C 2
C addl T2, T1 C 3
C addl T1, SE C 4
C a + b + c + d + e = ((((a + b) + c) + d) + e), latency 4
C a + b + c + d + e = ((a + b) + c) + (d + e)
C the out-of-order execution. Next iteration
C ...expand...
C roll $1, T1 C 4
C movl T1, 16(%esp) C 5
C addl KVALUE, SD C 0
C addl T1, SD C 5
C movl SA, T1 C 0
C xorl SB, T1 C 1
C xorl SC, T1 C 2
C addl T1, SD C 6
C movl SE, T1 C 8
C roll $5, T1 C 9
C addl T1, SD C 7
C roll $30, SA C 0
C Lets look at the latency. Next iteration will operate on (E, A, B, C, D), so we have recurrencies:
C from result SA to use of SE (none, SA not modified)
C from result of SB to use of SA, result of SC to use of SB
C It's possible to shave of half of the stores to tmp in the evaluation of f3,
C although it's probably not worth the effort. This is the trick:
C round(a,b,c,d,e,f,k) modifies only b,e.
C round(a,b,c,d,e,f3,k)
C round(e,a,b,c,d,f3,k)
C ; f3(b,c,d) = (b & c) | (d & (b | c))
C movl b, tmp
C andl c, tmp
C movl tmp, tmp2
C movl b, tmp
C orl c, tmp
C andl d, tmp
C orl tmp2, tmp
C and corresponding code for f3(a,b,c)
C Use the register allocated for c as a temporary?
C movl c, tmp2
C ; f3(b,c,d) = (b & c) | (d & (b | c))
C movl b, tmp
C orl c, tmp
C andl b, c
C andl d, tmp
C orl c, tmp
C ; f3(a,b,c) = (a & b) | (c & (a | b))
C movl b, tmp
C andl a, tmp
C movl a, c
C orl b, c
C andl tmp2, c
C orl c, tmp
C movl tmp2, c
C Before: 14 instr, 2 store, 2 load
C After: 13 instr, 1 store, 2 load
C Final load can be folded into the next round,
C round(d,e,a,b,c,f3,k)
C c += d <<< 5 + f(e, a, b) + k + w
C if we arrange to have w placed directly into the register
C corresponding to w. That way we save one more instruction, total save
C of two instructions, one of which is a store, per two rounds. For the
C twenty rounds involving f3, that's 20 instructions, 10 of which are
C stores, or about 1.5 %.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment