2 #include "crypto_int64.h"
8 Can overlap h with f or g.
11 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
12 |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
15 |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
19 Notes on implementation strategy:
21 Using schoolbook multiplication.
22 Karatsuba would save a little in some cost models.
24 Most multiplications by 2 and 19 are 32-bit precomputations;
25 cheaper than 64-bit postcomputations.
27 There is one remaining multiplication by 19 in the carry chain;
28 one *19 precomputation can be merged into this,
29 but the resulting data flow is considerably less clean.
31 There are 12 carries below.
32 10 of them are 2-way parallelizable and vectorizable.
33 Can get away with 11 carries, but then data flow is much deeper.
35 With tighter constraints on inputs can squeeze carries into int32.
38 void fe_mul(fe h,fe f,fe g)
40 crypto_int32 f0 = f[0];
41 crypto_int32 f1 = f[1];
42 crypto_int32 f2 = f[2];
43 crypto_int32 f3 = f[3];
44 crypto_int32 f4 = f[4];
45 crypto_int32 f5 = f[5];
46 crypto_int32 f6 = f[6];
47 crypto_int32 f7 = f[7];
48 crypto_int32 f8 = f[8];
49 crypto_int32 f9 = f[9];
50 crypto_int32 g0 = g[0];
51 crypto_int32 g1 = g[1];
52 crypto_int32 g2 = g[2];
53 crypto_int32 g3 = g[3];
54 crypto_int32 g4 = g[4];
55 crypto_int32 g5 = g[5];
56 crypto_int32 g6 = g[6];
57 crypto_int32 g7 = g[7];
58 crypto_int32 g8 = g[8];
59 crypto_int32 g9 = g[9];
60 crypto_int32 g1_19 = 19 * g1; /* 1.4*2^29 */
61 crypto_int32 g2_19 = 19 * g2; /* 1.4*2^30; still ok */
62 crypto_int32 g3_19 = 19 * g3;
63 crypto_int32 g4_19 = 19 * g4;
64 crypto_int32 g5_19 = 19 * g5;
65 crypto_int32 g6_19 = 19 * g6;
66 crypto_int32 g7_19 = 19 * g7;
67 crypto_int32 g8_19 = 19 * g8;
68 crypto_int32 g9_19 = 19 * g9;
69 crypto_int32 f1_2 = 2 * f1;
70 crypto_int32 f3_2 = 2 * f3;
71 crypto_int32 f5_2 = 2 * f5;
72 crypto_int32 f7_2 = 2 * f7;
73 crypto_int32 f9_2 = 2 * f9;
74 crypto_int64 f0g0 = f0 * (crypto_int64) g0;
75 crypto_int64 f0g1 = f0 * (crypto_int64) g1;
76 crypto_int64 f0g2 = f0 * (crypto_int64) g2;
77 crypto_int64 f0g3 = f0 * (crypto_int64) g3;
78 crypto_int64 f0g4 = f0 * (crypto_int64) g4;
79 crypto_int64 f0g5 = f0 * (crypto_int64) g5;
80 crypto_int64 f0g6 = f0 * (crypto_int64) g6;
81 crypto_int64 f0g7 = f0 * (crypto_int64) g7;
82 crypto_int64 f0g8 = f0 * (crypto_int64) g8;
83 crypto_int64 f0g9 = f0 * (crypto_int64) g9;
84 crypto_int64 f1g0 = f1 * (crypto_int64) g0;
85 crypto_int64 f1g1_2 = f1_2 * (crypto_int64) g1;
86 crypto_int64 f1g2 = f1 * (crypto_int64) g2;
87 crypto_int64 f1g3_2 = f1_2 * (crypto_int64) g3;
88 crypto_int64 f1g4 = f1 * (crypto_int64) g4;
89 crypto_int64 f1g5_2 = f1_2 * (crypto_int64) g5;
90 crypto_int64 f1g6 = f1 * (crypto_int64) g6;
91 crypto_int64 f1g7_2 = f1_2 * (crypto_int64) g7;
92 crypto_int64 f1g8 = f1 * (crypto_int64) g8;
93 crypto_int64 f1g9_38 = f1_2 * (crypto_int64) g9_19;
94 crypto_int64 f2g0 = f2 * (crypto_int64) g0;
95 crypto_int64 f2g1 = f2 * (crypto_int64) g1;
96 crypto_int64 f2g2 = f2 * (crypto_int64) g2;
97 crypto_int64 f2g3 = f2 * (crypto_int64) g3;
98 crypto_int64 f2g4 = f2 * (crypto_int64) g4;
99 crypto_int64 f2g5 = f2 * (crypto_int64) g5;
100 crypto_int64 f2g6 = f2 * (crypto_int64) g6;
101 crypto_int64 f2g7 = f2 * (crypto_int64) g7;
102 crypto_int64 f2g8_19 = f2 * (crypto_int64) g8_19;
103 crypto_int64 f2g9_19 = f2 * (crypto_int64) g9_19;
104 crypto_int64 f3g0 = f3 * (crypto_int64) g0;
105 crypto_int64 f3g1_2 = f3_2 * (crypto_int64) g1;
106 crypto_int64 f3g2 = f3 * (crypto_int64) g2;
107 crypto_int64 f3g3_2 = f3_2 * (crypto_int64) g3;
108 crypto_int64 f3g4 = f3 * (crypto_int64) g4;
109 crypto_int64 f3g5_2 = f3_2 * (crypto_int64) g5;
110 crypto_int64 f3g6 = f3 * (crypto_int64) g6;
111 crypto_int64 f3g7_38 = f3_2 * (crypto_int64) g7_19;
112 crypto_int64 f3g8_19 = f3 * (crypto_int64) g8_19;
113 crypto_int64 f3g9_38 = f3_2 * (crypto_int64) g9_19;
114 crypto_int64 f4g0 = f4 * (crypto_int64) g0;
115 crypto_int64 f4g1 = f4 * (crypto_int64) g1;
116 crypto_int64 f4g2 = f4 * (crypto_int64) g2;
117 crypto_int64 f4g3 = f4 * (crypto_int64) g3;
118 crypto_int64 f4g4 = f4 * (crypto_int64) g4;
119 crypto_int64 f4g5 = f4 * (crypto_int64) g5;
120 crypto_int64 f4g6_19 = f4 * (crypto_int64) g6_19;
121 crypto_int64 f4g7_19 = f4 * (crypto_int64) g7_19;
122 crypto_int64 f4g8_19 = f4 * (crypto_int64) g8_19;
123 crypto_int64 f4g9_19 = f4 * (crypto_int64) g9_19;
124 crypto_int64 f5g0 = f5 * (crypto_int64) g0;
125 crypto_int64 f5g1_2 = f5_2 * (crypto_int64) g1;
126 crypto_int64 f5g2 = f5 * (crypto_int64) g2;
127 crypto_int64 f5g3_2 = f5_2 * (crypto_int64) g3;
128 crypto_int64 f5g4 = f5 * (crypto_int64) g4;
129 crypto_int64 f5g5_38 = f5_2 * (crypto_int64) g5_19;
130 crypto_int64 f5g6_19 = f5 * (crypto_int64) g6_19;
131 crypto_int64 f5g7_38 = f5_2 * (crypto_int64) g7_19;
132 crypto_int64 f5g8_19 = f5 * (crypto_int64) g8_19;
133 crypto_int64 f5g9_38 = f5_2 * (crypto_int64) g9_19;
134 crypto_int64 f6g0 = f6 * (crypto_int64) g0;
135 crypto_int64 f6g1 = f6 * (crypto_int64) g1;
136 crypto_int64 f6g2 = f6 * (crypto_int64) g2;
137 crypto_int64 f6g3 = f6 * (crypto_int64) g3;
138 crypto_int64 f6g4_19 = f6 * (crypto_int64) g4_19;
139 crypto_int64 f6g5_19 = f6 * (crypto_int64) g5_19;
140 crypto_int64 f6g6_19 = f6 * (crypto_int64) g6_19;
141 crypto_int64 f6g7_19 = f6 * (crypto_int64) g7_19;
142 crypto_int64 f6g8_19 = f6 * (crypto_int64) g8_19;
143 crypto_int64 f6g9_19 = f6 * (crypto_int64) g9_19;
144 crypto_int64 f7g0 = f7 * (crypto_int64) g0;
145 crypto_int64 f7g1_2 = f7_2 * (crypto_int64) g1;
146 crypto_int64 f7g2 = f7 * (crypto_int64) g2;
147 crypto_int64 f7g3_38 = f7_2 * (crypto_int64) g3_19;
148 crypto_int64 f7g4_19 = f7 * (crypto_int64) g4_19;
149 crypto_int64 f7g5_38 = f7_2 * (crypto_int64) g5_19;
150 crypto_int64 f7g6_19 = f7 * (crypto_int64) g6_19;
151 crypto_int64 f7g7_38 = f7_2 * (crypto_int64) g7_19;
152 crypto_int64 f7g8_19 = f7 * (crypto_int64) g8_19;
153 crypto_int64 f7g9_38 = f7_2 * (crypto_int64) g9_19;
154 crypto_int64 f8g0 = f8 * (crypto_int64) g0;
155 crypto_int64 f8g1 = f8 * (crypto_int64) g1;
156 crypto_int64 f8g2_19 = f8 * (crypto_int64) g2_19;
157 crypto_int64 f8g3_19 = f8 * (crypto_int64) g3_19;
158 crypto_int64 f8g4_19 = f8 * (crypto_int64) g4_19;
159 crypto_int64 f8g5_19 = f8 * (crypto_int64) g5_19;
160 crypto_int64 f8g6_19 = f8 * (crypto_int64) g6_19;
161 crypto_int64 f8g7_19 = f8 * (crypto_int64) g7_19;
162 crypto_int64 f8g8_19 = f8 * (crypto_int64) g8_19;
163 crypto_int64 f8g9_19 = f8 * (crypto_int64) g9_19;
164 crypto_int64 f9g0 = f9 * (crypto_int64) g0;
165 crypto_int64 f9g1_38 = f9_2 * (crypto_int64) g1_19;
166 crypto_int64 f9g2_19 = f9 * (crypto_int64) g2_19;
167 crypto_int64 f9g3_38 = f9_2 * (crypto_int64) g3_19;
168 crypto_int64 f9g4_19 = f9 * (crypto_int64) g4_19;
169 crypto_int64 f9g5_38 = f9_2 * (crypto_int64) g5_19;
170 crypto_int64 f9g6_19 = f9 * (crypto_int64) g6_19;
171 crypto_int64 f9g7_38 = f9_2 * (crypto_int64) g7_19;
172 crypto_int64 f9g8_19 = f9 * (crypto_int64) g8_19;
173 crypto_int64 f9g9_38 = f9_2 * (crypto_int64) g9_19;
174 crypto_int64 h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
175 crypto_int64 h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
176 crypto_int64 h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
177 crypto_int64 h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
178 crypto_int64 h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
179 crypto_int64 h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
180 crypto_int64 h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38;
181 crypto_int64 h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19;
182 crypto_int64 h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38;
183 crypto_int64 h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ;
196 |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
197 i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
198 |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
199 i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
202 carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
203 carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
206 /* |h1| <= 1.51*2^58 */
207 /* |h5| <= 1.51*2^58 */
209 carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
210 carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
211 /* |h1| <= 2^24; from now on fits into int32 */
212 /* |h5| <= 2^24; from now on fits into int32 */
213 /* |h2| <= 1.21*2^59 */
214 /* |h6| <= 1.21*2^59 */
216 carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
217 carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
218 /* |h2| <= 2^25; from now on fits into int32 unchanged */
219 /* |h6| <= 2^25; from now on fits into int32 unchanged */
220 /* |h3| <= 1.51*2^58 */
221 /* |h7| <= 1.51*2^58 */
223 carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
224 carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
225 /* |h3| <= 2^24; from now on fits into int32 unchanged */
226 /* |h7| <= 2^24; from now on fits into int32 unchanged */
227 /* |h4| <= 1.52*2^33 */
228 /* |h8| <= 1.52*2^33 */
230 carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
231 carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
232 /* |h4| <= 2^25; from now on fits into int32 unchanged */
233 /* |h8| <= 2^25; from now on fits into int32 unchanged */
234 /* |h5| <= 1.01*2^24 */
235 /* |h9| <= 1.51*2^58 */
237 carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
238 /* |h9| <= 2^24; from now on fits into int32 unchanged */
239 /* |h0| <= 1.8*2^37 */
241 carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
242 /* |h0| <= 2^25; from now on fits into int32 unchanged */
243 /* |h1| <= 1.01*2^24 */
Code Review / trex.git / blob