Botan 3.10.0
Crypto and TLS for C&
idea_sse2.cpp
Go to the documentation of this file.
1/*
2* IDEA in SSE2
3* (C) 2009 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/idea.h>
9
10#include <botan/internal/ct_utils.h>
11#include <botan/internal/isa_extn.h>
12#include <emmintrin.h>
13
14namespace Botan {
15
16// NOLINTBEGIN(portability-simd-intrinsics) TODO add various helper fns
17
18namespace {
19
20BOTAN_FN_ISA_SSE2 inline __m128i mul(__m128i X, uint16_t K_16) {
21 const __m128i zeros = _mm_set1_epi16(0);
22 const __m128i ones = _mm_set1_epi16(1);
23
24 const __m128i K = _mm_set1_epi16(K_16);
25
26 const __m128i X_is_zero = _mm_cmpeq_epi16(X, zeros);
27 const __m128i K_is_zero = _mm_cmpeq_epi16(K, zeros);
28
29 const __m128i mul_lo = _mm_mullo_epi16(X, K);
30 const __m128i mul_hi = _mm_mulhi_epu16(X, K);
31
32 __m128i T = _mm_sub_epi16(mul_lo, mul_hi);
33
34 // Unsigned compare; cmp = 1 if mul_lo < mul_hi else 0
35 const __m128i subs = _mm_subs_epu16(mul_hi, mul_lo);
36 const __m128i cmp = _mm_min_epu8(_mm_or_si128(subs, _mm_srli_epi16(subs, 8)), ones);
37
38 T = _mm_add_epi16(T, cmp);
39
40 /* Selection: if X[i] is zero then assign 1-K
41 if K is zero then assign 1-X[i]
42
43 Could if() off value of K_16 for the second, but this gives a
44 constant time implementation which is a nice bonus.
45 */
46
47 T = _mm_or_si128(_mm_andnot_si128(X_is_zero, T), _mm_and_si128(_mm_sub_epi16(ones, K), X_is_zero));
48
49 T = _mm_or_si128(_mm_andnot_si128(K_is_zero, T), _mm_and_si128(_mm_sub_epi16(ones, X), K_is_zero));
50
51 return T;
52}
53
54/*
55* 4x8 matrix transpose
56*
57* FIXME: why do I need the extra set of unpack_epi32 here? Inverse in
58* transpose_out doesn't need it. Something with the shuffle? Removing
59* that extra unpack could easily save 3-4 cycles per block, and would
60* also help a lot with register pressure on 32-bit x86
61*/
62BOTAN_FN_ISA_SSE2 void transpose_in(__m128i& B0, __m128i& B1, __m128i& B2, __m128i& B3) {
63 __m128i T0 = _mm_unpackhi_epi32(B0, B1);
64 __m128i T1 = _mm_unpacklo_epi32(B0, B1);
65 __m128i T2 = _mm_unpackhi_epi32(B2, B3);
66 __m128i T3 = _mm_unpacklo_epi32(B2, B3);
67
68 __m128i T4 = _mm_unpacklo_epi32(T0, T1);
69 __m128i T5 = _mm_unpackhi_epi32(T0, T1);
70 __m128i T6 = _mm_unpacklo_epi32(T2, T3);
71 __m128i T7 = _mm_unpackhi_epi32(T2, T3);
72
73 T0 = _mm_shufflehi_epi16(T4, _MM_SHUFFLE(1, 3, 0, 2));
74 T1 = _mm_shufflehi_epi16(T5, _MM_SHUFFLE(1, 3, 0, 2));
75 T2 = _mm_shufflehi_epi16(T6, _MM_SHUFFLE(1, 3, 0, 2));
76 T3 = _mm_shufflehi_epi16(T7, _MM_SHUFFLE(1, 3, 0, 2));
77
78 T0 = _mm_shufflelo_epi16(T0, _MM_SHUFFLE(1, 3, 0, 2));
79 T1 = _mm_shufflelo_epi16(T1, _MM_SHUFFLE(1, 3, 0, 2));
80 T2 = _mm_shufflelo_epi16(T2, _MM_SHUFFLE(1, 3, 0, 2));
81 T3 = _mm_shufflelo_epi16(T3, _MM_SHUFFLE(1, 3, 0, 2));
82
83 T0 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(3, 1, 2, 0));
84 T1 = _mm_shuffle_epi32(T1, _MM_SHUFFLE(3, 1, 2, 0));
85 T2 = _mm_shuffle_epi32(T2, _MM_SHUFFLE(3, 1, 2, 0));
86 T3 = _mm_shuffle_epi32(T3, _MM_SHUFFLE(3, 1, 2, 0));
87
88 B0 = _mm_unpacklo_epi64(T0, T2);
89 B1 = _mm_unpackhi_epi64(T0, T2);
90 B2 = _mm_unpacklo_epi64(T1, T3);
91 B3 = _mm_unpackhi_epi64(T1, T3);
92}
93
94/*
95* 4x8 matrix transpose (reverse)
96*/
97BOTAN_FN_ISA_SSE2 void transpose_out(__m128i& B0, __m128i& B1, __m128i& B2, __m128i& B3) {
98 __m128i T0 = _mm_unpacklo_epi64(B0, B1);
99 __m128i T1 = _mm_unpacklo_epi64(B2, B3);
100 __m128i T2 = _mm_unpackhi_epi64(B0, B1);
101 __m128i T3 = _mm_unpackhi_epi64(B2, B3);
102
103 T0 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(3, 1, 2, 0));
104 T1 = _mm_shuffle_epi32(T1, _MM_SHUFFLE(3, 1, 2, 0));
105 T2 = _mm_shuffle_epi32(T2, _MM_SHUFFLE(3, 1, 2, 0));
106 T3 = _mm_shuffle_epi32(T3, _MM_SHUFFLE(3, 1, 2, 0));
107
108 T0 = _mm_shufflehi_epi16(T0, _MM_SHUFFLE(3, 1, 2, 0));
109 T1 = _mm_shufflehi_epi16(T1, _MM_SHUFFLE(3, 1, 2, 0));
110 T2 = _mm_shufflehi_epi16(T2, _MM_SHUFFLE(3, 1, 2, 0));
111 T3 = _mm_shufflehi_epi16(T3, _MM_SHUFFLE(3, 1, 2, 0));
112
113 T0 = _mm_shufflelo_epi16(T0, _MM_SHUFFLE(3, 1, 2, 0));
114 T1 = _mm_shufflelo_epi16(T1, _MM_SHUFFLE(3, 1, 2, 0));
115 T2 = _mm_shufflelo_epi16(T2, _MM_SHUFFLE(3, 1, 2, 0));
116 T3 = _mm_shufflelo_epi16(T3, _MM_SHUFFLE(3, 1, 2, 0));
117
118 B0 = _mm_unpacklo_epi32(T0, T1);
119 B1 = _mm_unpackhi_epi32(T0, T1);
120 B2 = _mm_unpacklo_epi32(T2, T3);
121 B3 = _mm_unpackhi_epi32(T2, T3);
122}
123
124} // namespace
125
126/*
127* 8 wide IDEA encryption/decryption in SSE2
128*/
129BOTAN_FN_ISA_SSE2 void IDEA::sse2_idea_op_8(const uint8_t in[64], uint8_t out[64], const uint16_t EK[52]) {
130 CT::poison(in, 64);
131 CT::poison(out, 64);
132 CT::poison(EK, 52);
133
134 const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
135
136 __m128i B0 = _mm_loadu_si128(in_mm + 0);
137 __m128i B1 = _mm_loadu_si128(in_mm + 1);
138 __m128i B2 = _mm_loadu_si128(in_mm + 2);
139 __m128i B3 = _mm_loadu_si128(in_mm + 3);
140
141 transpose_in(B0, B1, B2, B3);
142
143 // byte swap
144 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
145 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
146 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
147 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
148
149 for(size_t i = 0; i != 8; ++i) {
150 B0 = mul(B0, EK[6 * i + 0]);
151 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[6 * i + 1]));
152 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[6 * i + 2]));
153 B3 = mul(B3, EK[6 * i + 3]);
154
155 __m128i T0 = B2;
156 B2 = _mm_xor_si128(B2, B0);
157 B2 = mul(B2, EK[6 * i + 4]);
158
159 __m128i T1 = B1;
160
161 B1 = _mm_xor_si128(B1, B3);
162 B1 = _mm_add_epi16(B1, B2);
163 B1 = mul(B1, EK[6 * i + 5]);
164
165 B2 = _mm_add_epi16(B2, B1);
166
167 B0 = _mm_xor_si128(B0, B1);
168 B1 = _mm_xor_si128(B1, T0);
169 B3 = _mm_xor_si128(B3, B2);
170 B2 = _mm_xor_si128(B2, T1);
171 }
172
173 B0 = mul(B0, EK[48]);
174 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[50]));
175 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[49]));
176 B3 = mul(B3, EK[51]);
177
178 // byte swap
179 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
180 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
181 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
182 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
183
184 transpose_out(B0, B2, B1, B3);
185
186 __m128i* out_mm = reinterpret_cast<__m128i*>(out);
187
188 _mm_storeu_si128(out_mm + 0, B0);
189 _mm_storeu_si128(out_mm + 1, B2);
190 _mm_storeu_si128(out_mm + 2, B1);
191 _mm_storeu_si128(out_mm + 3, B3);
192
193 CT::unpoison(in, 64);
194 CT::unpoison(out, 64);
195 CT::unpoison(EK, 52);
196}
197
198// NOLINTEND(portability-simd-intrinsics)
199
200} // namespace Botan
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65
Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54
Generated by doxygen 1.15.0