crypto/internal/nistec: re-enable ppc64le asm for P-256

Add support for ppc64le assembler to p256. Most of the changes
are due to the change in nistec interfaces.

There is a change to p256MovCond based on a reviewer's comment.

LXVD2X replaces the use of LXVW4X in one function.

In addition, some refactoring has been done to this file to
reduce size and improve readability:
- Eliminate the use of defines to switch between V and VSX
registers. V regs can be used for instructions some that
previously required VSX.
- Use XXPERMDI instead of VPERM to swap bytes loaded and
stored with LXVD2X and STXVD2X instructions. This eliminates
the need to load the byte swap string into a vector.
- Use VMRGEW and VMRGOW instead of VPERM in the VMULT
macros. This also avoids the need to load byte strings to
swap the high and low values.

These changes reduce the file by about 10% and shows an
improvement of about 2% at runtime.

For #52182

Change-Id: Ic48050fc81bb273b7b4023e54864f4255dcc2a4f
Reviewed-on: https://go-review.googlesource.com/c/go/+/399755
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Paul Murphy <[email protected]>

Author: laboger

src/crypto/internal/nistec/generate.go

@@ -40,7 +40,7 @@ var curves = []struct {
 		P:         "P256",
 		Element:   "fiat.P256Element",
 		Params:    elliptic.P256().Params(),
-		BuildTags: "!amd64 && !arm64",
+		BuildTags: "!amd64 && !arm64 && !ppc64le",
 	},
 	{
 		P:       "P384",

src/crypto/internal/nistec/p256.go

@@ -10,7 +10,7 @@
 // https://link.springer.com/article/10.1007%2Fs13389-014-0090-x
 // https://eprint.iacr.org/2013/816.pdf
 
-//go:build amd64 || arm64
+//go:build amd64 || arm64 || ppc64le
 
 package nistec
 
@@ -355,98 +355,6 @@ func p256PointDoubleAsm(res, in *P256Point)
 // Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order.
 type p256OrdElement [4]uint64
 
-// Montgomery multiplication modulo org(G). Sets res = in1 * in2 * R⁻¹.
-//
-//go:noescape
-func p256OrdMul(res, in1, in2 *p256OrdElement)
-
-// Montgomery square modulo org(G), repeated n times (n >= 1).
-//
-//go:noescape
-func p256OrdSqr(res, in *p256OrdElement, n int)
-
-func P256OrdInverse(k []byte) ([]byte, error) {
-	if len(k) != 32 {
-		return nil, errors.New("invalid scalar length")
-	}
-
-	x := new(p256OrdElement)
-	p256OrdBigToLittle(x, (*[32]byte)(k))
-
-	// Inversion is implemented as exponentiation by n - 2, per Fermat's little theorem.
-	//
-	// The sequence of 38 multiplications and 254 squarings is derived from
-	// https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion
-	_1 := new(p256OrdElement)
-	_11 := new(p256OrdElement)
-	_101 := new(p256OrdElement)
-	_111 := new(p256OrdElement)
-	_1111 := new(p256OrdElement)
-	_10101 := new(p256OrdElement)
-	_101111 := new(p256OrdElement)
-	t := new(p256OrdElement)
-
-	// This code operates in the Montgomery domain where R = 2²⁵⁶ mod n and n is
-	// the order of the scalar field. Elements in the Montgomery domain take the
-	// form a×R and p256OrdMul calculates (a × b × R⁻¹) mod n. RR is R in the
-	// domain, or R×R mod n, thus p256OrdMul(x, RR) gives x×R, i.e. converts x
-	// into the Montgomery domain.
-	RR := &p256OrdElement{0x83244c95be79eea2, 0x4699799c49bd6fa6,
-		0x2845b2392b6bec59, 0x66e12d94f3d95620}
-
-	p256OrdMul(_1, x, RR)      // _1
-	p256OrdSqr(x, _1, 1)       // _10
-	p256OrdMul(_11, x, _1)     // _11
-	p256OrdMul(_101, x, _11)   // _101
-	p256OrdMul(_111, x, _101)  // _111
-	p256OrdSqr(x, _101, 1)     // _1010
-	p256OrdMul(_1111, _101, x) // _1111
-
-	p256OrdSqr(t, x, 1)          // _10100
-	p256OrdMul(_10101, t, _1)    // _10101
-	p256OrdSqr(x, _10101, 1)     // _101010
-	p256OrdMul(_101111, _101, x) // _101111
-	p256OrdMul(x, _10101, x)     // _111111 = x6
-	p256OrdSqr(t, x, 2)          // _11111100
-	p256OrdMul(t, t, _11)        // _11111111 = x8
-	p256OrdSqr(x, t, 8)          // _ff00
-	p256OrdMul(x, x, t)          // _ffff = x16
-	p256OrdSqr(t, x, 16)         // _ffff0000
-	p256OrdMul(t, t, x)          // _ffffffff = x32
-
-	p256OrdSqr(x, t, 64)
-	p256OrdMul(x, x, t)
-	p256OrdSqr(x, x, 32)
-	p256OrdMul(x, x, t)
-
-	sqrs := []int{
-		6, 5, 4, 5, 5,
-		4, 3, 3, 5, 9,
-		6, 2, 5, 6, 5,
-		4, 5, 5, 3, 10,
-		2, 5, 5, 3, 7, 6}
-	muls := []*p256OrdElement{
-		_101111, _111, _11, _1111, _10101,
-		_101, _101, _101, _111, _101111,
-		_1111, _1, _1, _1111, _111,
-		_111, _111, _101, _11, _101111,
-		_11, _11, _11, _1, _10101, _1111}
-
-	for i, s := range sqrs {
-		p256OrdSqr(x, x, s)
-		p256OrdMul(x, x, muls[i])
-	}
-
-	// Montgomery multiplication by R⁻¹, or 1 outside the domain as R⁻¹×R = 1,
-	// converts a Montgomery value out of the domain.
-	one := &p256OrdElement{1}
-	p256OrdMul(x, x, one)
-
-	var xOut [32]byte
-	p256OrdLittleToBig(&xOut, x)
-	return xOut[:], nil
-}
-
 // Add sets q = p1 + p2, and returns q. The points may overlap.
 func (q *P256Point) Add(r1, r2 *P256Point) *P256Point {
 	var sum, double P256Point

src/crypto/internal/nistec/p256_asm.go

@@ -0,0 +1,101 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build amd64 || arm64
+
+package nistec
+
+import "errors"
+
+// Montgomery multiplication modulo org(G). Sets res = in1 * in2 * R⁻¹.
+//
+//go:noescape
+func p256OrdMul(res, in1, in2 *p256OrdElement)
+
+// Montgomery square modulo org(G), repeated n times (n >= 1).
+//
+//go:noescape
+func p256OrdSqr(res, in *p256OrdElement, n int)
+
+func P256OrdInverse(k []byte) ([]byte, error) {
+	if len(k) != 32 {
+		return nil, errors.New("invalid scalar length")
+	}
+
+	x := new(p256OrdElement)
+	p256OrdBigToLittle(x, (*[32]byte)(k))
+
+	// Inversion is implemented as exponentiation by n - 2, per Fermat's little theorem.
+	//
+	// The sequence of 38 multiplications and 254 squarings is derived from
+	// https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion
+	_1 := new(p256OrdElement)
+	_11 := new(p256OrdElement)
+	_101 := new(p256OrdElement)
+	_111 := new(p256OrdElement)
+	_1111 := new(p256OrdElement)
+	_10101 := new(p256OrdElement)
+	_101111 := new(p256OrdElement)
+	t := new(p256OrdElement)
+
+	// This code operates in the Montgomery domain where R = 2²⁵⁶ mod n and n is
+	// the order of the scalar field. Elements in the Montgomery domain take the
+	// form a×R and p256OrdMul calculates (a × b × R⁻¹) mod n. RR is R in the
+	// domain, or R×R mod n, thus p256OrdMul(x, RR) gives x×R, i.e. converts x
+	// into the Montgomery domain.
+	RR := &p256OrdElement{0x83244c95be79eea2, 0x4699799c49bd6fa6,
+		0x2845b2392b6bec59, 0x66e12d94f3d95620}
+
+	p256OrdMul(_1, x, RR)      // _1
+	p256OrdSqr(x, _1, 1)       // _10
+	p256OrdMul(_11, x, _1)     // _11
+	p256OrdMul(_101, x, _11)   // _101
+	p256OrdMul(_111, x, _101)  // _111
+	p256OrdSqr(x, _101, 1)     // _1010
+	p256OrdMul(_1111, _101, x) // _1111
+
+	p256OrdSqr(t, x, 1)          // _10100
+	p256OrdMul(_10101, t, _1)    // _10101
+	p256OrdSqr(x, _10101, 1)     // _101010
+	p256OrdMul(_101111, _101, x) // _101111
+	p256OrdMul(x, _10101, x)     // _111111 = x6
+	p256OrdSqr(t, x, 2)          // _11111100
+	p256OrdMul(t, t, _11)        // _11111111 = x8
+	p256OrdSqr(x, t, 8)          // _ff00
+	p256OrdMul(x, x, t)          // _ffff = x16
+	p256OrdSqr(t, x, 16)         // _ffff0000
+	p256OrdMul(t, t, x)          // _ffffffff = x32
+
+	p256OrdSqr(x, t, 64)
+	p256OrdMul(x, x, t)
+	p256OrdSqr(x, x, 32)
+	p256OrdMul(x, x, t)
+
+	sqrs := []int{
+		6, 5, 4, 5, 5,
+		4, 3, 3, 5, 9,
+		6, 2, 5, 6, 5,
+		4, 5, 5, 3, 10,
+		2, 5, 5, 3, 7, 6}
+	muls := []*p256OrdElement{
+		_101111, _111, _11, _1111, _10101,
+		_101, _101, _101, _111, _101111,
+		_1111, _1, _1, _1111, _111,
+		_111, _111, _101, _11, _101111,
+		_11, _11, _11, _1, _10101, _1111}
+
+	for i, s := range sqrs {
+		p256OrdSqr(x, x, s)
+		p256OrdMul(x, x, muls[i])
+	}
+
+	// Montgomery multiplication by R⁻¹, or 1 outside the domain as R⁻¹×R = 1,
+	// converts a Montgomery value out of the domain.
+	one := &p256OrdElement{1}
+	p256OrdMul(x, x, one)
+
+	var xOut [32]byte
+	p256OrdLittleToBig(&xOut, x)
+	return xOut[:], nil
+}