Add simd to scalar_4x64, Add TODOs

Author: Raimo33

src/field_5x52_impl.h

@@ -7,17 +7,17 @@
 #ifndef SECP256K1_FIELD_REPR_IMPL_H
 #define SECP256K1_FIELD_REPR_IMPL_H
 
-#ifdef X86
-# include <immintrin.h>
-#endif
-
 #include "checkmem.h"
 #include "util.h"
 #include "field.h"
 #include "modinv64_impl.h"
 
 #include "field_5x52_int128_impl.h"
 
+#ifdef X86
+# include <immintrin.h>
+#endif
+
 #ifdef VERIFY
 static void secp256k1_fe_impl_verify(const secp256k1_fe *a) {
     const uint64_t *d = a->n;

src/hash_impl.h

@@ -14,6 +14,10 @@
 #include <stdint.h>
 #include <string.h>
 
+#ifdef X86
+# include <immintrin.h>
+#endif
+
 #define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 #define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
 #define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10))

src/modinv32_impl.h

@@ -40,6 +40,7 @@ static void secp256k1_modinv32_mul_30(secp256k1_modinv32_signed30 *r, const secp
 /* Return -1 for a<b*factor, 0 for a==b*factor, 1 for a>b*factor. A consists of alen limbs; b has 9. */
 static int secp256k1_modinv32_mul_cmp_30(const secp256k1_modinv32_signed30 *a, int alen, const secp256k1_modinv32_signed30 *b, int32_t factor) {
     int i;
+    int diff;
     secp256k1_modinv32_signed30 am, bm;
     secp256k1_modinv32_mul_30(&am, a, alen, 1); /* Normalize all but the top limb of a. */
     secp256k1_modinv32_mul_30(&bm, b, 9, factor);

src/scalar_4x64_impl.h

@@ -12,6 +12,10 @@
 #include "modinv64_impl.h"
 #include "util.h"
 
+#ifdef X86
+# include <immintrin.h>
+#endif
+
 /* Limbs of the secp256k1 order. */
 #define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL)
 #define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL)
@@ -143,6 +147,7 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
 
 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
     int over;
+
     r->d[0] = secp256k1_read_be64(&b32[24]);
     r->d[1] = secp256k1_read_be64(&b32[16]);
     r->d[2] = secp256k1_read_be64(&b32[8]);
@@ -866,14 +871,27 @@ static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a,
 static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
     SECP256K1_SCALAR_VERIFY(k);
 
+#ifdef __AVX2__
+    {
+      __m128i k_01 = _mm_loadu_si128((__m128i *)k->d);
+      __m128i k_23 = _mm_loadu_si128((__m128i *)(k->d + 2));
+      const __m128i zeros = _mm_setzero_si128(); /* TODO: precompute */
+      _mm_storeu_si128((__m128i*)(r1->d + 2), zeros);
+      _mm_storeu_si128((__m128i*)(r2->d + 2), zeros);
+      _mm_storeu_si128((__m128i*)r1->d, k_01);
+      _mm_storeu_si128((__m128i*)r2->d, k_23);
+    }
+#else
     r1->d[0] = k->d[0];
     r1->d[1] = k->d[1];
     r1->d[2] = 0;
     r1->d[3] = 0;
+
     r2->d[0] = k->d[2];
     r2->d[1] = k->d[3];
     r2->d[2] = 0;
     r2->d[3] = 0;
+#endif
 
     SECP256K1_SCALAR_VERIFY(r1);
     SECP256K1_SCALAR_VERIFY(r2);
@@ -883,7 +901,19 @@ SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const
     SECP256K1_SCALAR_VERIFY(a);
     SECP256K1_SCALAR_VERIFY(b);
 
-    return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3])) == 0;
+#ifdef __AVX2__
+    {
+        __m256i vec_a = _mm256_loadu_si256((__m256i *)a->d);
+        __m256i vec_b = _mm256_loadu_si256((__m256i *)b->d);
+        __m256i vec_xor = _mm256_xor_si256(vec_a, vec_b);
+        return _mm256_testz_si256(vec_xor, vec_xor);
+    }
+#else
+    return (  (a->d[0] ^ b->d[0]) |
+              (a->d[1] ^ b->d[1]) |
+              (a->d[2] ^ b->d[2]) |
+              (a->d[3] ^ b->d[3])  ) == 0;
+#endif
 }
 
 SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift) {
@@ -899,6 +929,9 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
     shiftlimbs = shift >> 6;
     shiftlow = shift & 0x3F;
     shifthigh = 64 - shiftlow;
+
+    /* TODO: parallel? */
+
     r->d[0] = shift < 512 ? (l[0 + shiftlimbs] >> shiftlow | (shift < 448 && shiftlow ? (l[1 + shiftlimbs] << shifthigh) : 0)) : 0;
     r->d[1] = shift < 448 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0;
     r->d[2] = shift < 384 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0;
@@ -909,17 +942,34 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
 }
 
 static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
+#ifdef __AVX2__
+    /* load here to mitigate load latency */
+    __m256i vec_r = _mm256_loadu_si256((__m256i *)(r->d));
+    __m256i vec_a = _mm256_loadu_si256((__m256i *)(a->d));
+#endif
     uint64_t mask0, mask1;
     volatile int vflag = flag;
     SECP256K1_SCALAR_VERIFY(a);
     SECP256K1_CHECKMEM_CHECK_VERIFY(r->d, sizeof(r->d));
 
     mask0 = vflag + ~((uint64_t)0);
     mask1 = ~mask0;
+
+#ifdef __AVX2__
+    {
+        const __m256i vec_mask0 = _mm256_set1_epi64x(mask0); /* TODO: precompute*/
+        const __m256i vec_mask1 = _mm256_set1_epi64x(mask1); /* TODO: precompute*/
+        vec_r = _mm256_and_si256(vec_r, vec_mask0);
+        vec_a = _mm256_and_si256(vec_a, vec_mask1);
+        vec_r = _mm256_or_si256(vec_r, vec_a);
+        _mm256_storeu_si256((__m256i *)(r->d), vec_r);
+    }
+#else
     r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1);
     r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1);
     r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1);
     r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1);
+#endif
 
     SECP256K1_SCALAR_VERIFY(r);
 }
@@ -936,10 +986,23 @@ static void secp256k1_scalar_from_signed62(secp256k1_scalar *r, const secp256k1_
     VERIFY_CHECK(a3 >> 62 == 0);
     VERIFY_CHECK(a4 >> 8 == 0);
 
+#ifdef __AVX2__
+    {
+        __m256i limbs_0123 = _mm256_setr_epi64x(a0, a1, a2, a3);
+        __m256i limbs_1234 = _mm256_setr_epi64x(a1, a2, a3, a4);
+        const __m256i shift_lhs = _mm256_setr_epi64x(0, 2, 4, 6);
+        const __m256i shift_rhs = _mm256_setr_epi64x(62, 60, 58, 56);
+        __m256i lhs = _mm256_srlv_epi64(limbs_0123, shift_lhs);
+        __m256i rhs = _mm256_sllv_epi64(limbs_1234, shift_rhs);
+        __m256i out = _mm256_or_si256(lhs, rhs);
+        _mm256_storeu_si256((__m256i *)(r->d), out);
+    }
+#else
     r->d[0] = a0      | a1 << 62;
     r->d[1] = a1 >> 2 | a2 << 60;
     r->d[2] = a2 >> 4 | a3 << 58;
     r->d[3] = a3 >> 6 | a4 << 56;
+#endif
 
     SECP256K1_SCALAR_VERIFY(r);
 }
@@ -949,10 +1012,25 @@ static void secp256k1_scalar_to_signed62(secp256k1_modinv64_signed62 *r, const s
     const uint64_t a0 = a->d[0], a1 = a->d[1], a2 = a->d[2], a3 = a->d[3];
     SECP256K1_SCALAR_VERIFY(a);
 
+#ifdef __AVX2__
+    {
+        __m256i limbs_0012 = _mm256_setr_epi64x(a0, a0, a1, a2);
+        __m256i limbs_0123 = _mm256_setr_epi64x(a0, a1, a2, a3);
+        const __m256i shift_lhs = _mm256_setr_epi64x(0, 62, 60, 58); /*TODO: precompute */
+        const __m256i shift_rhs = _mm256_setr_epi64x(64, 2, 4, 6); /*TODO: precompute */
+        const __m256i mask62 = _mm256_set1_epi64x(M62); /*TODO: precompute */
+        __m256i lhs = _mm256_srlv_epi64(limbs_0012, shift_lhs);
+        __m256i rhs = _mm256_sllv_epi64(limbs_0123, shift_rhs);
+        __m256i out = _mm256_or_si256(lhs, rhs);
+        out = _mm256_and_si256(out, mask62);
+        _mm256_storeu_si256((__m256i *)r->v, out);
+    }
+#else
     r->v[0] =  a0                   & M62;
     r->v[1] = (a0 >> 62 | a1 <<  2) & M62;
     r->v[2] = (a1 >> 60 | a2 <<  4) & M62;
     r->v[3] = (a2 >> 58 | a3 <<  6) & M62;
+#endif
     r->v[4] =  a3 >> 56;
 }
 

src/scalar_8x32_impl.h

@@ -39,6 +39,9 @@
 #define SECP256K1_N_H_7 ((uint32_t)0x7FFFFFFFUL)
 
 SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) {
+
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r->d[0] = v;
     r->d[1] = 0;
     r->d[2] = 0;
@@ -150,6 +153,8 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
     SECP256K1_SCALAR_VERIFY(r);
     VERIFY_CHECK(bit < 256);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     bit += ((uint32_t) vflag - 1) & 0x100;  /* forcing (bit >> 5) > 7 makes this a noop */
     t = (uint64_t)r->d[0] + (((uint32_t)((bit >> 5) == 0)) << (bit & 0x1F));
     r->d[0] = t & 0xFFFFFFFFULL; t >>= 32;
@@ -174,6 +179,9 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
 
 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
     int over;
+
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r->d[0] = secp256k1_read_be32(&b32[28]);
     r->d[1] = secp256k1_read_be32(&b32[24]);
     r->d[2] = secp256k1_read_be32(&b32[20]);
@@ -193,6 +201,8 @@ static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b
 static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) {
     SECP256K1_SCALAR_VERIFY(a);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     secp256k1_write_be32(&bin[0], a->d[7]);
     secp256k1_write_be32(&bin[4], a->d[6]);
     secp256k1_write_be32(&bin[8], a->d[5]);
@@ -206,6 +216,8 @@ static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar*
 SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) {
     SECP256K1_SCALAR_VERIFY(a);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     return (a->d[0] | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0;
 }
 
@@ -214,6 +226,8 @@ static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar
     uint64_t t = (uint64_t)(~a->d[0]) + SECP256K1_N_0 + 1;
     SECP256K1_SCALAR_VERIFY(a);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r->d[0] = t & nonzero; t >>= 32;
     t += (uint64_t)(~a->d[1]) + SECP256K1_N_1;
     r->d[1] = t & nonzero; t >>= 32;
@@ -284,6 +298,8 @@ static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a
 SECP256K1_INLINE static int secp256k1_scalar_is_one(const secp256k1_scalar *a) {
     SECP256K1_SCALAR_VERIFY(a);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0;
 }
 
@@ -652,6 +668,8 @@ static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a,
 static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
     SECP256K1_SCALAR_VERIFY(k);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r1->d[0] = k->d[0];
     r1->d[1] = k->d[1];
     r1->d[2] = k->d[2];
@@ -689,6 +707,8 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
     SECP256K1_SCALAR_VERIFY(b);
     VERIFY_CHECK(shift >= 256);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     secp256k1_scalar_mul_512(l, a, b);
     shiftlimbs = shift >> 5;
     shiftlow = shift & 0x1F;
@@ -712,6 +732,8 @@ static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const se
     SECP256K1_SCALAR_VERIFY(a);
     SECP256K1_CHECKMEM_CHECK_VERIFY(r->d, sizeof(r->d));
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     mask0 = vflag + ~((uint32_t)0);
     mask1 = ~mask0;
     r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1);
@@ -743,6 +765,8 @@ static void secp256k1_scalar_from_signed30(secp256k1_scalar *r, const secp256k1_
     VERIFY_CHECK(a7 >> 30 == 0);
     VERIFY_CHECK(a8 >> 16 == 0);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r->d[0] = a0       | a1 << 30;
     r->d[1] = a1 >>  2 | a2 << 28;
     r->d[2] = a2 >>  4 | a3 << 26;
@@ -761,6 +785,8 @@ static void secp256k1_scalar_to_signed30(secp256k1_modinv32_signed30 *r, const s
                    a4 = a->d[4], a5 = a->d[5], a6 = a->d[6], a7 = a->d[7];
     SECP256K1_SCALAR_VERIFY(a);
 
+    /* TODO: parallel, SSE2 (32bit cpu only) */
+
     r->v[0] =  a0                   & M30;
     r->v[1] = (a0 >> 30 | a1 <<  2) & M30;
     r->v[2] = (a1 >> 28 | a2 <<  4) & M30;