author | Samuel Neves <sneves@dei.uc.pt> | 2018-07-28 05:31:10 +0100 |
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-07-28 14:47:25 +0200 |
commit | 2ff62d8431b18db111c126dd2ef26e5417da1c62 (patch) | |
tree | 4395434f107a203e4d21f2f3d99c525147c37cc4 /src | |
parent | 7570a39724d19180ca1c62e4c960e1c19fa0756f (diff) |
curve25519-x86_64: tighten the x25519 assembly
The wide (128-bit) multiplication by 38 in mul_a24_eltfp25519_1w is redundant:
the carry limb being multiplied is at most floor((2^256-1) * 121666 / 2^256) = 121665,
so the 64-bit product 38 * 121665 can never overflow and the high half is always zero.
Change inspired by Andy Polyakov's OpenSSL implementation.
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/crypto/curve25519-x86_64.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/crypto/curve25519-x86_64.h b/src/crypto/curve25519-x86_64.h
index a4c958a..fba4f00 100644
--- a/src/crypto/curve25519-x86_64.h
+++ b/src/crypto/curve25519-x86_64.h
@@ -1493,9 +1493,9 @@ static __always_inline void mul_a24_eltfp25519_1w(u64 *const c, const u64 *const
 /**************************/
 "adcq $0, %%rcx ;"
 "movl $38, %%edx ;" /* 2*c = 38 = 2^256 mod 2^255-19*/
- "mulx %%rcx, %%rax, %%rcx ;"
- "addq %%rax, %%r8 ;"
- "adcq %%rcx, %%r9 ;"
+ "imul %%rdx, %%rcx ;"
+ "addq %%rcx, %%r8 ;"
+ "adcq $0, %%r9 ;"
 "movq %%r9, 8(%0) ;"
 "adcq $0, %%r10 ;"
 "movq %%r10, 16(%0) ;" |
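Review bot: The new `imul`/`adcq $0` pair is only correct because the carry limb in rcx is bounded by 121665 (so 38*rcx fits in 64 bits and the dropped high half is always zero), but that invariant lives only in the commit message; the one comment on the new side, `2*c = 38 = 2^256 mod 2^255-19`, justifies the 38 and not the narrowing. I'd put the bound next to the instruction, e.g. `"imul %%rdx, %%rcx ;" /* rcx <= 121665: carry of a 256-bit * 121666 product, so 38*rcx < 2^64 */`. The bound depends on the a24 multiplier the function applies earlier, which is not visible in this hunk; if that constant were ever changed or this routine reused for a larger one, the narrow multiply would silently reintroduce the overflow the old `mulx` sequence absorbed, so a comment stating the precondition is worth having. mul_a24_eltfp25519_1w starts before the hunk (the `@@` header names it) and continues after it.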