xref: /external/boringssl/src/crypto/curve25519/asm/x25519-asm-x86_64.S

/* Copyright (c) 2015, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

/* This file is adapted from crypto_scalarmult/curve25519/amd64-51/ in
 * SUPERCOP 20141124 (http://bench.cr.yp.to/supercop.html). That code is public
 * domain licensed but the standard ISC license is included above to keep
 * licensing simple. */

#if !defined(OPENSSL_NO_ASM)
#if defined(__x86_64__)

.data
.p2align 4

#if defined(__APPLE__)
/* OS X's C ABI prefixes functions with underscore. */
#define C_ABI(x) _ ## x
#define HIDDEN .private_extern
#else
#define C_ABI(x) x
#define HIDDEN .hidden
#endif

x25519_x86_64_REDMASK51:   .quad 0x0007FFFFFFFFFFFF
x25519_x86_64_121666_213:  .quad 996687872
x25519_x86_64_2P0:         .quad 0xFFFFFFFFFFFDA
x25519_x86_64_2P1234:      .quad 0xFFFFFFFFFFFFE
x25519_x86_64_4P0:         .quad 0x1FFFFFFFFFFFB4
x25519_x86_64_4P1234:      .quad 0x1FFFFFFFFFFFFC
x25519_x86_64_MU0:         .quad 0xED9CE5A30A2C131B
x25519_x86_64_MU1:         .quad 0x2106215D086329A7
x25519_x86_64_MU2:         .quad 0xFFFFFFFFFFFFFFEB
x25519_x86_64_MU3:         .quad 0xFFFFFFFFFFFFFFFF
x25519_x86_64_MU4:         .quad 0x000000000000000F
x25519_x86_64_ORDER0:      .quad 0x5812631A5CF5D3ED
x25519_x86_64_ORDER1:      .quad 0x14DEF9DEA2F79CD6
x25519_x86_64_ORDER2:      .quad 0x0000000000000000
x25519_x86_64_ORDER3:      .quad 0x1000000000000000
x25519_x86_64_EC2D0:       .quad 1859910466990425
x25519_x86_64_EC2D1:       .quad 932731440258426
x25519_x86_64_EC2D2:       .quad 1072319116312658
x25519_x86_64_EC2D3:       .quad 1815898335770999
x25519_x86_64_EC2D4:       .quad 633789495995903
x25519_x86_64__38:         .quad 38

.text
.p2align 5

.globl C_ABI(x25519_x86_64_freeze)
HIDDEN C_ABI(x25519_x86_64_freeze)
C_ABI(x25519_x86_64_freeze):
.cfi_startproc
/* This is a leaf function and uses the redzone for saving registers. */
movq %r12,-8(%rsp)
.cfi_rel_offset r12, -8
movq   0(%rdi),%rsi
movq   8(%rdi),%rdx
movq   16(%rdi),%rcx
movq   24(%rdi),%r8
movq   32(%rdi),%r9
movq x25519_x86_64_REDMASK51(%rip),%rax
mov  %rax,%r10
sub  $18,%r10
mov  $3,%r11
._reduceloop:
mov  %rsi,%r12
shr  $51,%r12
and  %rax,%rsi
add  %r12,%rdx
mov  %rdx,%r12
shr  $51,%r12
and  %rax,%rdx
add  %r12,%rcx
mov  %rcx,%r12
shr  $51,%r12
and  %rax,%rcx
add  %r12,%r8
mov  %r8,%r12
shr  $51,%r12
and  %rax,%r8
add  %r12,%r9
mov  %r9,%r12
shr  $51,%r12
and  %rax,%r9
imulq  $19,%r12,%r12
add  %r12,%rsi
sub  $1,%r11
ja ._reduceloop
mov  $1,%r12
cmp  %r10,%rsi
cmovl %r11,%r12
cmp  %rax,%rdx
cmovne %r11,%r12
cmp  %rax,%rcx
cmovne %r11,%r12
cmp  %rax,%r8
cmovne %r11,%r12
cmp  %rax,%r9
cmovne %r11,%r12
neg  %r12
and  %r12,%rax
and  %r12,%r10
sub  %r10,%rsi
sub  %rax,%rdx
sub  %rax,%rcx
sub  %rax,%r8
sub  %rax,%r9
movq   %rsi,0(%rdi)
movq   %rdx,8(%rdi)
movq   %rcx,16(%rdi)
movq   %r8,24(%rdi)
movq   %r9,32(%rdi)
movq -8(%rsp),%r12
ret
.cfi_endproc

.p2align 5
.globl C_ABI(x25519_x86_64_mul)
HIDDEN C_ABI(x25519_x86_64_mul)
C_ABI(x25519_x86_64_mul):
.cfi_startproc
/* This is a leaf function and uses the redzone for saving registers. */
movq %r12,-8(%rsp)
.cfi_rel_offset r12, -8
movq %r13,-16(%rsp)
.cfi_rel_offset r13, -16
movq %r14,-24(%rsp)
.cfi_rel_offset r14, -24
movq %r15,-32(%rsp)
.cfi_rel_offset r15, -32
movq %rbx,-40(%rsp)
.cfi_rel_offset rbx, -40
movq %rbp,-48(%rsp)
.cfi_rel_offset rbp, -48
mov  %rdx,%rcx
movq   24(%rsi),%rdx
imulq  $19,%rdx,%rax
movq %rax,-64(%rsp)
mulq  16(%rcx)
mov  %rax,%r8
mov  %rdx,%r9
movq   32(%rsi),%rdx
imulq  $19,%rdx,%rax
movq %rax,-72(%rsp)
mulq  8(%rcx)
add  %rax,%r8
adc %rdx,%r9
movq   0(%rsi),%rax
mulq  0(%rcx)
add  %rax,%r8
adc %rdx,%r9
movq   0(%rsi),%rax
mulq  8(%rcx)
mov  %rax,%r10
mov  %rdx,%r11
movq   0(%rsi),%rax
mulq  16(%rcx)
mov  %rax,%r12
mov  %rdx,%r13
movq   0(%rsi),%rax
mulq  24(%rcx)
mov  %rax,%r14
mov  %rdx,%r15
movq   0(%rsi),%rax
mulq  32(%rcx)
mov  %rax,%rbx
mov  %rdx,%rbp
movq   8(%rsi),%rax
mulq  0(%rcx)
add  %rax,%r10
adc %rdx,%r11
movq   8(%rsi),%rax
mulq  8(%rcx)
add  %rax,%r12
adc %rdx,%r13
movq   8(%rsi),%rax
mulq  16(%rcx)
add  %rax,%r14
adc %rdx,%r15
movq   8(%rsi),%rax
mulq  24(%rcx)
add  %rax,%rbx
adc %rdx,%rbp
movq   8(%rsi),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rcx)
add  %rax,%r8
adc %rdx,%r9
movq   16(%rsi),%rax
mulq  0(%rcx)
add  %rax,%r12
adc %rdx,%r13
movq   16(%rsi),%rax
mulq  8(%rcx)
add  %rax,%r14
adc %rdx,%r15
movq   16(%rsi),%rax
mulq  16(%rcx)
add  %rax,%rbx
adc %rdx,%rbp
movq   16(%rsi),%rdx
imulq  $19,%rdx,%rax
mulq  24(%rcx)
add  %rax,%r8
adc %rdx,%r9
movq   16(%rsi),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rcx)
add  %rax,%r10
adc %rdx,%r11
movq   24(%rsi),%rax
mulq  0(%rcx)
add  %rax,%r14
adc %rdx,%r15
movq   24(%rsi),%rax
mulq  8(%rcx)
add  %rax,%rbx
adc %rdx,%rbp
movq -64(%rsp),%rax
mulq  24(%rcx)
add  %rax,%r10
adc %rdx,%r11
movq -64(%rsp),%rax
mulq  32(%rcx)
add  %rax,%r12
adc %rdx,%r13
movq   32(%rsi),%rax
mulq  0(%rcx)
add  %rax,%rbx
adc %rdx,%rbp
movq -72(%rsp),%rax
mulq  16(%rcx)
add  %rax,%r10
adc %rdx,%r11
movq -72(%rsp),%rax
mulq  24(%rcx)
add  %rax,%r12
adc %rdx,%r13
movq -72(%rsp),%rax
mulq  32(%rcx)
add  %rax,%r14
adc %rdx,%r15
movq x25519_x86_64_REDMASK51(%rip),%rsi
shld $13,%r8,%r9
and  %rsi,%r8
shld $13,%r10,%r11
and  %rsi,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rsi,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rsi,%r14
add  %r13,%r14
shld $13,%rbx,%rbp
and  %rsi,%rbx
add  %r15,%rbx
imulq  $19,%rbp,%rdx
add  %rdx,%r8
mov  %r8,%rdx
shr  $51,%rdx
add  %r10,%rdx
mov  %rdx,%rcx
shr  $51,%rdx
and  %rsi,%r8
add  %r12,%rdx
mov  %rdx,%r9
shr  $51,%rdx
and  %rsi,%rcx
add  %r14,%rdx
mov  %rdx,%rax
shr  $51,%rdx
and  %rsi,%r9
add  %rbx,%rdx
mov  %rdx,%r10
shr  $51,%rdx
and  %rsi,%rax
imulq  $19,%rdx,%rdx
add  %rdx,%r8
and  %rsi,%r10
movq   %r8,0(%rdi)
movq   %rcx,8(%rdi)
movq   %r9,16(%rdi)
movq   %rax,24(%rdi)
movq   %r10,32(%rdi)
movq -8(%rsp),%r12
movq -16(%rsp),%r13
movq -24(%rsp),%r14
movq -32(%rsp),%r15
movq -40(%rsp),%rbx
movq -48(%rsp),%rbp
ret
.cfi_endproc

.p2align 5
.globl C_ABI(x25519_x86_64_square)
HIDDEN C_ABI(x25519_x86_64_square)
C_ABI(x25519_x86_64_square):
.cfi_startproc
/* This is a leaf function and uses the redzone for saving registers. */
movq %r12,-8(%rsp)
.cfi_rel_offset r12, -8
movq %r13,-16(%rsp)
.cfi_rel_offset r13, -16
movq %r14,-24(%rsp)
.cfi_rel_offset r14, -24
movq %r15,-32(%rsp)
.cfi_rel_offset r15, -32
movq %rbx,-40(%rsp)
.cfi_rel_offset rbx, -40
movq   0(%rsi),%rax
mulq  0(%rsi)
mov  %rax,%rcx
mov  %rdx,%r8
movq   0(%rsi),%rax
shl  $1,%rax
mulq  8(%rsi)
mov  %rax,%r9
mov  %rdx,%r10
movq   0(%rsi),%rax
shl  $1,%rax
mulq  16(%rsi)
mov  %rax,%r11
mov  %rdx,%r12
movq   0(%rsi),%rax
shl  $1,%rax
mulq  24(%rsi)
mov  %rax,%r13
mov  %rdx,%r14
movq   0(%rsi),%rax
shl  $1,%rax
mulq  32(%rsi)
mov  %rax,%r15
mov  %rdx,%rbx
movq   8(%rsi),%rax
mulq  8(%rsi)
add  %rax,%r11
adc %rdx,%r12
movq   8(%rsi),%rax
shl  $1,%rax
mulq  16(%rsi)
add  %rax,%r13
adc %rdx,%r14
movq   8(%rsi),%rax
shl  $1,%rax
mulq  24(%rsi)
add  %rax,%r15
adc %rdx,%rbx
movq   8(%rsi),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsi)
add  %rax,%rcx
adc %rdx,%r8
movq   16(%rsi),%rax
mulq  16(%rsi)
add  %rax,%r15
adc %rdx,%rbx
movq   16(%rsi),%rdx
imulq  $38,%rdx,%rax
mulq  24(%rsi)
add  %rax,%rcx
adc %rdx,%r8
movq   16(%rsi),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsi)
add  %rax,%r9
adc %rdx,%r10
movq   24(%rsi),%rdx
imulq  $19,%rdx,%rax
mulq  24(%rsi)
add  %rax,%r9
adc %rdx,%r10
movq   24(%rsi),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsi)
add  %rax,%r11
adc %rdx,%r12
movq   32(%rsi),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rsi)
add  %rax,%r13
adc %rdx,%r14
movq x25519_x86_64_REDMASK51(%rip),%rsi
shld $13,%rcx,%r8
and  %rsi,%rcx
shld $13,%r9,%r10
and  %rsi,%r9
add  %r8,%r9
shld $13,%r11,%r12
and  %rsi,%r11
add  %r10,%r11
shld $13,%r13,%r14
and  %rsi,%r13
add  %r12,%r13
shld $13,%r15,%rbx
and  %rsi,%r15
add  %r14,%r15
imulq  $19,%rbx,%rdx
add  %rdx,%rcx
mov  %rcx,%rdx
shr  $51,%rdx
add  %r9,%rdx
and  %rsi,%rcx
mov  %rdx,%r8
shr  $51,%rdx
add  %r11,%rdx
and  %rsi,%r8
mov  %rdx,%r9
shr  $51,%rdx
add  %r13,%rdx
and  %rsi,%r9
mov  %rdx,%rax
shr  $51,%rdx
add  %r15,%rdx
and  %rsi,%rax
mov  %rdx,%r10
shr  $51,%rdx
imulq  $19,%rdx,%rdx
add  %rdx,%rcx
and  %rsi,%r10
movq   %rcx,0(%rdi)
movq   %r8,8(%rdi)
movq   %r9,16(%rdi)
movq   %rax,24(%rdi)
movq   %r10,32(%rdi)
movq -8(%rsp),%r12
movq -16(%rsp),%r13
movq -24(%rsp),%r14
movq -32(%rsp),%r15
movq -40(%rsp),%rbx
ret
.cfi_endproc

.p2align 5
.globl C_ABI(x25519_x86_64_ladderstep)
HIDDEN C_ABI(x25519_x86_64_ladderstep)
C_ABI(x25519_x86_64_ladderstep):
.cfi_startproc
sub $344,%rsp
.cfi_adjust_cfa_offset 344
movq %r12,296(%rsp)
.cfi_rel_offset r12, 296
movq %r13,304(%rsp)
.cfi_rel_offset r13, 304
movq %r14,312(%rsp)
.cfi_rel_offset r14, 312
movq %r15,320(%rsp)
.cfi_rel_offset r15, 320
movq %rbx,328(%rsp)
.cfi_rel_offset rbx, 328
movq %rbp,336(%rsp)
.cfi_rel_offset rbp, 336
movq   40(%rdi),%rsi
movq   48(%rdi),%rdx
movq   56(%rdi),%rcx
movq   64(%rdi),%r8
movq   72(%rdi),%r9
mov  %rsi,%rax
mov  %rdx,%r10
mov  %rcx,%r11
mov  %r8,%r12
mov  %r9,%r13
add  x25519_x86_64_2P0(%rip),%rax
add  x25519_x86_64_2P1234(%rip),%r10
add  x25519_x86_64_2P1234(%rip),%r11
add  x25519_x86_64_2P1234(%rip),%r12
add  x25519_x86_64_2P1234(%rip),%r13
addq 80(%rdi),%rsi
addq 88(%rdi),%rdx
addq 96(%rdi),%rcx
addq 104(%rdi),%r8
addq 112(%rdi),%r9
subq 80(%rdi),%rax
subq 88(%rdi),%r10
subq 96(%rdi),%r11
subq 104(%rdi),%r12
subq 112(%rdi),%r13
movq %rsi,0(%rsp)
movq %rdx,8(%rsp)
movq %rcx,16(%rsp)
movq %r8,24(%rsp)
movq %r9,32(%rsp)
movq %rax,40(%rsp)
movq %r10,48(%rsp)
movq %r11,56(%rsp)
movq %r12,64(%rsp)
movq %r13,72(%rsp)
movq 40(%rsp),%rax
mulq  40(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq 40(%rsp),%rax
shl  $1,%rax
mulq  48(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq 40(%rsp),%rax
shl  $1,%rax
mulq  56(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq 40(%rsp),%rax
shl  $1,%rax
mulq  64(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq 40(%rsp),%rax
shl  $1,%rax
mulq  72(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq 48(%rsp),%rax
mulq  48(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 48(%rsp),%rax
shl  $1,%rax
mulq  56(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 48(%rsp),%rax
shl  $1,%rax
mulq  64(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 48(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  72(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 56(%rsp),%rax
mulq  56(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 56(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  64(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 56(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  72(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 64(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  64(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 64(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  72(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 72(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  72(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
and  %rdx,%rsi
mov  %rcx,%r8
shr  $51,%rcx
add  %r10,%rcx
and  %rdx,%r8
mov  %rcx,%r9
shr  $51,%rcx
add  %r12,%rcx
and  %rdx,%r9
mov  %rcx,%rax
shr  $51,%rcx
add  %r14,%rcx
and  %rdx,%rax
mov  %rcx,%r10
shr  $51,%rcx
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq %rsi,80(%rsp)
movq %r8,88(%rsp)
movq %r9,96(%rsp)
movq %rax,104(%rsp)
movq %r10,112(%rsp)
movq 0(%rsp),%rax
mulq  0(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq 0(%rsp),%rax
shl  $1,%rax
mulq  8(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq 0(%rsp),%rax
shl  $1,%rax
mulq  16(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq 0(%rsp),%rax
shl  $1,%rax
mulq  24(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq 0(%rsp),%rax
shl  $1,%rax
mulq  32(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq 8(%rsp),%rax
mulq  8(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 8(%rsp),%rax
shl  $1,%rax
mulq  16(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 8(%rsp),%rax
shl  $1,%rax
mulq  24(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 8(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 16(%rsp),%rax
mulq  16(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 16(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  24(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 16(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 24(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  24(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 24(%rsp),%rdx
imulq  $38,%rdx,%rax
mulq  32(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 32(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
and  %rdx,%rsi
mov  %rcx,%r8
shr  $51,%rcx
add  %r10,%rcx
and  %rdx,%r8
mov  %rcx,%r9
shr  $51,%rcx
add  %r12,%rcx
and  %rdx,%r9
mov  %rcx,%rax
shr  $51,%rcx
add  %r14,%rcx
and  %rdx,%rax
mov  %rcx,%r10
shr  $51,%rcx
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq %rsi,120(%rsp)
movq %r8,128(%rsp)
movq %r9,136(%rsp)
movq %rax,144(%rsp)
movq %r10,152(%rsp)
mov  %rsi,%rsi
mov  %r8,%rdx
mov  %r9,%rcx
mov  %rax,%r8
mov  %r10,%r9
add  x25519_x86_64_2P0(%rip),%rsi
add  x25519_x86_64_2P1234(%rip),%rdx
add  x25519_x86_64_2P1234(%rip),%rcx
add  x25519_x86_64_2P1234(%rip),%r8
add  x25519_x86_64_2P1234(%rip),%r9
subq 80(%rsp),%rsi
subq 88(%rsp),%rdx
subq 96(%rsp),%rcx
subq 104(%rsp),%r8
subq 112(%rsp),%r9
movq %rsi,160(%rsp)
movq %rdx,168(%rsp)
movq %rcx,176(%rsp)
movq %r8,184(%rsp)
movq %r9,192(%rsp)
movq   120(%rdi),%rsi
movq   128(%rdi),%rdx
movq   136(%rdi),%rcx
movq   144(%rdi),%r8
movq   152(%rdi),%r9
mov  %rsi,%rax
mov  %rdx,%r10
mov  %rcx,%r11
mov  %r8,%r12
mov  %r9,%r13
add  x25519_x86_64_2P0(%rip),%rax
add  x25519_x86_64_2P1234(%rip),%r10
add  x25519_x86_64_2P1234(%rip),%r11
add  x25519_x86_64_2P1234(%rip),%r12
add  x25519_x86_64_2P1234(%rip),%r13
addq 160(%rdi),%rsi
addq 168(%rdi),%rdx
addq 176(%rdi),%rcx
addq 184(%rdi),%r8
addq 192(%rdi),%r9
subq 160(%rdi),%rax
subq 168(%rdi),%r10
subq 176(%rdi),%r11
subq 184(%rdi),%r12
subq 192(%rdi),%r13
movq %rsi,200(%rsp)
movq %rdx,208(%rsp)
movq %rcx,216(%rsp)
movq %r8,224(%rsp)
movq %r9,232(%rsp)
movq %rax,240(%rsp)
movq %r10,248(%rsp)
movq %r11,256(%rsp)
movq %r12,264(%rsp)
movq %r13,272(%rsp)
movq 224(%rsp),%rsi
imulq  $19,%rsi,%rax
movq %rax,280(%rsp)
mulq  56(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq 232(%rsp),%rdx
imulq  $19,%rdx,%rax
movq %rax,288(%rsp)
mulq  48(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 200(%rsp),%rax
mulq  40(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 200(%rsp),%rax
mulq  48(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq 200(%rsp),%rax
mulq  56(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq 200(%rsp),%rax
mulq  64(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq 200(%rsp),%rax
mulq  72(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq 208(%rsp),%rax
mulq  40(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 208(%rsp),%rax
mulq  48(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 208(%rsp),%rax
mulq  56(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 208(%rsp),%rax
mulq  64(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 208(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  72(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 216(%rsp),%rax
mulq  40(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 216(%rsp),%rax
mulq  48(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 216(%rsp),%rax
mulq  56(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 216(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  64(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 216(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  72(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 224(%rsp),%rax
mulq  40(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 224(%rsp),%rax
mulq  48(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 280(%rsp),%rax
mulq  64(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 280(%rsp),%rax
mulq  72(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 232(%rsp),%rax
mulq  40(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 288(%rsp),%rax
mulq  56(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 288(%rsp),%rax
mulq  64(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 288(%rsp),%rax
mulq  72(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
mov  %rcx,%r8
shr  $51,%rcx
and  %rdx,%rsi
add  %r10,%rcx
mov  %rcx,%r9
shr  $51,%rcx
and  %rdx,%r8
add  %r12,%rcx
mov  %rcx,%rax
shr  $51,%rcx
and  %rdx,%r9
add  %r14,%rcx
mov  %rcx,%r10
shr  $51,%rcx
and  %rdx,%rax
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq %rsi,40(%rsp)
movq %r8,48(%rsp)
movq %r9,56(%rsp)
movq %rax,64(%rsp)
movq %r10,72(%rsp)
movq 264(%rsp),%rsi
imulq  $19,%rsi,%rax
movq %rax,200(%rsp)
mulq  16(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq 272(%rsp),%rdx
imulq  $19,%rdx,%rax
movq %rax,208(%rsp)
mulq  8(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 240(%rsp),%rax
mulq  0(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 240(%rsp),%rax
mulq  8(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq 240(%rsp),%rax
mulq  16(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq 240(%rsp),%rax
mulq  24(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq 240(%rsp),%rax
mulq  32(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq 248(%rsp),%rax
mulq  0(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 248(%rsp),%rax
mulq  8(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 248(%rsp),%rax
mulq  16(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 248(%rsp),%rax
mulq  24(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 248(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 256(%rsp),%rax
mulq  0(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 256(%rsp),%rax
mulq  8(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 256(%rsp),%rax
mulq  16(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 256(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  24(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 256(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 264(%rsp),%rax
mulq  0(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 264(%rsp),%rax
mulq  8(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 200(%rsp),%rax
mulq  24(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 200(%rsp),%rax
mulq  32(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 272(%rsp),%rax
mulq  0(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 208(%rsp),%rax
mulq  16(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 208(%rsp),%rax
mulq  24(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 208(%rsp),%rax
mulq  32(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
mov  %rcx,%r8
shr  $51,%rcx
and  %rdx,%rsi
add  %r10,%rcx
mov  %rcx,%r9
shr  $51,%rcx
and  %rdx,%r8
add  %r12,%rcx
mov  %rcx,%rax
shr  $51,%rcx
and  %rdx,%r9
add  %r14,%rcx
mov  %rcx,%r10
shr  $51,%rcx
and  %rdx,%rax
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
mov  %rsi,%rdx
mov  %r8,%rcx
mov  %r9,%r11
mov  %rax,%r12
mov  %r10,%r13
add  x25519_x86_64_2P0(%rip),%rdx
add  x25519_x86_64_2P1234(%rip),%rcx
add  x25519_x86_64_2P1234(%rip),%r11
add  x25519_x86_64_2P1234(%rip),%r12
add  x25519_x86_64_2P1234(%rip),%r13
addq 40(%rsp),%rsi
addq 48(%rsp),%r8
addq 56(%rsp),%r9
addq 64(%rsp),%rax
addq 72(%rsp),%r10
subq 40(%rsp),%rdx
subq 48(%rsp),%rcx
subq 56(%rsp),%r11
subq 64(%rsp),%r12
subq 72(%rsp),%r13
movq   %rsi,120(%rdi)
movq   %r8,128(%rdi)
movq   %r9,136(%rdi)
movq   %rax,144(%rdi)
movq   %r10,152(%rdi)
movq   %rdx,160(%rdi)
movq   %rcx,168(%rdi)
movq   %r11,176(%rdi)
movq   %r12,184(%rdi)
movq   %r13,192(%rdi)
movq   120(%rdi),%rax
mulq  120(%rdi)
mov  %rax,%rsi
mov  %rdx,%rcx
movq   120(%rdi),%rax
shl  $1,%rax
mulq  128(%rdi)
mov  %rax,%r8
mov  %rdx,%r9
movq   120(%rdi),%rax
shl  $1,%rax
mulq  136(%rdi)
mov  %rax,%r10
mov  %rdx,%r11
movq   120(%rdi),%rax
shl  $1,%rax
mulq  144(%rdi)
mov  %rax,%r12
mov  %rdx,%r13
movq   120(%rdi),%rax
shl  $1,%rax
mulq  152(%rdi)
mov  %rax,%r14
mov  %rdx,%r15
movq   128(%rdi),%rax
mulq  128(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   128(%rdi),%rax
shl  $1,%rax
mulq  136(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq   128(%rdi),%rax
shl  $1,%rax
mulq  144(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   128(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  152(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   136(%rdi),%rax
mulq  136(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   136(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  144(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   136(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  152(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   144(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  144(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   144(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  152(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   152(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  152(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
and  %rdx,%rsi
mov  %rcx,%r8
shr  $51,%rcx
add  %r10,%rcx
and  %rdx,%r8
mov  %rcx,%r9
shr  $51,%rcx
add  %r12,%rcx
and  %rdx,%r9
mov  %rcx,%rax
shr  $51,%rcx
add  %r14,%rcx
and  %rdx,%rax
mov  %rcx,%r10
shr  $51,%rcx
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq   %rsi,120(%rdi)
movq   %r8,128(%rdi)
movq   %r9,136(%rdi)
movq   %rax,144(%rdi)
movq   %r10,152(%rdi)
movq   160(%rdi),%rax
mulq  160(%rdi)
mov  %rax,%rsi
mov  %rdx,%rcx
movq   160(%rdi),%rax
shl  $1,%rax
mulq  168(%rdi)
mov  %rax,%r8
mov  %rdx,%r9
movq   160(%rdi),%rax
shl  $1,%rax
mulq  176(%rdi)
mov  %rax,%r10
mov  %rdx,%r11
movq   160(%rdi),%rax
shl  $1,%rax
mulq  184(%rdi)
mov  %rax,%r12
mov  %rdx,%r13
movq   160(%rdi),%rax
shl  $1,%rax
mulq  192(%rdi)
mov  %rax,%r14
mov  %rdx,%r15
movq   168(%rdi),%rax
mulq  168(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   168(%rdi),%rax
shl  $1,%rax
mulq  176(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq   168(%rdi),%rax
shl  $1,%rax
mulq  184(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   168(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  192(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   176(%rdi),%rax
mulq  176(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   176(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  184(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   176(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  192(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   184(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  184(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   184(%rdi),%rdx
imulq  $38,%rdx,%rax
mulq  192(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   192(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  192(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
and  %rdx,%rsi
mov  %rcx,%r8
shr  $51,%rcx
add  %r10,%rcx
and  %rdx,%r8
mov  %rcx,%r9
shr  $51,%rcx
add  %r12,%rcx
and  %rdx,%r9
mov  %rcx,%rax
shr  $51,%rcx
add  %r14,%rcx
and  %rdx,%rax
mov  %rcx,%r10
shr  $51,%rcx
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq   %rsi,160(%rdi)
movq   %r8,168(%rdi)
movq   %r9,176(%rdi)
movq   %rax,184(%rdi)
movq   %r10,192(%rdi)
movq   184(%rdi),%rsi
imulq  $19,%rsi,%rax
movq %rax,0(%rsp)
mulq  16(%rdi)
mov  %rax,%rsi
mov  %rdx,%rcx
movq   192(%rdi),%rdx
imulq  $19,%rdx,%rax
movq %rax,8(%rsp)
mulq  8(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   160(%rdi),%rax
mulq  0(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   160(%rdi),%rax
mulq  8(%rdi)
mov  %rax,%r8
mov  %rdx,%r9
movq   160(%rdi),%rax
mulq  16(%rdi)
mov  %rax,%r10
mov  %rdx,%r11
movq   160(%rdi),%rax
mulq  24(%rdi)
mov  %rax,%r12
mov  %rdx,%r13
movq   160(%rdi),%rax
mulq  32(%rdi)
mov  %rax,%r14
mov  %rdx,%r15
movq   168(%rdi),%rax
mulq  0(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   168(%rdi),%rax
mulq  8(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   168(%rdi),%rax
mulq  16(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq   168(%rdi),%rax
mulq  24(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   168(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   176(%rdi),%rax
mulq  0(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   176(%rdi),%rax
mulq  8(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq   176(%rdi),%rax
mulq  16(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq   176(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  24(%rdi)
add  %rax,%rsi
adc %rdx,%rcx
movq   176(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  32(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq   184(%rdi),%rax
mulq  0(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq   184(%rdi),%rax
mulq  8(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq 0(%rsp),%rax
mulq  24(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq 0(%rsp),%rax
mulq  32(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq   192(%rdi),%rax
mulq  0(%rdi)
add  %rax,%r14
adc %rdx,%r15
movq 8(%rsp),%rax
mulq  16(%rdi)
add  %rax,%r8
adc %rdx,%r9
movq 8(%rsp),%rax
mulq  24(%rdi)
add  %rax,%r10
adc %rdx,%r11
movq 8(%rsp),%rax
mulq  32(%rdi)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
mov  %rcx,%r8
shr  $51,%rcx
and  %rdx,%rsi
add  %r10,%rcx
mov  %rcx,%r9
shr  $51,%rcx
and  %rdx,%r8
add  %r12,%rcx
mov  %rcx,%rax
shr  $51,%rcx
and  %rdx,%r9
add  %r14,%rcx
mov  %rcx,%r10
shr  $51,%rcx
and  %rdx,%rax
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq   %rsi,160(%rdi)
movq   %r8,168(%rdi)
movq   %r9,176(%rdi)
movq   %rax,184(%rdi)
movq   %r10,192(%rdi)
movq 144(%rsp),%rsi
imulq  $19,%rsi,%rax
movq %rax,0(%rsp)
mulq  96(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq 152(%rsp),%rdx
imulq  $19,%rdx,%rax
movq %rax,8(%rsp)
mulq  88(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 120(%rsp),%rax
mulq  80(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 120(%rsp),%rax
mulq  88(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq 120(%rsp),%rax
mulq  96(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq 120(%rsp),%rax
mulq  104(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq 120(%rsp),%rax
mulq  112(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq 128(%rsp),%rax
mulq  80(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 128(%rsp),%rax
mulq  88(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 128(%rsp),%rax
mulq  96(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 128(%rsp),%rax
mulq  104(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 128(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  112(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 136(%rsp),%rax
mulq  80(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 136(%rsp),%rax
mulq  88(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 136(%rsp),%rax
mulq  96(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 136(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  104(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq 136(%rsp),%rdx
imulq  $19,%rdx,%rax
mulq  112(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 144(%rsp),%rax
mulq  80(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq 144(%rsp),%rax
mulq  88(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 0(%rsp),%rax
mulq  104(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 0(%rsp),%rax
mulq  112(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 152(%rsp),%rax
mulq  80(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 8(%rsp),%rax
mulq  96(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 8(%rsp),%rax
mulq  104(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 8(%rsp),%rax
mulq  112(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
mov  %rcx,%r8
shr  $51,%rcx
and  %rdx,%rsi
add  %r10,%rcx
mov  %rcx,%r9
shr  $51,%rcx
and  %rdx,%r8
add  %r12,%rcx
mov  %rcx,%rax
shr  $51,%rcx
and  %rdx,%r9
add  %r14,%rcx
mov  %rcx,%r10
shr  $51,%rcx
and  %rdx,%rax
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq   %rsi,40(%rdi)
movq   %r8,48(%rdi)
movq   %r9,56(%rdi)
movq   %rax,64(%rdi)
movq   %r10,72(%rdi)
movq 160(%rsp),%rax
mulq  x25519_x86_64_121666_213(%rip)
shr  $13,%rax
mov  %rax,%rsi
mov  %rdx,%rcx
movq 168(%rsp),%rax
mulq  x25519_x86_64_121666_213(%rip)
shr  $13,%rax
add  %rax,%rcx
mov  %rdx,%r8
movq 176(%rsp),%rax
mulq  x25519_x86_64_121666_213(%rip)
shr  $13,%rax
add  %rax,%r8
mov  %rdx,%r9
movq 184(%rsp),%rax
mulq  x25519_x86_64_121666_213(%rip)
shr  $13,%rax
add  %rax,%r9
mov  %rdx,%r10
movq 192(%rsp),%rax
mulq  x25519_x86_64_121666_213(%rip)
shr  $13,%rax
add  %rax,%r10
imulq  $19,%rdx,%rdx
add  %rdx,%rsi
addq 80(%rsp),%rsi
addq 88(%rsp),%rcx
addq 96(%rsp),%r8
addq 104(%rsp),%r9
addq 112(%rsp),%r10
movq   %rsi,80(%rdi)
movq   %rcx,88(%rdi)
movq   %r8,96(%rdi)
movq   %r9,104(%rdi)
movq   %r10,112(%rdi)
movq   104(%rdi),%rsi
imulq  $19,%rsi,%rax
movq %rax,0(%rsp)
mulq  176(%rsp)
mov  %rax,%rsi
mov  %rdx,%rcx
movq   112(%rdi),%rdx
imulq  $19,%rdx,%rax
movq %rax,8(%rsp)
mulq  168(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq   80(%rdi),%rax
mulq  160(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq   80(%rdi),%rax
mulq  168(%rsp)
mov  %rax,%r8
mov  %rdx,%r9
movq   80(%rdi),%rax
mulq  176(%rsp)
mov  %rax,%r10
mov  %rdx,%r11
movq   80(%rdi),%rax
mulq  184(%rsp)
mov  %rax,%r12
mov  %rdx,%r13
movq   80(%rdi),%rax
mulq  192(%rsp)
mov  %rax,%r14
mov  %rdx,%r15
movq   88(%rdi),%rax
mulq  160(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq   88(%rdi),%rax
mulq  168(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq   88(%rdi),%rax
mulq  176(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq   88(%rdi),%rax
mulq  184(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq   88(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  192(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq   96(%rdi),%rax
mulq  160(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq   96(%rdi),%rax
mulq  168(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq   96(%rdi),%rax
mulq  176(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq   96(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  184(%rsp)
add  %rax,%rsi
adc %rdx,%rcx
movq   96(%rdi),%rdx
imulq  $19,%rdx,%rax
mulq  192(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq   104(%rdi),%rax
mulq  160(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq   104(%rdi),%rax
mulq  168(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 0(%rsp),%rax
mulq  184(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 0(%rsp),%rax
mulq  192(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq   112(%rdi),%rax
mulq  160(%rsp)
add  %rax,%r14
adc %rdx,%r15
movq 8(%rsp),%rax
mulq  176(%rsp)
add  %rax,%r8
adc %rdx,%r9
movq 8(%rsp),%rax
mulq  184(%rsp)
add  %rax,%r10
adc %rdx,%r11
movq 8(%rsp),%rax
mulq  192(%rsp)
add  %rax,%r12
adc %rdx,%r13
movq x25519_x86_64_REDMASK51(%rip),%rdx
shld $13,%rsi,%rcx
and  %rdx,%rsi
shld $13,%r8,%r9
and  %rdx,%r8
add  %rcx,%r8
shld $13,%r10,%r11
and  %rdx,%r10
add  %r9,%r10
shld $13,%r12,%r13
and  %rdx,%r12
add  %r11,%r12
shld $13,%r14,%r15
and  %rdx,%r14
add  %r13,%r14
imulq  $19,%r15,%rcx
add  %rcx,%rsi
mov  %rsi,%rcx
shr  $51,%rcx
add  %r8,%rcx
mov  %rcx,%r8
shr  $51,%rcx
and  %rdx,%rsi
add  %r10,%rcx
mov  %rcx,%r9
shr  $51,%rcx
and  %rdx,%r8
add  %r12,%rcx
mov  %rcx,%rax
shr  $51,%rcx
and  %rdx,%r9
add  %r14,%rcx
mov  %rcx,%r10
shr  $51,%rcx
and  %rdx,%rax
imulq  $19,%rcx,%rcx
add  %rcx,%rsi
and  %rdx,%r10
movq   %rsi,80(%rdi)
movq   %r8,88(%rdi)
movq   %r9,96(%rdi)
movq   %rax,104(%rdi)
movq   %r10,112(%rdi)
movq 296(%rsp),%r12
movq 304(%rsp),%r13
movq 312(%rsp),%r14
movq 320(%rsp),%r15
movq 328(%rsp),%rbx
movq 336(%rsp),%rbp
add $344,%rsp
.cfi_adjust_cfa_offset -344
ret
.cfi_endproc

.p2align 5
.globl C_ABI(x25519_x86_64_work_cswap)
HIDDEN C_ABI(x25519_x86_64_work_cswap)
C_ABI(x25519_x86_64_work_cswap):
.cfi_startproc
subq $1,%rsi
notq %rsi
movq %rsi,%xmm15
pshufd $0x44,%xmm15,%xmm15
movdqu 0(%rdi),%xmm0
movdqu 16(%rdi),%xmm2
movdqu 32(%rdi),%xmm4
movdqu 48(%rdi),%xmm6
movdqu 64(%rdi),%xmm8
movdqu 80(%rdi),%xmm1
movdqu 96(%rdi),%xmm3
movdqu 112(%rdi),%xmm5
movdqu 128(%rdi),%xmm7
movdqu 144(%rdi),%xmm9
movdqa %xmm1,%xmm10
movdqa %xmm3,%xmm11
movdqa %xmm5,%xmm12
movdqa %xmm7,%xmm13
movdqa %xmm9,%xmm14
pxor %xmm0,%xmm10
pxor %xmm2,%xmm11
pxor %xmm4,%xmm12
pxor %xmm6,%xmm13
pxor %xmm8,%xmm14
pand %xmm15,%xmm10
pand %xmm15,%xmm11
pand %xmm15,%xmm12
pand %xmm15,%xmm13
pand %xmm15,%xmm14
pxor %xmm10,%xmm0
pxor %xmm10,%xmm1
pxor %xmm11,%xmm2
pxor %xmm11,%xmm3
pxor %xmm12,%xmm4
pxor %xmm12,%xmm5
pxor %xmm13,%xmm6
pxor %xmm13,%xmm7
pxor %xmm14,%xmm8
pxor %xmm14,%xmm9
movdqu %xmm0,0(%rdi)
movdqu %xmm2,16(%rdi)
movdqu %xmm4,32(%rdi)
movdqu %xmm6,48(%rdi)
movdqu %xmm8,64(%rdi)
movdqu %xmm1,80(%rdi)
movdqu %xmm3,96(%rdi)
movdqu %xmm5,112(%rdi)
movdqu %xmm7,128(%rdi)
movdqu %xmm9,144(%rdi)
ret
.cfi_endproc

#endif  /* __x86_64__ */
#endif  /* !OPENSSL_NO_ASM */