RFR: 8316592: RISC-V: implement poly1305 intrinsic [v3]

[Andrew Haley]

On Wed, 1 Nov 2023 18:48:18 GMT, null <duke at openjdk.org> wrote:

>> src/hotspot/cpu/riscv/stubGenerator_riscv.cpp line 4546:
>> 
>>> 4544:       // partial products without any risk of needing to propagate a
>>> 4545:       // carry out.
>>> 4546:       wide_mul(U_0, U_0HI, S_0, R_0);  wide_madd(U_0, U_0HI, S_1, RR_1, tmp1, tmp2); wide_madd(U_0, U_0HI, S_2, RR_0, tmp1, tmp2);
>> 
>> I'm not sure why in aarch64 version it's written in this format, but would it be better to have one line for each instruction?
>
> Fixed.

It's written that way in the AArch64 code because it's (a more compact form of the mathematics) written that way in https://datatracker.ietf.org/doc/html/rfc7539#ref-Poly1305 . The point is to show the correspondence with the original mathematics, so that the reader can see what's happening.

In the paper, it's

r0·h0 + 5·2**−130·r1.h3 + 5·2**−130·r2·h2 + 5·2**−130·r3·h1,
r0·h1 +           r1·h0 + 5·2**−130·r2·h3 + 5·2**−130·r3·h2,
r0·h2 +           r1·h1 +           r2·h0 + 5·2**−130·r3·h3,
r0·h3 +           r1·h2 +           r2·h1 +           r3·h0

This is:

r0·h0 + 5·2**−130·r1.h3 + 5·2**−130·r2·h2,
r0·h1 +           r1·h0 + 5·2**−130·r2·h3,
r0·h2 +           r1·h1 +           r2·h0,

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16417#discussion_r1379990177