- // Almost there. Firstly, the feedforward addition, and then we have
- // to write out the result. Here we have to undo the permutation
- // which was already applied to the input. Shuffling has quite high
- // latency, so arrange to start a new shuffle into a temporary as
- // soon as we've written out the old value.
- paddd xmm0, SAVE0
- pshufd xmm4, xmm0, 0x39
- movd [OUT + 0], xmm0
-
- paddd xmm1, SAVE1
- pshufd xmm5, xmm1, ROTL
- movd [OUT + 16], xmm1
-
- paddd xmm2, SAVE2
- pshufd xmm6, xmm2, ROT2
- movd [OUT + 32], xmm2
-
- paddd xmm3, SAVE3
- pshufd xmm7, xmm3, ROTR
- movd [OUT + 48], xmm3
-
- movd [OUT + 4], xmm7
- pshufd xmm7, xmm3, ROT2
- movd [OUT + 24], xmm7
- pshufd xmm3, xmm3, ROTL
- movd [OUT + 44], xmm3
-
- movd [OUT + 8], xmm6
- pshufd xmm6, xmm2, ROTL
- movd [OUT + 28], xmm6
- pshufd xmm2, xmm2, ROTR
- movd [OUT + 52], xmm2
-
- movd [OUT + 12], xmm5
- pshufd xmm5, xmm1, ROTR
- movd [OUT + 36], xmm5
- pshufd xmm1, xmm1, ROT2
- movd [OUT + 56], xmm1
-
- movd [OUT + 20], xmm4
- pshufd xmm4, xmm0, ROT2
- movd [OUT + 40], xmm4
- pshufd xmm0, xmm0, ROTL
- movd [OUT + 60], xmm0
+ // Almost there. Firstly, the feedforward addition.
+ paddd xmm0, SAVE0 // 0, 5, 10, 15
+ paddd xmm1, SAVE1 // 4, 9, 14, 3
+ paddd xmm2, SAVE2 // 8, 13, 2, 7
+ paddd xmm3, SAVE3 // 12, 1, 6, 11
+
+ // Next we must undo the permutation which was already applied to the
+ // input. This can be done by juggling values in registers, with the
+ // following fancy footwork: some row rotations, a transpose, and
+ // some more rotations.
+ pshufd xmm1, xmm1, SHUF(3, 0, 1, 2) // 3, 4, 9, 14
+ pshufd xmm2, xmm2, SHUF(2, 3, 0, 1) // 2, 7, 8, 13
+ pshufd xmm3, xmm3, SHUF(1, 2, 3, 0) // 1, 6, 11, 12
+
+ movdqa xmm4, xmm0
+ movdqa xmm5, xmm3
+ punpckldq xmm0, xmm2 // 0, 2, 5, 7
+ punpckldq xmm3, xmm1 // 1, 3, 6, 4
+ punpckhdq xmm4, xmm2 // 10, 8, 15, 13
+ punpckhdq xmm5, xmm1 // 11, 9, 12, 14
+
+ movdqa xmm1, xmm0
+ movdqa xmm2, xmm4
+ punpckldq xmm0, xmm3 // 0, 1, 2, 3
+ punpckldq xmm4, xmm5 // 10, 11, 8, 9
+ punpckhdq xmm1, xmm3 // 5, 6, 7, 4
+ punpckhdq xmm2, xmm5 // 15, 12, 13, 14
+
+ pshufd xmm1, xmm1, SHUF(3, 0, 1, 2) // 4, 5, 6, 7
+ pshufd xmm4, xmm4, SHUF(2, 3, 0, 1) // 8, 9, 10, 11
+ pshufd xmm2, xmm2, SHUF(1, 2, 3, 0) // 12, 13, 14, 15
+
+ // Finally we have to write out the result.
+ movdqu [OUT + 0], xmm0
+ movdqu [OUT + 16], xmm1
+ movdqu [OUT + 32], xmm4
+ movdqu [OUT + 48], xmm2
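Review bot: The six pshufd lines (55–57 and 73–75) spell out raw SHUF(3, 0, 1, 2) / SHUF(2, 3, 0, 1) / SHUF(1, 2, 3, 0) masks where the removed code used the named constants ROTL, ROT2 and ROTR; judging from the lane comments these are the same three rotations, so either reuse the names here for consistency, or, if this hunk was their last use, retire the definitions so no dead constants are left behind. The SHUF argument convention is also not stated in the hunk; the lane comments imply the first argument selects the source lane for lane 0, so a one-liner before line 55 such as `// SHUF(a, b, c, d): lane 0 <- a, lane 1 <- b, lane 2 <- c, lane 3 <- d (verify against the macro)` would make the footwork below checkable without going to the macro definition. The lane annotations on lines 61–75 are consistent with each other, and the change to unaligned movdqu stores keeps the old code's lack of any alignment assumption on OUT. The enclosing routine, SAVE0–SAVE3 and the SHUF macro all live outside this hunk.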