crypto/elliptic: implement P256 for arm64

This patch ports the existing optimized P256 implementation to arm64.

name            old time/op    new time/op    delta
pkg:crypto/ecdsa goos:linux goarch:arm64
SignP256           539µs ±13%      43µs ± 2%  -91.95%  (p=0.000 n=20+20)
SignP384          13.2ms ± 1%    13.2ms ± 1%     ~     (p=0.739 n=10+10)
VerifyP256        1.57ms ± 0%    0.12ms ± 0%  -92.40%  (p=0.000 n=18+20)
KeyGeneration      391µs ± 0%      25µs ± 0%  -93.62%  (p=0.000 n=9+9)
pkg:crypto/elliptic goos:linux goarch:arm64
BaseMult          1.66ms ± 0%    1.65ms ± 1%     ~     (p=0.079 n=9+10)
BaseMultP256       389µs ± 0%      22µs ± 1%  -94.28%  (p=0.000 n=19+20)
ScalarMultP256    1.03ms ± 0%    0.09ms ± 0%  -91.25%  (p=0.000 n=19+20)

name            old alloc/op   new alloc/op   delta
pkg:crypto/ecdsa goos:linux goarch:arm64
SignP256          5.47kB ± 0%    3.20kB ± 0%  -41.50%  (p=0.000 n=20+20)
SignP384          2.32MB ± 0%    2.32MB ± 0%     ~     (p=0.739 n=10+10)
VerifyP256        7.65kB ± 4%    0.98kB ± 0%  -87.24%  (p=0.000 n=20+20)
KeyGeneration     1.41kB ± 0%    0.69kB ± 0%  -51.05%  (p=0.000 n=9+10)
pkg:crypto/elliptic goos:linux goarch:arm64
BaseMult            224B ± 0%      224B ± 0%     ~     (all equal)
BaseMultP256      1.12kB ± 0%    0.29kB ± 0%  -74.29%  (p=0.000 n=20+20)
ScalarMultP256    1.59kB ± 7%    0.26kB ± 0%  -83.91%  (p=0.000 n=20+20)

name            old allocs/op  new allocs/op  delta
pkg:crypto/ecdsa goos:linux goarch:arm64
SignP256            67.0 ± 0%      35.0 ± 0%  -47.76%  (p=0.000 n=20+20)
SignP384           17.5k ± 0%     17.5k ± 0%     ~     (p=0.725 n=10+10)
VerifyP256          97.2 ± 3%      17.0 ± 0%  -82.52%  (p=0.000 n=20+20)
KeyGeneration       21.0 ± 0%      13.0 ± 0%  -38.10%  (p=0.000 n=10+10)
pkg:crypto/elliptic goos:linux goarch:arm64
BaseMult            5.00 ± 0%      5.00 ± 0%     ~     (all equal)
BaseMultP256        16.0 ± 0%       6.0 ± 0%  -62.50%  (p=0.000 n=20+20)
ScalarMultP256      19.9 ± 6%       5.0 ± 0%  -74.87%  (p=0.000 n=20+20)

Fixes #22806

Change-Id: I12b343a27e6544189334f99c84242bb59db70a76
Reviewed-on: https://go-review.googlesource.com/121360
Run-TryBot: Vlad Krasnov <vlad@cloudflare.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Vlad Krasnov <vlad@cloudflare.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

src/crypto/elliptic/fuzz_test.go

+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build amd64 arm64
+
+package elliptic
+
+import (
+	"crypto/rand"
+	"testing"
+	"time"
+)
+
+func TestFuzz(t *testing.T) {
+
+	p256 := P256()
+	p256Generic := p256.Params()
+
+	var scalar1 [32]byte
+	var scalar2 [32]byte
+	var timeout *time.Timer
+
+	if testing.Short() {
+		timeout = time.NewTimer(500 * time.Millisecond)
+	} else {
+		timeout = time.NewTimer(2 * time.Second)
+	}
+
+	for {
+		select {
+		case <-timeout.C:
+			return
+		default:
+		}
+
+		rand.Read(scalar1[:])
+		rand.Read(scalar2[:])
+
+		x, y := p256.ScalarBaseMult(scalar1[:])
+		x2, y2 := p256Generic.ScalarBaseMult(scalar1[:])
+
+		xx, yy := p256.ScalarMult(x, y, scalar2[:])
+		xx2, yy2 := p256Generic.ScalarMult(x2, y2, scalar2[:])
+
+		if x.Cmp(x2) != 0 || y.Cmp(y2) != 0 {
+			t.Fatalf("ScalarBaseMult does not match reference result with scalar: %x, please report this error to security@golang.org", scalar1)
+		}
+
+		if xx.Cmp(xx2) != 0 || yy.Cmp(yy2) != 0 {
+			t.Fatalf("ScalarMult does not match reference result with scalars: %x and %x, please report this error to security@golang.org", scalar1, scalar2)
+		}
+	}
+}

src/crypto/elliptic/p256.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !amd64
+// +build !amd64,!arm64
 
 package elliptic
 

src/crypto/elliptic/p256_amd64.go → src/crypto/elliptic/p256_asm.go

@@ -10,7 +10,7 @@
 // https://link.springer.com/article/10.1007%2Fs13389-014-0090-x
 // https://eprint.iacr.org/2013/816.pdf
 
-// +build amd64
+// +build amd64 arm64
 
 package elliptic
 

src/crypto/elliptic/p256_generic.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !amd64,!s390x
+// +build !amd64,!s390x,!arm64
 
 package elliptic