From c4e63d57f803acf3df1c386c00e113d093e49c7e Mon Sep 17 00:00:00 2001 From: Sun Yimin Date: Fri, 23 Feb 2024 08:34:05 +0800 Subject: [PATCH] Updated SM2 MFMM (2) (markdown) --- SM2-MFMM-(2).md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/SM2-MFMM-(2).md b/SM2-MFMM-(2).md index 677021a..75ea688 100644 --- a/SM2-MFMM-(2).md +++ b/SM2-MFMM-(2).md @@ -267,6 +267,16 @@ $t_5=t_5 - 0$ 加法:5 减法:4 +## SM2 P256 Order表示 +SM2的素数Order=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123 + +$$O = O_3 \ast 2^{192} + O_2 \ast 2^{128} + O_1 \ast 2^{64} + O_0$$ + +$O_0=0xFFFFFFFEFFFFFFFF$ +$O_1=0xFFFFFFFF00000000$ +$O_2=0x7203DF6B21C6052B$ +$O_3=0x53BBF40939D54123$ + ## Order平方的模约减优化 假设 $T=a^2$ : $T=t_7 \ast 2^{448} + t_6 \ast 2^{384} + t_5 \ast 2^{320} + t_4 \ast 2^{256} + t_3 \ast 2^{192} + t_2 \ast 2^{128} + t_1 \ast 2^{64} + t_0 $ 
@@ -287,3 +297,59 @@ $Y=T_1 \ast k_0$ MOVQ acc0, DX MULXQ p256ordK0<>(SB), t0, AX ``` + +### 方案一:(乘法、加法) +这个方案和P域的方案类似。 +$T_2=T_1 \ast P=Y \ast P= (Y \ast p_3) \ast 2^{192} + (Y \ast p_2) \ast 2^{128} + (Y \ast p_1) \ast 2^{64} + (Y \ast p_0)$ + +$T_3=T + T_2=t_7 \ast 2^{448} + t_6 \ast 2^{384} + t_5 \ast 2^{320} + t_4 \ast 2^{256} + (t_3+Y \ast p_3) \ast 2^{192} + (t_2+Y \ast p_2) \ast 2^{128} + (t_1+Y \ast p_1) \ast 2^{64} + t_0 + Y \ast p_0 $ + +共四次约减,结果表示为 $[t_3,t_2,t_1,t_0]$ +(下面没有表示出高64位和进位处理) +$t_0=t_0 + Y \ast O_0$ +$t_1=t_1 + Y \ast O_1$ +$t_2=t_2 + Y \ast O_2$ +$t_3=t_3 + Y \ast O_3$ +$t_0=0+0$ + +伪代码(第一轮): +```asm + // T = [acc0, acc1, acc2, acc3, acc4, acc5, y_ptr, x_ptr] + // First reduction step + MOVQ acc0, AX + MULQ ·np+0x00(SB) + MOVQ AX, t0 // Y + + // Calculate next T = T+Y*P + MOVQ ·p2+0x00(SB), AX + MULQ t0 + ADDQ AX, acc0 // acc0 is free now + ADCQ $0, DX + MOVQ DX, t1 // carry + XORQ acc0, acc0 + + MOVQ ·p2+0x08(SB), AX + MULQ t0 + ADDQ t1, acc1 + ADCQ $0, DX + ADDQ AX, acc1 + ADCQ $0, DX + MOVQ DX, t1 // carry + + MOVQ ·p2+0x10(SB), AX + MULQ t0 + ADDQ t1, acc2 + ADCQ $0, DX + ADDQ AX, acc2 + ADCQ $0, DX + MOVQ DX, t1 // carry + + MOVQ ·p2+0x18(SB), AX + MULQ t0 + ADDQ t1, acc3 + ADCQ $0, DX + ADDQ AX, acc3 + ADCQ DX, acc0 +``` +乘法: 5 +加法:14
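Review bot: in the hunk at @@ -267,6 +267,16 @@ the four limb values listed under "SM2 P256 Order表示" do not match the hex constant given two lines above them, and the indices run the wrong way relative to $O = O_3 \ast 2^{192} + O_2 \ast 2^{128} + O_1 \ast 2^{64} + O_0$. Splitting 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123 into 64-bit limbs from the most significant end gives O_3 = 0xFFFFFFFEFFFFFFFF, O_2 = 0xFFFFFFFFFFFFFFFF, O_1 = 0x7203DF6B21C6052B, O_0 = 0x53BBF40939D54123. The value 0xFFFFFFFF00000000 written for $O_1$ does not occur anywhere in that constant, and 0xFFFFFFFEFFFFFFFF is the top limb, not $O_0$. Every $Y \ast O_i$ term in the reduction that follows depends on these limbs, so with the table as written the reduction would be carried out against the wrong modulus; suggest replacing the four lines with the limbs above.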
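Review bot: the "方案一" hunk mixes prime-field and order constants. The $T_2$ and $T_3$ formulas are written with $p_3 \ldots p_0$ and the pseudocode multiplies by ·np and ·p2+0x00 … ·p2+0x18, while the reduction steps directly below use $O_0 \ldots O_3$ and the unchanged context line above the hunk already uses p256ordK0<>(SB) for the order's Montgomery constant. Since this section is about reduction modulo the order, the formulas should use $O_i$ and the pseudocode should load the order's limbs and its K0 rather than ·p2 and ·np; as written, someone copying the block reduces modulo the wrong modulus. The line `$t_0=0+0$` after the four `$t_i=t_i + Y \ast O_i$` steps also does not say what it records; if it is meant to state that the low limb is cancelled by the choice of Y (what the `// acc0 is free now` comment in the pseudocode expresses), write that out in words. Minor: the count 加法:14 matches the ADDQ/ADCQ instructions in the block but not the `XORQ acc0, acc0` that clears the limb; state whether that instruction is included in the count so the figure can be compared with the other schemes.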