author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2013-10-18 17:39:48 -0400 |
committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2013-10-18 17:39:48 -0400 |
commit | 8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717 (patch) | |
tree | d75961901641f1d35ed51e604e3fe0fa7e8cb6a2 /node/Packet.hpp | |
parent | 37e3bc3467d0f0648abe9dfb51f558465211fa87 (diff) | |
Make Salsa20 variable-round, allowing for Salsa20/12 to be used for Packet encrypt and decrypt. Profiling analysis found that Salsa20 encrypt was accounting for a nontrivial percentage of CPU time, so it makes sense to cut this load fundamentally. There are no published attacks against Salsa20/12, and DJB believes 20 rounds to be overkill. This should be more than enough for our needs. Obviously incorporating ASM Salsa20 is among the next steps for performance.
Diffstat (limited to 'node/Packet.hpp')
-rw-r--r-- | node/Packet.hpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 486faebb..aeb5d0bb 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -92,6 +92,11 @@
  */
 #define ZT_PROTO_VERB_FLAG_COMPRESSED 0x80
+/**
+ * Rounds used for Salsa20 encryption in ZT
+ */
+#define ZT_PROTO_SALSA20_ROUNDS 12
+
 // Indices of fields in normal packet header -- do not change as this
 // might require both code rework and will break compatibility.
 #define ZT_PACKET_IDX_IV 0
@@ -852,7 +857,7 @@ public:
 else (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
 _mangleKey((const unsigned char *)key,mangledKey);
-Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 // MAC key is always the first 32 bytes of the Salsa20 key stream
 // This is the same construction DJB's NaCl library uses
@@ -880,7 +885,7 @@ public:
 unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen);
 _mangleKey((const unsigned char *)key,mangledKey);
-Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 s20.encrypt(ZERO_KEY,macKey,sizeof(macKey));
 Poly1305::compute(mac,payload,payloadLen,macKey);
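Review bot: ZT_PROTO_SALSA20_ROUNDS is a wire-format parameter rather than a local tuning knob — a peer built with a different value derives a different keystream and, since the Poly1305 key is taken from that stream, a different MAC key, so the two nodes can no longer authenticate each other's packets — yet the new doc comment says only "Rounds used for Salsa20 encryption in ZT". It should carry the same warning the neighbouring header-index block already has, e.g. `* Rounds used for Salsa20 packet encryption and MAC-key derivation. Part of the wire format: every peer must use the same value, so changing it requires a protocol version bump.` The published variants are Salsa20/8, /12 and /20, and nothing in this hunk stops a later edit from setting the macro to some other count; a guard next to the define turns that into a build error: `#if (ZT_PROTO_SALSA20_ROUNDS != 8) && (ZT_PROTO_SALSA20_ROUNDS != 12) && (ZT_PROTO_SALSA20_ROUNDS != 20)` / `#error "ZT_PROTO_SALSA20_ROUNDS must be 8, 12 or 20"` / `#endif`. Whether the Salsa20 constructor itself validates the round count cannot be seen from this file.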
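Review bot: The context comment "This is the same construction DJB's NaCl library uses" is now only partly accurate: NaCl's secretbox takes its Poly1305 one-time key from the first 32 bytes of a full 20-round (X)Salsa20 stream, whereas after the changed `Salsa20 s20(...)` line both the MAC key and the payload keystream come from Salsa20/12. The construction is the same but the round count is not, and the comment should say so because the commit message's "no published attacks against Salsa20/12" is the argument that justifies it: `// MAC key is always the first 32 bytes of the Salsa20 key stream (Salsa20/ZT_PROTO_SALSA20_ROUNDS, not NaCl's 20 rounds);` / `// otherwise this is the same construction DJB's NaCl library uses`. The 8-byte field at ZT_PACKET_IDX_IV is passed as the Salsa20 nonce, so the reduced-round choice does nothing to relax the existing requirement that it never repeat under one mangled key — a single repeat exposes both the plaintext XOR and the one-time MAC key — and that is worth a sentence in the same comment. The enclosing method begins and ends outside this hunk.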