Make Salsa20 variable-round, allowing for Salsa20/12 to be used for Packet encrypt and decrypt. Profiling analysis found that Salsa20 encrypt was accounting for a nontrivial percentage of CPU time, so it makes sense to cut this load fundamentally. There are no published attacks against Salsa20/12, and DJB believes 20 rounds to be overkill. This should be more than enough for our needs. Obviously incorporating ASM Salsa20 is among the next steps for performance.

author: Adam Ierymenko <adam.ierymenko@gmail.com> 2013-10-18 17:39:48 -0400
committer: Adam Ierymenko <adam.ierymenko@gmail.com> 2013-10-18 17:39:48 -0400
commit: 8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717 (patch)
tree: d75961901641f1d35ed51e604e3fe0fa7e8cb6a2 /node
parent: 37e3bc3467d0f0648abe9dfb51f558465211fa87 (diff)
download: infinitytier-8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717.tar.gz
infinitytier-8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717.zip
5 files changed, 26 insertions, 11 deletions
diff --git a/node/Identity.cpp b/node/Identity.cpp
index 0ea3dc18..d50c56fe 100644
--- a/node/Identity.cpp
+++ b/node/Identity.cpp
@@ -48,6 +48,9 @@
 // Step distance for mixing genmem[]
 #define ZT_IDENTITY_GEN_MEMORY_MIX_STEP 1024
 
+// Rounds used for Salsa20 step
+#define ZT_IDENTITY_GEN_SALSA20_ROUNDS 20
+
 namespace ZeroTier {
 
 // A memory-hard composition of SHA-512 and Salsa20 for hashcash hashing
@@ -58,7 +61,7 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub
 
 	// Generate genmem[] bytes of Salsa20 key stream
 	memset(genmem,0,ZT_IDENTITY_GEN_MEMORY);
-	Salsa20 s20(digest,256,(char *)digest + 32);
+	Salsa20 s20(digest,256,(char *)digest + 32,ZT_IDENTITY_GEN_SALSA20_ROUNDS);
 	s20.encrypt(genmem,genmem,ZT_IDENTITY_GEN_MEMORY);
 
 	// Do something to genmem[] that iteratively makes every value
diff --git a/node/NodeConfig.cpp b/node/NodeConfig.cpp
index 0dda8da7..f26cd8ea 100644
--- a/node/NodeConfig.cpp
+++ b/node/NodeConfig.cpp
@@ -49,6 +49,7 @@
 #include "Logger.hpp"
 #include "Topology.hpp"
 #include "Demarc.hpp"
+#include "Packet.hpp"
 #include "InetAddress.hpp"
 #include "Peer.hpp"
 #include "Salsa20.hpp"
@@ -283,7 +284,7 @@ std::vector< Buffer<ZT_NODECONFIG_MAX_PACKET_SIZE> > NodeConfig::encodeControlMe
 			Utils::getSecureRandom(iv,8);
 			memcpy(packet.field(8,8),iv,8);
 
-			Salsa20 s20(key,256,iv);
+			Salsa20 s20(key,256,iv,ZT_PROTO_SALSA20_ROUNDS);
 			s20.encrypt(packet.field(16,packet.size() - 16),packet.field(16,packet.size() - 16),packet.size() - 16);
 
 			memcpy(keytmp,key,32);
@@ -322,7 +323,7 @@ bool NodeConfig::decodeControlMessagePacket(const void *key,const void *data,uns
 		if (!Utils::secureEq(packet.field(0,8),poly1305tag,8))
 			return false;
 
-		Salsa20 s20(key,256,packet.field(8,8));
+		Salsa20 s20(key,256,packet.field(8,8),ZT_PROTO_SALSA20_ROUNDS);
 		s20.decrypt(packet.field(16,packet.size() - 16),packet.field(16,packet.size() - 16),packet.size() - 16);
 
 		conversationId = packet.at<uint32_t>(16);
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 486faebb..aeb5d0bb 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -92,6 +92,11 @@
  */
 #define ZT_PROTO_VERB_FLAG_COMPRESSED 0x80
 
+/**
+ * Rounds used for Salsa20 encryption in ZT
+ */
+#define ZT_PROTO_SALSA20_ROUNDS 12
+
 // Indices of fields in normal packet header -- do not change as this
 // might require both code rework and will break compatibility.
 #define ZT_PACKET_IDX_IV 0
@@ -852,7 +857,7 @@ public:
 		else (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
 
 		_mangleKey((const unsigned char *)key,mangledKey);
-		Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+		Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 
 		// MAC key is always the first 32 bytes of the Salsa20 key stream
 		// This is the same construction DJB's NaCl library uses
@@ -880,7 +885,7 @@ public:
 		unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen);
 
 		_mangleKey((const unsigned char *)key,mangledKey);
-		Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+		Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 
 		s20.encrypt(ZERO_KEY,macKey,sizeof(macKey));
 		Poly1305::compute(mac,payload,payloadLen,macKey);
diff --git a/node/Salsa20.cpp b/node/Salsa20.cpp
index d80ea28d..b634dd69 100644
--- a/node/Salsa20.cpp
+++ b/node/Salsa20.cpp
@@ -29,7 +29,7 @@ namespace ZeroTier {
 static const char *sigma = "expand 32-byte k";
 static const char *tau = "expand 16-byte k";
 
-void Salsa20::init(const void *key,unsigned int kbits,const void *iv)
+void Salsa20::init(const void *key,unsigned int kbits,const void *iv,unsigned int rounds)
 	throw()
 {
 	const char *constants;
@@ -59,6 +59,8 @@ void Salsa20::init(const void *key,unsigned int kbits,const void *iv)
 	_state[5] = U8TO32_LITTLE(constants + 4);
 	_state[10] = U8TO32_LITTLE(constants + 8);
 	_state[15] = U8TO32_LITTLE(constants + 12);
+
+	_roundsDiv2 = rounds / 2;
 }
 
 void Salsa20::encrypt(const void *in,void *out,unsigned int bytes)
@@ -114,7 +116,8 @@ void Salsa20::encrypt(const void *in,void *out,unsigned int bytes)
 		x13 = j13;
 		x14 = j14;
 		x15 = j15;
-		for (i = 20;i > 0;i -= 2) {
+		//for (i = 20;i > 0;i -= 2) {
+		for(i=0;i<_roundsDiv2;++i) {
 			 x4 = XOR( x4,ROTATE(PLUS( x0,x12), 7));
 			 x8 = XOR( x8,ROTATE(PLUS( x4, x0), 9));
 			x12 = XOR(x12,ROTATE(PLUS( x8, x4),13));
diff --git a/node/Salsa20.hpp b/node/Salsa20.hpp
index fa95ed39..9f34ba78 100644
--- a/node/Salsa20.hpp
+++ b/node/Salsa20.hpp
@@ -14,7 +14,7 @@
 namespace ZeroTier {
 
 /**
- * Salsa20/20 stream cipher
+ * Salsa20 stream cipher
  */
 class Salsa20
 {
@@ -25,11 +25,12 @@ public:
 	 * @param key Key bits
 	 * @param kbits Number of key bits: 128 or 256 (recommended)
 	 * @param iv 64-bit initialization vector
+	 * @param rounds Number of rounds: 8, 12, or 20
 	 */
-	Salsa20(const void *key,unsigned int kbits,const void *iv)
+	Salsa20(const void *key,unsigned int kbits,const void *iv,unsigned int rounds)
 		throw()
 	{
-		init(key,kbits,iv);
+		init(key,kbits,iv,rounds);
 	}
 
 	/**
@@ -38,8 +39,9 @@ public:
 	 * @param key Key bits
 	 * @param kbits Number of key bits: 128 or 256 (recommended)
 	 * @param iv 64-bit initialization vector
+	 * @param rounds Number of rounds: 8, 12, or 20
 	 */
-	void init(const void *key,unsigned int kbits,const void *iv)
+	void init(const void *key,unsigned int kbits,const void *iv,unsigned int rounds)
 		throw();
 
 	/**
@@ -67,6 +69,7 @@ public:
 
 private:
 	uint32_t _state[16];
+	unsigned int _roundsDiv2;
 };
 
 } // namespace ZeroTier
author	Adam Ierymenko <adam.ierymenko@gmail.com>	2013-10-18 17:39:48 -0400
committer	Adam Ierymenko <adam.ierymenko@gmail.com>	2013-10-18 17:39:48 -0400
commit	8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717 (patch)
tree	d75961901641f1d35ed51e604e3fe0fa7e8cb6a2 /node
parent	37e3bc3467d0f0648abe9dfb51f558465211fa87 (diff)
download	infinitytier-8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717.tar.gz infinitytier-8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717.zip