diff options
| -rw-r--r-- | node/Identity.cpp | 54 | ||||
| -rw-r--r-- | selftest-crypto-vectors.hpp | 4 |
2 files changed, 42 insertions, 16 deletions
diff --git a/node/Identity.cpp b/node/Identity.cpp index 8dc192ca..c46321e0 100644 --- a/node/Identity.cpp +++ b/node/Identity.cpp @@ -38,26 +38,51 @@ // These can't be changed without a new identity type. They define the // parameters of the hashcash hashing/searching algorithm. + +// Hashcash halting criteria #define ZT_IDENTITY_GEN_HASHCASH_FIRST_BYTE_LESS_THAN 5 + +// Amount of memory for memory-hardness #define ZT_IDENTITY_GEN_MEMORY 8388608 +// Step distance for mixing genmem[] +#define ZT_IDENTITY_GEN_MEMORY_MIX_STEP 128 + namespace ZeroTier { // A memory-hard composition of SHA-512 and Salsa20 for hashcash hashing -static inline void _computeMemoryHardHash(const void *publicKey,unsigned int publicKeyBytes,void *sha512digest,unsigned char *genmem) +static inline void _computeMemoryHardHash(const void *publicKey,unsigned int publicKeyBytes,void *digest,void *genmem) { - // Step 1: hash key to generate Salsa20 key and nonce - SHA512::hash(sha512digest,publicKey,publicKeyBytes); + // Hash publicKey[] to obtain Salsa20 key + SHA512::hash(digest,publicKey,publicKeyBytes); - // Step 2: copy key into genmen[], zero rest, encrypt with Salsa20 - Salsa20 s20(sha512digest,256,((char *)sha512digest) + 32); - memcpy(genmem,publicKey,publicKeyBytes); - memset(genmem + publicKeyBytes,0,ZT_IDENTITY_GEN_MEMORY - publicKeyBytes); + // Generate genmem[] bytes of Salsa20 key stream + memset(genmem,0,ZT_IDENTITY_GEN_MEMORY); + Salsa20 s20(digest,256,(char *)digest + 32); s20.encrypt(genmem,genmem,ZT_IDENTITY_GEN_MEMORY); - // Step 3: hash the encrypted public key and the rest of the - // genmem[] bytes of Salsa20 key stream to yield the final hash. - SHA512::hash(sha512digest,genmem,ZT_IDENTITY_GEN_MEMORY); + // Do something to genmem[] that iteratively makes every value + // possibly dependent on every other value with a nontrivial + // probability. + for(unsigned int i=0;i<ZT_IDENTITY_GEN_MEMORY;i+=ZT_IDENTITY_GEN_MEMORY_MIX_STEP) { + s20.encrypt((char *)genmem + i,(char *)genmem + i,8); + uint64_t x = *((uint64_t *)((char *)genmem + i)); + if ((x / 7ULL) < 0x1249249249249249ULL) { + s20.encrypt(&x,&x,8); // also causes PRNG state to depend on genmem[]'s state + for(unsigned int k=0;k<8;++k,x>>=8) + ++((unsigned char *)genmem)[(uintptr_t)x % ZT_IDENTITY_GEN_MEMORY]; + } else { + for(unsigned int k=0;k<8;++k,x>>=8) + --((unsigned char *)genmem)[(uintptr_t)x % ZT_IDENTITY_GEN_MEMORY]; + } + } + + // Mix in publicKey[] again, ensuring all entropy is used + for(unsigned int i=0;i<publicKeyBytes;++i) + ((unsigned char *)genmem)[i] ^= ((const unsigned char *)publicKey)[i]; + + // Compute final digest from final genmem[] + SHA512::hash(digest,genmem,ZT_IDENTITY_GEN_MEMORY); } // Hashcash generation halting condition -- halt when first byte is less than @@ -65,20 +90,21 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub struct _Identity_generate_cond { _Identity_generate_cond() throw() {} - _Identity_generate_cond(unsigned char *sb,unsigned char *gm) throw() : sha512digest(sb),genmem(gm) {} + _Identity_generate_cond(unsigned char *sb,char *gm) throw() : sha512digest(sb),genmem(gm) {} inline bool operator()(const C25519::Pair &kp) const throw() { _computeMemoryHardHash(kp.pub.data,kp.pub.size(),sha512digest,genmem); return (sha512digest[0] < ZT_IDENTITY_GEN_HASHCASH_FIRST_BYTE_LESS_THAN); } - unsigned char *sha512digest,*genmem; + unsigned char *sha512digest; + char *genmem; }; void Identity::generate() { unsigned char sha512digest[64]; - unsigned char *genmem = new unsigned char[ZT_IDENTITY_GEN_MEMORY]; + char *genmem = new char[ZT_IDENTITY_GEN_MEMORY]; C25519::Pair kp; do { @@ -100,7 +126,7 @@ bool Identity::locallyValidate() const return false; unsigned char sha512digest[64]; - unsigned char *genmem = new unsigned char[ZT_IDENTITY_GEN_MEMORY]; + char *genmem = new char[ZT_IDENTITY_GEN_MEMORY]; _computeMemoryHardHash(_publicKey.data,_publicKey.size(),sha512digest,genmem); delete [] genmem; diff --git a/selftest-crypto-vectors.hpp b/selftest-crypto-vectors.hpp index 8000b528..05132804 100644 --- a/selftest-crypto-vectors.hpp +++ b/selftest-crypto-vectors.hpp @@ -3,8 +3,8 @@ #ifndef _ZT_SELFTEST_CRYPTO_VECTORS_H #define _ZT_SELFTEST_CRYPTO_VECTORS_H -#define KNOWN_GOOD_IDENTITY "d7d86de2d8:0:942f03033c0351fdf600301d846c8a1e35b7e03e8f59b91b460a7d411920374f0f5781287ccf90dc50819f91a91434848da76bb8651f97ae65bbacf9da1ca840:6617efdc863fbb009672745b116d5c84ab1ea15744d850b41ddeedf92c4215dc4c149e476aead1a7d40643f8c440ffcd084d8738f405a50309064c296c5dec9b" -#define KNOWN_BAD_IDENTITY "e7d86de2d8:0:942f03033c0351fdf600301d846c8a1e35b7e03e8f59b91b460a7d411920374f0f5781287ccf90dc50819f91a91434848da76bb8651f97ae65bbacf9da1ca840:6617efdc863fbb009672745b116d5c84ab1ea15744d850b41ddeedf92c4215dc4c149e476aead1a7d40643f8c440ffcd084d8738f405a50309064c296c5dec9b" +#define KNOWN_GOOD_IDENTITY "3a1c320b0b:0:47caad9a1926dc8ce26320a6392aea2fef256a773f0f7ccd3c88340f32a12c7811fa6a95866f00a8df5b97014c142fe27c403b28089f1ab1a717b0799523c39f:16dc074a4a00046f28a57cb0f87ccaa00e27c5d3536c278e840ce30a0b00e28d0b066253e6fe86c7e170619e69480da683db289ef19acc68ef53faf0e9f4c050" +#define KNOWN_BAD_IDENTITY "2a1c320b0b:0:47caad9a1926dc8ce26320a6392aea2fef256a773f0f7ccd3c88340f32a12c7811fa6a95866f00a8df5b97014c142fe27c403b28089f1ab1a717b0799523c39f:16dc074a4a00046f28a57cb0f87ccaa00e27c5d3536c278e840ce30a0b00e28d0b066253e6fe86c7e170619e69480da683db289ef19acc68ef53faf0e9f4c050" static const unsigned char s20TV0Key[32] = { 0x0f,0x62,0xb5,0x08,0x5b,0xae,0x01,0x54,0xa7,0xfa,0x4d,0xa0,0xf3,0x46,0x99,0xec,0x3f,0x92,0xe5,0x38,0x8b,0xde,0x31,0x84,0xd7,0x2a,0x7d,0xd0,0x23,0x76,0xc9,0x1c }; static const unsigned char s20TV0Iv[8] = { 0x28,0x8f,0xf6,0x5d,0xc4,0x2b,0x92,0xf9 }; |