From 8c9b73f67b786d9c08ffc98cc4b0f9b7c44b7717 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 18 Oct 2013 17:39:48 -0400
Subject: Make Salsa20 variable-round, allowing for Salsa20/12 to be used for Packet encrypt and decrypt.
Profiling analysis found that Salsa20 encrypt was accounting for a nontrivial percentage of CPU time, so it makes sense to cut this load fundamentally. There are no published attacks against Salsa20/12, and DJB believes 20 rounds to be overkill. This should be more than enough for our needs. Obviously incorporating ASM Salsa20 is among the next steps for performance.
---
 node/Packet.hpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'node/Packet.hpp')
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 486faebb..aeb5d0bb 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -92,6 +92,11 @@
  */
 #define ZT_PROTO_VERB_FLAG_COMPRESSED 0x80
+/**
+ * Rounds used for Salsa20 encryption in ZT
+ */
+#define ZT_PROTO_SALSA20_ROUNDS 12
+
 // Indices of fields in normal packet header -- do not change as this
 // might require both code rework and will break compatibility.
 #define ZT_PACKET_IDX_IV 0
@@ -852,7 +857,7 @@ public:
 else (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED);
 _mangleKey((const unsigned char *)key,mangledKey);
-Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 // MAC key is always the first 32 bytes of the Salsa20 key stream
 // This is the same construction DJB's NaCl library uses
@@ -880,7 +885,7 @@ public:
 unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen);
 _mangleKey((const unsigned char *)key,mangledKey);
-Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS);
 s20.encrypt(ZERO_KEY,macKey,sizeof(macKey));
 Poly1305::compute(mac,payload,payloadLen,macKey);
-- 
cgit v1.2.3
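Review bot: The doc comment on the new `ZT_PROTO_SALSA20_ROUNDS` does not say that the value is part of the wire format: both the payload keystream and, per the comment in the armor hunk, the Poly1305 key taken from its first 32 bytes depend on the round count, so a peer built with 20 rounds cannot decrypt or verify packets from a peer built with 12, and nothing in this diff gates the switch on a protocol version (that may be handled elsewhere). The constant sits directly above the ZT_PACKET_IDX block, whose comment already carries the right warning, so I would extend the new comment to `Rounds used for Salsa20 encryption in ZT -- wire-format constant; peers must agree on it, changing it breaks compatibility`. Salsa20/12 itself is a reasonable choice (it is the eSTREAM portfolio variant and the best published attacks stop well short of 12 rounds), so the concern is interoperability, not strength.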
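Review bot: The round count is now a runtime constructor argument on the `+` line in the armor hunk, so if Salsa20's core loop takes it as a plain variable the compiler loses the constant trip count it had with a hard-coded 20, which cuts into the CPU saving this commit is after; Salsa20.hpp is not in this diff, so this may already be handled there (for example by branching to a fixed-round body). If the implementation is genuinely variable-round it should also reject odd or zero counts, since Salsa20 is defined in double-rounds and a loop stepping by two would misbehave on an odd value; a one-line check in the constructor is enough. The enclosing method starts before this hunk.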