Make Salsa20 variable-round, allowing for Salsa20/12 to be used for Packet encrypt and decrypt. Profiling analysis found that Salsa20 encrypt was accounting for a nontrivial percentage of CPU time, so it makes sense to cut this load fundamentally. There are no published attacks against Salsa20/12, and DJB believes 20 rounds to be overkill. This should be more than enough for our needs. Obviously incorporating ASM Salsa20 is among the next steps for performance.

This commit is contained in:
Adam Ierymenko 2013-10-18 17:39:48 -04:00
parent 37e3bc3467
commit 8c9b73f67b
7 changed files with 41 additions and 14 deletions

View file

@ -48,6 +48,9 @@
// Step distance for mixing genmem[]
#define ZT_IDENTITY_GEN_MEMORY_MIX_STEP 1024
// Rounds used for Salsa20 step
#define ZT_IDENTITY_GEN_SALSA20_ROUNDS 20
namespace ZeroTier {
// A memory-hard composition of SHA-512 and Salsa20 for hashcash hashing
@ -58,7 +61,7 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub
// Generate genmem[] bytes of Salsa20 key stream
memset(genmem,0,ZT_IDENTITY_GEN_MEMORY);
Salsa20 s20(digest,256,(char *)digest + 32);
Salsa20 s20(digest,256,(char *)digest + 32,ZT_IDENTITY_GEN_SALSA20_ROUNDS);
s20.encrypt(genmem,genmem,ZT_IDENTITY_GEN_MEMORY);
// Do something to genmem[] that iteratively makes every value