Hashcash-based identity, work in progress... committing to test speed on other boxes.
This commit is contained in:
parent
588a47be89
commit
b0187f4472
6 changed files with 51 additions and 114 deletions
|
@ -34,37 +34,50 @@
|
|||
#include "Identity.hpp"
|
||||
#include "SHA512.hpp"
|
||||
#include "Salsa20.hpp"
|
||||
#include "Utils.hpp"
|
||||
|
||||
namespace ZeroTier {
|
||||
|
||||
/*
|
||||
* This is the hashcash criterion
|
||||
*/
|
||||
struct _Identity_generate_cond
|
||||
{
|
||||
_Identity_generate_cond() throw() {}
|
||||
_Identity_generate_cond(char *sb) throw() : sha512buf(sb) {}
|
||||
|
||||
inline bool operator()(const C25519::Pair &kp) const
|
||||
throw()
|
||||
{
|
||||
SHA512::hash(sha512buf,kp.pub.data,kp.pub.size());
|
||||
|
||||
if ((!sha512buf[0])&&(!(sha512buf[1] & 0xf0)))
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
char *sha512buf;
|
||||
};
|
||||
|
||||
void Identity::generate()
|
||||
{
|
||||
char sha512buf[64];
|
||||
|
||||
C25519::Pair kp;
|
||||
do {
|
||||
kp = C25519::generate();
|
||||
_address = deriveAddress(kp.pub.data,kp.pub.size());
|
||||
kp = C25519::generateSatisfying(_Identity_generate_cond(sha512buf));
|
||||
_address.setTo(sha512buf + 59,ZT_ADDRESS_LENGTH); // last 5 bytes are address
|
||||
} while (_address.isReserved());
|
||||
|
||||
_publicKey = kp.pub;
|
||||
if (!_privateKey)
|
||||
_privateKey = new C25519::Private();
|
||||
*_privateKey = kp.priv;
|
||||
|
||||
unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
|
||||
_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
|
||||
memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
|
||||
_signature = C25519::sign(kp,tmp,sizeof(tmp));
|
||||
}
|
||||
|
||||
bool Identity::locallyValidate(bool doAddressDerivationCheck) const
|
||||
{
|
||||
unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
|
||||
_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
|
||||
memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
|
||||
if (!C25519::verify(_publicKey,tmp,sizeof(tmp),_signature))
|
||||
return false;
|
||||
if ((doAddressDerivationCheck)&&(deriveAddress(_publicKey.data,_publicKey.size()) != _address))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -73,10 +86,8 @@ std::string Identity::toString(bool includePrivate) const
|
|||
std::string r;
|
||||
|
||||
r.append(_address.toString());
|
||||
r.append(":2:"); // 2 == IDENTITY_TYPE_C25519
|
||||
r.append(":0:"); // 0 == IDENTITY_TYPE_C25519
|
||||
r.append(Utils::hex(_publicKey.data,_publicKey.size()));
|
||||
r.push_back(':');
|
||||
r.append(Utils::hex(_signature.data,_signature.size()));
|
||||
if ((_privateKey)&&(includePrivate)) {
|
||||
r.push_back(':');
|
||||
r.append(Utils::hex(_privateKey->data,_privateKey->size()));
|
||||
|
@ -104,7 +115,7 @@ bool Identity::fromString(const char *str)
|
|||
return false;
|
||||
break;
|
||||
case 1:
|
||||
if (strcmp(f,"2"))
|
||||
if (f[0] != '0')
|
||||
return false;
|
||||
break;
|
||||
case 2:
|
||||
|
@ -112,10 +123,6 @@ bool Identity::fromString(const char *str)
|
|||
return false;
|
||||
break;
|
||||
case 3:
|
||||
if (Utils::unhex(f,_signature.data,_signature.size()) != _signature.size())
|
||||
return false;
|
||||
break;
|
||||
case 4:
|
||||
_privateKey = new C25519::Private();
|
||||
if (Utils::unhex(f,_privateKey->data,_privateKey->size()) != _privateKey->size())
|
||||
return false;
|
||||
|
@ -130,72 +137,5 @@ bool Identity::fromString(const char *str)
|
|||
return true;
|
||||
}
|
||||
|
||||
// These are fixed parameters and can't be changed without a new
|
||||
// identity type.
|
||||
#define ZT_IDENTITY_DERIVEADDRESS_MEMORY 33554432
|
||||
#define ZT_IDENTITY_DERIVEADDRESS_ROUNDS 50
|
||||
|
||||
Address Identity::deriveAddress(const void *keyBytes,unsigned int keyLen)
|
||||
{
|
||||
/*
|
||||
* Sequential memory-hard algorithm wedding address to public key
|
||||
*
|
||||
* Conventional hashcash with long computations and quick verifications
|
||||
* unfortunately cannot be used here. If that were used, it would be
|
||||
* equivalently costly to simply increment/vary the public key and find
|
||||
* a collision as it would be to find the address. We need something
|
||||
* that creates a costly 1:~1 mapping from key to address, hence this
|
||||
* algorithm.
|
||||
*
|
||||
* Search for "sequential memory hard algorithm" for academic references
|
||||
* to similar concepts.
|
||||
*/
|
||||
|
||||
unsigned char *ram = new unsigned char[ZT_IDENTITY_DERIVEADDRESS_MEMORY];
|
||||
for(unsigned int i=0;i<ZT_IDENTITY_DERIVEADDRESS_MEMORY;++i)
|
||||
ram[i] = ((const unsigned char *)keyBytes)[i % keyLen];
|
||||
|
||||
unsigned char salsaKey[ZT_SHA512_DIGEST_LEN];
|
||||
SHA512::hash(salsaKey,keyBytes,keyLen);
|
||||
|
||||
uint64_t nonce = 0;
|
||||
for(unsigned int r=0;r<ZT_IDENTITY_DERIVEADDRESS_ROUNDS;++r) {
|
||||
nonce = Utils::crc64(nonce,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
|
||||
#if __BYTE_ORDER == __BIG_ENDIAN
|
||||
nonce = ( // swap to little endian -- this was written for a LE system
|
||||
((nonce & 0x00000000000000FFULL) << 56) |
|
||||
((nonce & 0x000000000000FF00ULL) << 40) |
|
||||
((nonce & 0x0000000000FF0000ULL) << 24) |
|
||||
((nonce & 0x00000000FF000000ULL) << 8) |
|
||||
((nonce & 0x000000FF00000000ULL) >> 8) |
|
||||
((nonce & 0x0000FF0000000000ULL) >> 24) |
|
||||
((nonce & 0x00FF000000000000ULL) >> 40) |
|
||||
((nonce & 0xFF00000000000000ULL) >> 56)
|
||||
);
|
||||
#endif
|
||||
Salsa20 s20(salsaKey,256,&nonce);
|
||||
#if __BYTE_ORDER == __BIG_ENDIAN
|
||||
nonce = ( // swap back to big endian
|
||||
((nonce & 0x00000000000000FFULL) << 56) |
|
||||
((nonce & 0x000000000000FF00ULL) << 40) |
|
||||
((nonce & 0x0000000000FF0000ULL) << 24) |
|
||||
((nonce & 0x00000000FF000000ULL) << 8) |
|
||||
((nonce & 0x000000FF00000000ULL) >> 8) |
|
||||
((nonce & 0x0000FF0000000000ULL) >> 24) |
|
||||
((nonce & 0x00FF000000000000ULL) >> 40) |
|
||||
((nonce & 0xFF00000000000000ULL) >> 56)
|
||||
);
|
||||
#endif
|
||||
s20.encrypt(ram,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
|
||||
}
|
||||
|
||||
unsigned char finalDigest[ZT_SHA512_DIGEST_LEN];
|
||||
SHA512::hash(finalDigest,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
|
||||
|
||||
delete [] ram;
|
||||
|
||||
return Address(finalDigest,ZT_ADDRESS_LENGTH);
|
||||
}
|
||||
|
||||
} // namespace ZeroTier
|
||||
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue