Make Salsa20 variable-round, allowing for Salsa20/12 to be used for Packet encrypt and decrypt. Profiling analysis found that Salsa20 encrypt was accounting for a nontrivial percentage of CPU time, so it makes sense to cut this load fundamentally. There are no published attacks against Salsa20/12, and DJB believes 20 rounds to be overkill. This should be more than enough for our needs. Obviously incorporating ASM Salsa20 is among the next steps for performance.

2025-06-13 04:38:28 +00:00 · 2013-10-18 17:39:48 -04:00
parent 37e3bc3467
commit 8c9b73f67b
7 changed files with 41 additions and 14 deletions
--- a/node/Identity.cpp
+++ b/node/Identity.cpp
@ -48,6 +48,9 @@
 // Step distance for mixing genmem[]
 #define ZT_IDENTITY_GEN_MEMORY_MIX_STEP 1024

+// Rounds used for Salsa20 step
+#define ZT_IDENTITY_GEN_SALSA20_ROUNDS 20
+
 namespace ZeroTier {

 // A memory-hard composition of SHA-512 and Salsa20 for hashcash hashing
@ -58,7 +61,7 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub

 	// Generate genmem[] bytes of Salsa20 key stream
 	memset(genmem,0,ZT_IDENTITY_GEN_MEMORY);
-	Salsa20 s20(digest,256,(char *)digest + 32);
+	Salsa20 s20(digest,256,(char *)digest + 32,ZT_IDENTITY_GEN_SALSA20_ROUNDS);
 	s20.encrypt(genmem,genmem,ZT_IDENTITY_GEN_MEMORY);

 	// Do something to genmem[] that iteratively makes every value