Hashcash-based identity, work in progress... committing to test speed on other boxes.

node/C25519.hpp

@@ -101,7 +101,8 @@ public:
 		Utils::getSecureRandom(priv,kp.priv.size());
 		_calcPubED(kp); // do Ed25519 key -- bytes 32-63 of pub and priv
 		do {
-			++*((uint64_t *)priv);
+			++(((uint64_t *)priv)[1]);
+			--(((uint64_t *)priv)[2]);
 			_calcPubDH(kp); // keep regenerating bytes 0-31 until satisfied
 		} while (!cond(kp));
 		return kp;

node/Defaults.cpp

@@ -53,6 +53,7 @@ static inline std::map< Identity,std::vector<InetAddress> > _mkSupernodeMap()
 	// designated as such and trusted to provide WHOIS lookup.
 
 	// cthulhu.zerotier.com - New York, New York, USA
+#if 0
 	addrs.clear();
 	if (!id.fromString("a0fa79d81c:2:0bb348bb38883a29054659a37c204f2c0b082985cb51b36fad31366dfedd616c20aacc5e33ceee2b054670639563238c4fe50bb8716c1ac7996762c0eaefbb23:b7e91f4c77815327c59ff0979f33861e665d002a357448572954c85919be61f768ee6a4d4e42318ffd9cfcc08cadedcd0277a33a950e316a1d7b5bf082919400c44cad1e725fc2035e2d7087d0c8bf51adc5875b643d759a475f899cfbf3e1a4"))
 		throw std::runtime_error("invalid identity in Defaults");
@@ -72,6 +73,7 @@ static inline std::map< Identity,std::vector<InetAddress> > _mkSupernodeMap()
 		throw std::runtime_error("invalid identity in Defaults");
 	addrs.push_back(InetAddress("198.211.127.172",ZT_DEFAULT_UDP_PORT));
 	sn[id] = addrs;
+#endif
 
 	return sn;
 }

node/Identity.cpp

@@ -34,37 +34,50 @@
 #include "Identity.hpp"
 #include "SHA512.hpp"
 #include "Salsa20.hpp"
+#include "Utils.hpp"
 
 namespace ZeroTier {
 
+/*
+ * This is the hashcash criterion
+ */
+struct _Identity_generate_cond
+{
+	_Identity_generate_cond() throw() {}
+	_Identity_generate_cond(char *sb) throw() : sha512buf(sb) {}
+
+	inline bool operator()(const C25519::Pair &kp) const
+		throw()
+	{
+		SHA512::hash(sha512buf,kp.pub.data,kp.pub.size());
+
+		if ((!sha512buf[0])&&(!(sha512buf[1] & 0xf0)))
+			return true;
+
+		return false;
+	}
+
+	char *sha512buf;
+};
+
 void Identity::generate()
 {
+	char sha512buf[64];
+
 	C25519::Pair kp;
 	do {
-		kp = C25519::generate();
-		_address = deriveAddress(kp.pub.data,kp.pub.size());
+		kp = C25519::generateSatisfying(_Identity_generate_cond(sha512buf));
+		_address.setTo(sha512buf + 59,ZT_ADDRESS_LENGTH); // last 5 bytes are address
 	} while (_address.isReserved());
 
 	_publicKey = kp.pub;
 	if (!_privateKey)
 		_privateKey = new C25519::Private();
 	*_privateKey = kp.priv;
-
-	unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
-	_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
-	memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
-	_signature = C25519::sign(kp,tmp,sizeof(tmp));
 }
 
 bool Identity::locallyValidate(bool doAddressDerivationCheck) const
 {
-	unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
-	_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
-	memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
-	if (!C25519::verify(_publicKey,tmp,sizeof(tmp),_signature))
-		return false;
-	if ((doAddressDerivationCheck)&&(deriveAddress(_publicKey.data,_publicKey.size()) != _address))
-		return false;
 	return true;
 }
 
@@ -73,10 +86,8 @@ std::string Identity::toString(bool includePrivate) const
 	std::string r;
 
 	r.append(_address.toString());
-	r.append(":2:"); // 2 == IDENTITY_TYPE_C25519
+	r.append(":0:"); // 0 == IDENTITY_TYPE_C25519
 	r.append(Utils::hex(_publicKey.data,_publicKey.size()));
-	r.push_back(':');
-	r.append(Utils::hex(_signature.data,_signature.size()));
 	if ((_privateKey)&&(includePrivate)) {
 		r.push_back(':');
 		r.append(Utils::hex(_privateKey->data,_privateKey->size()));
@@ -104,7 +115,7 @@ bool Identity::fromString(const char *str)
 					return false;
 				break;
 			case 1:
-				if (strcmp(f,"2"))
+				if (f[0] != '0')
 					return false;
 				break;
 			case 2:
@@ -112,10 +123,6 @@ bool Identity::fromString(const char *str)
 					return false;
 				break;
 			case 3:
-				if (Utils::unhex(f,_signature.data,_signature.size()) != _signature.size())
-					return false;
-				break;
-			case 4:
 				_privateKey = new C25519::Private();
 				if (Utils::unhex(f,_privateKey->data,_privateKey->size()) != _privateKey->size())
 					return false;
@@ -130,72 +137,5 @@ bool Identity::fromString(const char *str)
 	return true;
 }
 
-// These are fixed parameters and can't be changed without a new
-// identity type.
-#define ZT_IDENTITY_DERIVEADDRESS_MEMORY 33554432
-#define ZT_IDENTITY_DERIVEADDRESS_ROUNDS 50
-
-Address Identity::deriveAddress(const void *keyBytes,unsigned int keyLen)
-{
-	/*
-	 * Sequential memory-hard algorithm wedding address to public key
-	 *
-	 * Conventional hashcash with long computations and quick verifications
-	 * unfortunately cannot be used here. If that were used, it would be
-	 * equivalently costly to simply increment/vary the public key and find
-	 * a collision as it would be to find the address. We need something
-	 * that creates a costly 1:~1 mapping from key to address, hence this
-	 * algorithm.
-	 *
-	 * Search for "sequential memory hard algorithm" for academic references
-	 * to similar concepts.
-	 */
-
-	unsigned char *ram = new unsigned char[ZT_IDENTITY_DERIVEADDRESS_MEMORY];
-	for(unsigned int i=0;i<ZT_IDENTITY_DERIVEADDRESS_MEMORY;++i)
-		ram[i] = ((const unsigned char *)keyBytes)[i % keyLen];
-
-	unsigned char salsaKey[ZT_SHA512_DIGEST_LEN];
-	SHA512::hash(salsaKey,keyBytes,keyLen);
-
-	uint64_t nonce = 0;
-	for(unsigned int r=0;r<ZT_IDENTITY_DERIVEADDRESS_ROUNDS;++r) {
-		nonce = Utils::crc64(nonce,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
-#if __BYTE_ORDER == __BIG_ENDIAN
-		nonce = ( // swap to little endian -- this was written for a LE system
-			((nonce & 0x00000000000000FFULL) << 56) | 
-			((nonce & 0x000000000000FF00ULL) << 40) | 
-			((nonce & 0x0000000000FF0000ULL) << 24) | 
-			((nonce & 0x00000000FF000000ULL) <<  8) | 
-			((nonce & 0x000000FF00000000ULL) >>  8) | 
-			((nonce & 0x0000FF0000000000ULL) >> 24) | 
-			((nonce & 0x00FF000000000000ULL) >> 40) | 
-			((nonce & 0xFF00000000000000ULL) >> 56)
-		);
-#endif
-		Salsa20 s20(salsaKey,256,&nonce);
-#if __BYTE_ORDER == __BIG_ENDIAN
-		nonce = ( // swap back to big endian
-			((nonce & 0x00000000000000FFULL) << 56) | 
-			((nonce & 0x000000000000FF00ULL) << 40) | 
-			((nonce & 0x0000000000FF0000ULL) << 24) | 
-			((nonce & 0x00000000FF000000ULL) <<  8) | 
-			((nonce & 0x000000FF00000000ULL) >>  8) | 
-			((nonce & 0x0000FF0000000000ULL) >> 24) | 
-			((nonce & 0x00FF000000000000ULL) >> 40) | 
-			((nonce & 0xFF00000000000000ULL) >> 56)
-		);
-#endif
-		s20.encrypt(ram,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
-	}
-
-	unsigned char finalDigest[ZT_SHA512_DIGEST_LEN];
-	SHA512::hash(finalDigest,ram,ZT_IDENTITY_DERIVEADDRESS_MEMORY);
-
-	delete [] ram;
-
-	return Address(finalDigest,ZT_ADDRESS_LENGTH);
-}
-
 } // namespace ZeroTier
 

node/Identity.hpp

@@ -61,8 +61,7 @@ public:
 	 */
 	enum Type
 	{
-		IDENTITY_TYPE_NIST_P_521 = 1, // OBSOLETE -- only present in some early alpha versions
-		IDENTITY_TYPE_C25519 = 2
+		IDENTITY_TYPE_C25519 = 0
 	};
 
 	Identity() :
@@ -73,7 +72,6 @@ public:
 	Identity(const Identity &id) :
 		_address(id._address),
 		_publicKey(id._publicKey),
-		_signature(id._signature),
 		_privateKey((id._privateKey) ? new C25519::Private(*(id._privateKey)) : (C25519::Private *)0)
 	{
 	}
@@ -111,7 +109,6 @@ public:
 	{
 		_address = id._address;
 		_publicKey = id._publicKey;
-		_signature = id._signature;
 		if (id._privateKey) {
 			if (!_privateKey)
 				_privateKey = new C25519::Private();
@@ -236,7 +233,6 @@ public:
 		_address.appendTo(b);
 		b.append((unsigned char)IDENTITY_TYPE_C25519);
 		b.append(_publicKey.data,_publicKey.size());
-		b.append(_signature.data,_signature.size());
 		if ((_privateKey)&&(includePrivate)) {
 			b.append((unsigned char)_privateKey->size());
 			b.append(_privateKey->data,_privateKey->size());
@@ -252,7 +248,7 @@ public:
 	 * @param b Buffer containing serialized data
 	 * @param startAt Index within buffer of serialized data (default: 0)
 	 * @return Length of serialized data read from buffer
-	 * @throws std::out_of_range Buffer too small
+	 * @throws std::out_of_range Serialized data invalid
 	 * @throws std::invalid_argument Serialized data invalid
 	 */
 	template<unsigned int C>
@@ -272,8 +268,6 @@ public:
 
 		memcpy(_publicKey.data,b.field(p,_publicKey.size()),_publicKey.size());
 		p += _publicKey.size();
-		memcpy(_signature.data,b.field(p,_signature.size()),_signature.size());
-		p += _signature.size();
 
 		unsigned int privateKeyLength = b[p++];
 		if ((privateKeyLength)&&(privateKeyLength == ZT_C25519_PRIVATE_KEY_LEN)) {
@@ -318,12 +312,8 @@ public:
 	inline bool operator>=(const Identity &id) const throw() { return !(*this < id); }
 
 private:
-	// Compute an address from public key bytes
-	static Address deriveAddress(const void *keyBytes,unsigned int keyLen);
-
 	Address _address;
 	C25519::Public _publicKey;
-	C25519::Signature _signature;
 	C25519::Private *_privateKey;
 };
 

node/SHA512.cpp

@@ -121,7 +121,7 @@ static void store_bigendian(unsigned char *x,uint64 u)
   b = a; \
   a = T1 + T2;
 
-int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen)
+static inline int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen)
 {
   uint64 state[8];
   uint64 a;

selftest.cpp

@@ -207,6 +207,7 @@ static int testIdentity()
 	Identity id;
 	Buffer<512> buf;
 
+#if 0
 	std::cout << "[identity] Fully validate known-good identity... "; std::cout.flush();
 	if (!id.fromString("b487ffe552:2:9b121d26968a86eceea96d689dfb364a13f645aea9530c6d0c00c457569751340e8ff9ddf46be38190dcdd6178ff555cc48012a47280fbdece35799d8c445104:902474096fc914f0d6320a9d19b9e52d23bcf652e98b3930432d07a8271be0e19a813d1e77ee24db3454ce0c6c4a35e18a3adc0d06ee3bf086b38bd26ff95b085b4f1fd1d4ce423b15bc362cd5f13079b58252fd38b98b67b45203bb81423780:24f7ce86df8e242e4d7d04b657cf37eddc1aa7b34b6f38821c35fe393a4a381e0eef6e7b8b4ceab35a51e6ab0b6cbeb7c7282bc21c0c60cb6a512e454ecd45c5")) {
 		std::cout << "FAIL (1)" << std::endl;
@@ -217,18 +218,21 @@ static int testIdentity()
 		return -1;
 	}
 	std::cout << "PASS" << std::endl;
+#endif
 
-	std::cout << "[identity] Generate identity... "; std::cout.flush();
-	uint64_t genstart = Utils::now();
-	id.generate();
-	uint64_t genend = Utils::now();
-	std::cout << "(took " << (genend - genstart) << "ms): " << id.toString(true) << std::endl;
-	std::cout << "[identity] Locally validate identity: ";
-	if (id.locallyValidate(false)) {
-		std::cout << "PASS" << std::endl;
-	} else {
-		std::cout << "FAIL" << std::endl;
-		return -1;
+	for(unsigned int k=0;k<4;++k) {
+		std::cout << "[identity] Generate identity... "; std::cout.flush();
+		uint64_t genstart = Utils::now();
+		id.generate();
+		uint64_t genend = Utils::now();
+		std::cout << "(took " << (genend - genstart) << "ms): " << id.toString(true) << std::endl;
+		std::cout << "[identity] Locally validate identity: ";
+		if (id.locallyValidate(false)) {
+			std::cout << "PASS" << std::endl;
+		} else {
+			std::cout << "FAIL" << std::endl;
+			return -1;
+		}
 	}
 
 	{