doxygen/scrypt_8cpp_source.html

/**

* (C) 2018 Jack Lloyd

* (C) 2018 Ribose Inc

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/scrypt.h>


#include <botan/exceptn.h>

#include <botan/pbkdf2.h>

#include <botan/internal/bit_ops.h>

#include <botan/internal/fmt.h>

#include <botan/internal/loadstor.h>

#include <botan/internal/mem_utils.h>

#include <botan/internal/salsa20.h>

#include <botan/internal/time_utils.h>


namespace Botan {


namespace {


size_t scrypt_memory_usage(size_t N, size_t r, size_t p) {

   return 128 * r * (N + p);

}


}  // namespace


std::string Scrypt_Family::name() const {

   return "Scrypt";

}


std::unique_ptr<PasswordHash> Scrypt_Family::default_params() const {

   return std::make_unique<Scrypt>(32768, 8, 1);

}


std::unique_ptr<PasswordHash> Scrypt_Family::tune_params(size_t /*output_length*/,

                                                         uint64_t desired_msec,

                                                         std::optional<size_t> max_memory,

                                                         uint64_t tuning_msec) const {

   /*

   * Some rough relations between scrypt parameters and runtime.

   * Denote here by stime(N,r,p) the msec it takes to run scrypt.

   *

   * Empirically for smaller sizes:

   * stime(N,8*r,p) / stime(N,r,p) is ~ 6-7

   * stime(N,r,8*p) / stime(N,r,8*p) is ~ 7

   * stime(2*N,r,p) / stime(N,r,p) is ~ 2

   *

   * Compute stime(8192,1,1) as baseline and extrapolate

   */


   // If max_memory is nullopt or zero this becomes zero and is ignored

   const size_t max_memory_bytes = max_memory.value_or(0) * 1024 * 1024;


   // Starting parameters

   size_t N = 8 * 1024;

   size_t r = 1;

   size_t p = 1;


   auto pwdhash = this->from_params(N, r, p);


   const uint64_t measured_time = measure_cost(tuning_msec, [&]() {

      uint8_t output[32] = {0};

      pwdhash->derive_key(output, sizeof(output), "test", 4, nullptr, 0);

   });


   const uint64_t target_nsec = desired_msec * static_cast<uint64_t>(1000000);


   uint64_t est_nsec = measured_time;


   // In below code we invoke scrypt_memory_usage with p == 0 as p contributes

   // (very slightly) to memory consumption, but N is the driving factor.

   // Including p leads to using an N half as large as what the user would expect.


   // First increase r by 8x if possible

   if(max_memory_bytes == 0 || scrypt_memory_usage(N, r * 8, 0) <= max_memory_bytes) {

      if(target_nsec / est_nsec >= 5) {

         r *= 8;

         est_nsec *= 5;

      }

   }


   // Now double N as many times as we can

   while(max_memory_bytes == 0 || scrypt_memory_usage(N * 2, r, 0) <= max_memory_bytes) {

      if(target_nsec / est_nsec >= 2) {

         N *= 2;

         est_nsec *= 2;

      } else {

         break;

      }

   }


   // If we have extra runtime budget, increment p

   if(target_nsec / est_nsec >= 2) {

      p *= std::min<size_t>(1024, static_cast<size_t>(target_nsec / est_nsec));

   }


   return std::make_unique<Scrypt>(N, r, p);

}


std::unique_ptr<PasswordHash> Scrypt_Family::from_params(size_t N, size_t r, size_t p) const {

   return std::make_unique<Scrypt>(N, r, p);

}


std::unique_ptr<PasswordHash> Scrypt_Family::from_iterations(size_t iter) const {

   const size_t r = 8;

   const size_t p = 1;


   size_t N = 8192;


   if(iter > 50000) {

      N = 16384;

   }

   if(iter > 100000) {

      N = 32768;

   }

   if(iter > 150000) {

      N = 65536;

   }


   return std::make_unique<Scrypt>(N, r, p);

}


Scrypt::Scrypt(size_t N, size_t r, size_t p) : m_N(N), m_r(r), m_p(p) {

   if(!is_power_of_2(N)) {

      throw Invalid_Argument("Scrypt N parameter must be a power of 2");

   }


   if(p == 0 || p > 1024) {

      throw Invalid_Argument("Invalid or unsupported scrypt p");

   }

   if(r == 0 || r > 256) {

      throw Invalid_Argument("Invalid or unsupported scrypt r");

   }

   if(N < 1 || N > 4194304) {

      throw Invalid_Argument("Invalid or unsupported scrypt N");

   }

}


std::string Scrypt::to_string() const {

   return fmt("Scrypt({},{},{})", m_N, m_r, m_p);

}


size_t Scrypt::total_memory_usage() const {

   const size_t N = memory_param();

   const size_t p = parallelism();

   const size_t r = iterations();


   return scrypt_memory_usage(N, r, p);

}


namespace {


void scryptBlockMix(size_t r, uint8_t* B, uint8_t* Y) {

   uint32_t B32[16];

   secure_vector<uint8_t> X(64);

   copy_mem(X.data(), &B[(2 * r - 1) * 64], 64);


   for(size_t i = 0; i != 2 * r; i++) {

      xor_buf(X.data(), &B[64 * i], 64);

      load_le<uint32_t>(B32, X.data(), 16);

      Salsa20::salsa_core(X.data(), B32, 8);

      copy_mem(&Y[64 * i], X.data(), 64);

   }


   for(size_t i = 0; i < r; ++i) {

      copy_mem(&B[i * 64], &Y[(i * 2) * 64], 64);

   }


   for(size_t i = 0; i < r; ++i) {

      copy_mem(&B[(i + r) * 64], &Y[(i * 2 + 1) * 64], 64);

   }

}


void scryptROMmix(size_t r, size_t N, uint8_t* B, secure_vector<uint8_t>& V) {

   const size_t S = 128 * r;


   for(size_t i = 0; i != N; ++i) {

      copy_mem(&V[S * i], B, S);

      scryptBlockMix(r, B, &V[N * S]);

   }


   for(size_t i = 0; i != N; ++i) {

      // compiler doesn't know here that N is power of 2

      const size_t j = load_le<uint32_t>(&B[(2 * r - 1) * 64], 0) & (N - 1);

      xor_buf(B, &V[j * S], S);

      scryptBlockMix(r, B, &V[N * S]);

   }

}


}  // namespace


void Scrypt::derive_key(uint8_t output[],

                        size_t output_len,

                        const char* password,

                        size_t password_len,

                        const uint8_t salt[],

                        size_t salt_len) const {

   const size_t N = memory_param();

   const size_t p = parallelism();

   const size_t r = iterations();


   const size_t S = 128 * r;

   secure_vector<uint8_t> B(p * S);

   // temp space

   secure_vector<uint8_t> V((N + 1) * S);


   auto hmac_sha256 = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");


   try {

      hmac_sha256->set_key(as_span_of_bytes(password, password_len));

   } catch(Invalid_Key_Length&) {

      throw Invalid_Argument("Scrypt cannot accept passphrases of the provided length");

   }


   pbkdf2(*hmac_sha256, B.data(), B.size(), salt, salt_len, 1);


   // these can be parallel

   for(size_t i = 0; i != p; ++i) {

      scryptROMmix(r, N, &B[128 * r * i], V);

   }


   pbkdf2(*hmac_sha256, output, output_len, B.data(), B.size(), 1);

}


}  // namespace Botan

Botan::Invalid_Argument
Definition exceptn.h:132

Botan::Invalid_Key_Length
Definition exceptn.h:154

Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:147

Botan::Salsa20::salsa_core
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition salsa20.cpp:75

Botan::Scrypt_Family::from_params
std::unique_ptr< PasswordHash > from_params(size_t N, size_t r, size_t p) const override
Definition scrypt.cpp:102

Botan::Scrypt_Family::tune_params
std::unique_ptr< PasswordHash > tune_params(size_t output_len, uint64_t desired_runtime_msec, std::optional< size_t > max_memory, uint64_t tune_msec) const override
Definition scrypt.cpp:37

Botan::Scrypt_Family::from_iterations
std::unique_ptr< PasswordHash > from_iterations(size_t iter) const override
Definition scrypt.cpp:106

Botan::Scrypt_Family::name
std::string name() const override
Definition scrypt.cpp:29

Botan::Scrypt_Family::default_params
std::unique_ptr< PasswordHash > default_params() const override
Definition scrypt.cpp:33

Botan::Scrypt::to_string
std::string to_string() const override
Definition scrypt.cpp:141

Botan::Scrypt::memory_param
size_t memory_param() const override
Definition scrypt.h:41

Botan::Scrypt::iterations
size_t iterations() const override
Definition scrypt.h:37

Botan::Scrypt::parallelism
size_t parallelism() const override
Definition scrypt.h:39

Botan::Scrypt::total_memory_usage
size_t total_memory_usage() const override
Definition scrypt.cpp:145

Botan::Scrypt::Scrypt
Scrypt(size_t N, size_t r, size_t p)
Definition scrypt.cpp:125

Botan::Scrypt::derive_key
void derive_key(uint8_t out[], size_t out_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len) const override
Definition scrypt.cpp:194

Botan
Definition alg_id.cpp:13

Botan::is_power_of_2
BOTAN_FORCE_INLINE constexpr bool is_power_of_2(T arg)
Definition bit_ops.h:62

Botan::as_span_of_bytes
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:59

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495

Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68

Botan::pbkdf2
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:72

Botan::measure_cost
uint64_t measure_cost(uint64_t trial_msec, F func)
Definition time_utils.h:19