[noise] DoS resistance

Jason A. Donenfeld Jason at zx2c4.com
Thu Jul 16 13:42:34 PDT 2015


Hi guys,

So in benchmarking this thing, I've been looking at denial of service
resistance.

I can send around 10 gigabits of data per second of illegitimate
post-handshake data messages, before the CPU is maxed out. That's
good.
But, I can only send around 70 megabits per second of handshake
messages, before the CPU is maxed out. Bad news bears.

The reasoning is obvious -- a bunch of Curve25519 operations are
required during the handshake. Running `perf top` reveals that indeed
the vast majority of time is spent in freduce_coefficients, fproduct,
fsquare, freduce_degree, cmult, fmonty, fsum, etc -- all Curve25519
functions. Now admittedly, I'm not using a very optimized
implementation. But I suspect implementing this in AVX2 would only
speed it up by a factor of two... which wouldn't be enough to matter.

So noise is fast during data packets, slow during handshake (HandshakeIK).

I wonder if there are some tricks we could use for speeding this up.
Or at least a clever filtering out unauthentic packets before too much
CPU time is wasted. Cryptographic tricks? Something better than
generic rate limiting? Something that we could wind up baking into the
noise core protocol?

Jason


More information about the Noise mailing list