mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-01-04 01:19:46 +01:00
2d1dd7eaab
This works over DNSCrypt and DoH, but requires a specifically configured server. Instead of sending the actual DNS queries, the SH-T system works as follows:

Step 1: the client query is evaluated through Argon2id, a military-grade, memory-hard, CPU-hard stretching function. This makes it very expensive for an attacker to find the original query, even using GPUs and ASICs. For post-quantum resistance, we use it to generate a 1024-bit key.

Step 2: in case the Argon2id algorithm has a vulnerability, or, since this is a popular function used for hashing passwords and for cryptocurrencies, and people may have built rainbow tables already, we use a hash function over the result of the previous function. This immediately defeats rainbow tables.

Step 3: the output of the hash function is truncated to 64-bit. Due to a property of this operation known as collision-misresistance, and even if the previous steps fail due to a nation-state actor, it is impossible for a server operator to prove what exact query was originally sent by a client.

This feature is experimental.
25 lines
566 B
Go
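// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build !go1.7,amd64,!gccgo,!appengine

package blake2b

import "golang.org/x/sys/cpu"

// init records at start-up whether the CPU supports SSE4.1, so that
// hashBlocks can select the accelerated compression function.
// useSSE4 is declared elsewhere in the package.
func init() {
	useSSE4 = cpu.X86.HasSSE41
}

// hashBlocksSSE4 has no Go body here; it is implemented outside this file.
//go:noescape
func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)

// hashBlocks dispatches to the SSE4.1 implementation when available and
// otherwise falls back to hashBlocksGeneric, which is defined elsewhere
// in the package.
func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
	if useSSE4 {
		hashBlocksSSE4(h, c, flag, blocks)
	} else {
		hashBlocksGeneric(h, c, flag, blocks)
	}
}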