Poly1305 Message Authentication Code

About Poly1305

Poly1305 is a cryptographic message authentication code (MAC) created by Daniel J. Bernstein in 2005. It is designed to be fast and secure, and is often used in combination with stream ciphers like ChaCha20 or Salsa20.

Key Features:

• Type: Universal hash function used as a MAC
• Key Size: 256 bits (32 bytes), split into a 128-bit one-time key and a 128-bit AES key
• Output Size: 128 bits (16 bytes)
• Security: Information-theoretically secure when used with a unique key for each message
• Performance: Very fast, especially on modern processors

How Poly1305 Works:

1. Key Setup: The 256-bit key is split into two parts:
   • A 128-bit one-time key r (with some bits masked off)
   • A 128-bit AES key s
2. Message Processing:
   • The message is split into 16-byte chunks
   • Each chunk is interpreted as a number and has a "1" bit appended
   • These numbers are used to evaluate a polynomial modulo 2^130-5
   • The polynomial is evaluated using the one-time key r
3. Finalization:
   • The result of the polynomial evaluation is added to the AES key s
   • The final 16-byte MAC is produced

Common Uses:

• ChaCha20-Poly1305: An AEAD (Authenticated Encryption with Associated Data) construction that combines the ChaCha20 stream cipher with Poly1305 for authentication
• TLS: Used in TLS 1.2 and 1.3 as part of the ChaCha20-Poly1305 cipher suite
• SSH: Used in modern SSH implementations
• Signal Protocol: Used in secure messaging applications
• WireGuard: Used in the WireGuard VPN protocol

Advantages:

• Speed: Very efficient, especially on platforms without AES hardware acceleration
• Security: Provides strong authentication guarantees when used correctly
• Simplicity: Relatively simple design compared to some other MACs
• No Padding Required: Works with messages of any length without padding