Poly1305: Difference between revisions
Added {{primary sources}} tag to article (TW) |
No edit summary |
||
Line 8: | Line 8: | ||
The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. As a result, the only way for an attacker to break Poly1305-AES is to break AES. |
The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. As a result, the only way for an attacker to break Poly1305-AES is to break AES. |
||
:''For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees <math>2^{64}</math> messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping <math>2^{75}</math> forgeries; and that the attacker cannot break AES with probability above <math>\delta</math>; then, with probability at least <math>0.999999-\delta</math>, all the <math>2^{75}</math> are rejected''.<ref name=paper> |
:''For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees <math>2^{64}</math> messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping <math>2^{75}</math> forgeries; and that the attacker cannot break AES with probability above <math>\delta</math>; then, with probability at least <math>0.999999-\delta</math>, all the <math>2^{75}</math> are rejected''.<ref name=paper>{{cite book |first=Daniel J. |last=Bernstein |year=2005 |chapter=The Poly1305-AES Message-Authentication Code |title=Fast Software Encryption |series=Lecture Notes in Computer Science |volume=3557 |pages=32–49 |isbn=978-3-540-26541-2 |doi=10.1007/11502760_3 }}</ref> |
||
Poly1305-AES offers also cipher replaceability. If anything does go wrong with AES, it can be substituted with identical security guarantee. |
Poly1305-AES offers also cipher replaceability. If anything does go wrong with AES, it can be substituted with identical security guarantee. |
||
==Speed== |
==Speed== |
||
Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed,<ref name=paper/> for example. |
Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed,<ref name=paper/> for example. |
||
The author has released optimized implementations for Athlon, Pentium Pro/II/III/M, PowerPC and UltraSPARC, in addition to non-optimized reference implementations in [[C (programming language)|C]] and [[C++]]. |
The author has released optimized implementations for [[Athlon]], [[Pentium]] Pro/II/III/M, [[PowerPC]], and [[UltraSPARC]], in addition to non-optimized reference implementations in [[C (programming language)|C]] and [[C++]]. |
||
==References== |
==References== |
||
{{Reflist}} |
|||
<references /> |
|||
== |
==External links== |
||
* [http://cr.yp.to/mac.html ''Poly1305-AES''] |
* [http://cr.yp.to/mac.html ''Poly1305-AES''] |
||
* [http://cr.yp.to/mac/poly1305-20050329.pdf ''Poly1305-AES paper''], complete specification, discussion of security bounds and details on implementation. |
|||
* [http://cr.yp.to/mac.html#use ''Public domain Poly1305 library''] |
* [http://cr.yp.to/mac.html#use ''Public domain Poly1305 library''] |
||
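Review bot: the right-hand revision carries no edit summary although the Line 8 block shows several distinct changes worth recording: the previously unclosed `<ref name=paper>` now carries the full Bernstein 2005 citation and its closing `</ref>`; the dangling `==` heading is completed to `==External links==`; `{{Reflist}}` is replaced by `<references />`; and a link to the Poly1305-AES paper PDF is added. A one-line summary naming these would help later reviewers, since the only summary shown ("Added {{primary sources}} tag to article (TW)") belongs to the left-hand revision, not to this one.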
Revision as of 14:12, 17 November 2013
Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message.
Description
Poly1305-AES computes a 128-bit (16 bytes) authenticator of a variable-length message, using a 128-bit AES key, a 106-bit additional key, and a 128-bit nonce. The name is derived from the use of the prime number 2^130 − 5 and the Advanced Encryption Standard.
Security
The security of Poly1305-AES is very close to that of the underlying AES block cipher. As a result, the only way for an attacker to break Poly1305-AES is to break AES.
- For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees 2^64 messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping 2^75 forgeries; and that the attacker cannot break AES with probability above δ; then, with probability at least 0.999999 − δ, all the 2^75 are rejected.[1]
Poly1305-AES also offers cipher replaceability. If anything does go wrong with AES, it can be substituted with an identical security guarantee.
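The construction described above (a polynomial evaluated modulo 2^130 − 5 with a 106-bit clamped key, plus a 128-bit pad derived from a nonce) and the cipher-replaceability point can both be seen in a short implementation. The following is an added example written for this article; it is not Bernstein's code or any of the released implementations. Because the Python standard library has no AES, the pad AES_k(nonce) is replaced by a constructed HMAC-SHA256 stand-in (`stand_in_pad`), passed in as a parameter exactly to illustrate that the pad cipher is interchangeable; the function names, the sample keys and the sample message are all constructed for the example.

```python
import hashlib
import hmac
from typing import Callable

# The prime the name refers to: 2^130 - 5.
P = (1 << 130) - 5

# Clearing these 22 bits of the 128-bit r is what leaves the 106-bit key
# the article mentions (the top 4 bits of bytes 3, 7, 11 and 15 and the low
# 2 bits of bytes 4, 8 and 12, counting bytes in little-endian order).
CLAMP_MASK = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def clamp_r(r_bytes: bytes) -> int:
    """Read the 16-byte r little-endian and clear the 22 bits Poly1305 fixes to zero."""
    if len(r_bytes) != 16:
        raise ValueError("r must be 16 bytes")
    return int.from_bytes(r_bytes, "little") & CLAMP_MASK


def poly1305_core(r_bytes: bytes, pad: bytes, msg: bytes) -> bytes:
    """One-time authenticator: evaluate the message polynomial at r modulo
    2^130 - 5, add the 128-bit pad, and serialize the low 128 bits little-endian."""
    if len(pad) != 16:
        raise ValueError("pad must be 16 bytes")
    r = clamp_r(r_bytes)
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # A 0x01 byte is appended to every chunk before it is read as a number,
        # so a short final chunk is distinct from a full chunk ending in zeros.
        coefficient = int.from_bytes(chunk + b"\x01", "little")
        acc = ((acc + coefficient) * r) % P
    tag = (acc + int.from_bytes(pad, "little")) % (1 << 128)
    return tag.to_bytes(16, "little")


# Poly1305-AES derives the pad as AES_k(nonce). The cipher is a parameter here
# to show the replaceability property: any keyed function with 128-bit output
# can take AES's place without changing the rest of the construction.
PadFunction = Callable[[bytes, bytes], bytes]


def stand_in_pad(k: bytes, nonce: bytes) -> bytes:
    """Constructed stand-in for AES_k(nonce) (the standard library has no AES):
    16 bytes of HMAC-SHA256. The result is therefore not Poly1305-AES, only the
    same construction with a different pad cipher."""
    return hmac.new(k, nonce, hashlib.sha256).digest()[:16]


def poly1305_tag(r_bytes: bytes, k: bytes, nonce: bytes, msg: bytes,
                 pad_fn: PadFunction = stand_in_pad) -> bytes:
    """Authenticate msg under (k, r) with a 128-bit nonce that must not repeat."""
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    return poly1305_core(r_bytes, pad_fn(k, nonce), msg)


def poly1305_verify(r_bytes: bytes, k: bytes, nonce: bytes, msg: bytes, tag: bytes,
                    pad_fn: PadFunction = stand_in_pad) -> bool:
    """Recompute the tag and compare in constant time, so response timing does
    not reveal how many leading bytes of a guessed tag were correct."""
    expected = poly1305_tag(r_bytes, k, nonce, msg, pad_fn)
    return len(tag) == 16 and hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed demonstration keys and message, not vectors from the paper.
    r_key = bytes(range(16))
    aes_key = b"\x42" * 16
    nonce = bytes(15) + b"\x01"
    message = b"constructed packet payload"
    tag = poly1305_tag(r_key, aes_key, nonce, message)
    print("tag:", tag.hex())
    print("verifies:", poly1305_verify(r_key, aes_key, nonce, message, tag))
    print("tampered verifies:", poly1305_verify(r_key, aes_key, nonce, message + b"x", tag))
```

The polynomial core (`poly1305_core`) is the same Poly1305 that RFC 8439 later reused with ChaCha20, so that RFC's published Poly1305 test vector can be used to check it; only the way the pad is produced differs between the AES variant and the stand-in above. The `2^130 − 5` modulus and the 22-bit clamp are exactly what make the 128-bit r into the 106-bit key the article refers to.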
Speed
Poly1305-AES can be computed at high speed on various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed,[1] for example. The author has released optimized implementations for Athlon, Pentium Pro/II/III/M, PowerPC, and UltraSPARC, in addition to non-optimized reference implementations in C and C++.
References
- ^ a b Bernstein, Daniel J. (2005). "The Poly1305-AES Message-Authentication Code". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 3557. pp. 32–49. doi:10.1007/11502760_3. ISBN 978-3-540-26541-2.
External links