# Poly1305-AES

Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message.

## Description

Poly1305-AES computes a 128-bit (16 bytes) authenticator of a variable-length message, using a 128-bit AES key, a 106-bit additional key, and a 128-bit nonce. The name is derived from the use of the prime number 2130−5 and the Advanced Encryption Standard.

## Security

The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. As a result, the only way for an attacker to break Poly1305-AES is to break AES.

For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees $2^{64}$ messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping $2^{75}$ forgeries; and that the attacker cannot break AES with probability above $\delta$; then, with probability at least $0.999999-\delta$, all the $2^{75}$ are rejected.[1]

Poly1305-AES offers also cipher replaceability. If anything does go wrong with AES, it can be substituted with identical security guarantee.

## Speed

Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed,[1] for example. The author has released optimized implementations for Athlon, Pentium Pro/II/III/M, PowerPC, and UltraSPARC, in addition to non-optimized reference implementations in C and C++.

## References

1. ^ a b Bernstein, Daniel J. (2005). "The Poly1305-AES Message-Authentication Code". Fast Software Encryption. Lecture Notes in Computer Science 3557. pp. 32–49. doi:10.1007/11502760_3. ISBN 978-3-540-26541-2.