Poly1305 is a cryptographic message authentication code (MAC) created by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message. A variant of Bernstein's Poly1305 that does not require AES has been standardized by the Internet Engineering Task Force in RFC 8439.
The original proposal, Poly1305-AES, which uses the AES (forward) encryption function as a source of pseudorandomness, computes a 128-bit (16 bytes) authenticator of a variable-length message. In addition to the message, it requires a 128-bit AES key, a 128-bit additional key r (with 106 effective key bits), and a 128-bit nonce which must be unique among all messages authenticated with the same key. The message is broken into 16-byte chunks which become coefficients of a polynomial evaluated at r, modulo the prime number 2130−5. The authentication code is the sum of this polynomial evaluation, plus a pseudorandom value computed by passing the nonce through the AES block cipher. The name Poly1305-AES is derived from its use of polynomial evaluation, the 2130−5 modulus, and AES. In NaCl, Poly1305 is used with Salsa20 in place of AES, and in TLS and SSH it is used with the ChaCha20 variant of the same.
Google has selected Poly1305 along with Bernstein's ChaCha20 symmetric cipher as a replacement for RC4 in TLS/SSL, which is used for Internet security. Google's initial implementation is used in securing https (TLS/SSL) traffic between the Chrome browser on Android phones and Google's websites. Use of ChaCha20/Poly1305 has been standardized in RFC 7905.
Shortly after Google's adoption for use in TLS, both ChaCha20 and Poly1305 support was added to OpenSSH via the email@example.com authenticated encryption cipher. Subsequently, this made it possible for OpenSSH to remove its dependency on OpenSSL through a compile-time option.
The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. Consequently, the only way for an attacker to break Poly1305-AES is to break AES.
- For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees 264 messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping 275 forgeries; and that the attacker cannot break AES with probability above δ; then, with probability at least 0.999999 − δ, all the 275 are rejected.
Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n + 780 Athlon cycles are needed, for example. The author has released optimized source code for Athlon, Pentium Pro/II/III/M, PowerPC, and UltraSPARC, in addition to non-optimized reference implementations in C and C++ as public domain software.
Below is a list of cryptography libraries that support Poly1305:
- Bouncy Castle
- mbed TLS
- Google Swaps Out Crypto Ciphers in OpenSSL, InfoSecurity, April 24, 2014
- Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26.
- Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26.
- Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
- Bernstein, Daniel J. (2005). "The Poly1305-AES Message-Authentication Code". Fast Software Encryption. Lecture Notes in Computer Science. 3557. pp. 32–49. doi:10.1007/11502760_3. ISBN 978-3-540-26541-2.
- A state-of-the-art message-authentication code on cr.yp.to