From Wikipedia, the free encyclopedia
Jump to: navigation, search

Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. It can be used to verify the data integrity and the authenticity of a message. It has been standardized in RFC 7539.


Poly1305-AES computes a 128-bit (16 bytes) authenticator of a variable-length message, using a 128-bit AES key, a 106-bit additional key, r, and a 128-bit nonce. The message is broken into 16-byte chunks which become coefficients of a polynomial in r, evaluated modulo the prime number 2130−5. The name is derived from this and the use of 2130−5 and the Advanced Encryption Standard.

Google has selected Poly1305 along with Bernstein's ChaCha20 symmetric cipher as a replacement for RC4 in TLS/SSL, which is used for Internet security.[1] Google's initial implementation is securing https (TLS/SSL) traffic between the Chrome browser on Android phones and Google's websites.[2]

Shortly after Google's adoption for TLS, both ChaCha20 and Poly1305 algorithms have also been used for a new chacha20-poly1305@openssh.com cipher in OpenSSH.[3][4] Subsequently, this made it possible for OpenSSH to not depend on OpenSSL through a compile-time option.[5]


The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. As a result, the only way for an attacker to break Poly1305-AES is to break AES.

For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees 264 messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping 275 forgeries; and that the attacker cannot break AES with probability above δ; then, with probability at least 0.999999-δ, all the 275 are rejected.[6]

Poly1305-AES offers also cipher replaceability. If anything does go wrong with AES, it can be substituted with identical security guarantee.


Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed,[6] for example. The author has released optimized implementations for Athlon, Pentium Pro/II/III/M, PowerPC, and UltraSPARC, in addition to non-optimized reference implementations in C and C++.


  1. ^ draft-agl-tls-chacha20poly1305-04 - ChaCha20 and Poly1305 based Cipher Suites for TLS4, draft-mavrogiannopoulos-chacha-tls-03 - The ChaCha Stream Cipher for Transport Layer Security
  2. ^ Google Swaps Out Crypto Ciphers in OpenSSL, InfoSecurity, April 24, 2014
  3. ^ Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26. 
  4. ^ Murenin, Constantine A. (2013-12-11). Unknown Lamer, ed. "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26. 
  5. ^ Murenin, Constantine A. (2014-04-30). Soulskill, ed. "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26. 
  6. ^ a b Bernstein, Daniel J. (2005). "The Poly1305-AES Message-Authentication Code". Fast Software Encryption. Lecture Notes in Computer Science 3557. pp. 32–49. doi:10.1007/11502760_3. ISBN 978-3-540-26541-2. 

External links[edit]