
Poly1305

Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography. As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a key shared between sender and recipient, like a one-time pad can be used to conceal the content of a single message using a key shared between sender and recipient.

Originally Poly1305 was proposed as part of Poly1305-AES, a Carter–Wegman authenticator that combines the Poly1305 hash with AES-128 to authenticate many messages using a single short key and distinct message numbers. Poly1305 was later applied with a single-use key generated for each message using XSalsa20 in the NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher, and then using ChaCha in the ChaCha20-Poly1305 authenticated cipher deployed in TLS on the internet.

Poly1305 takes a 16-byte secret key and an -byte message and returns a 16-byte hash . To do this, Poly1305:

1. Interprets as a little-endian 16-byte integer.
2. Breaks the message into consecutive 16-byte chunks.
3. Interprets the 16-byte chunks as 17-byte little-endian integers by appending a 1 byte to every 16-byte chunk, to be used as coefficients of a polynomial.
4. Evaluates the polynomial at the point modulo the prime .
5. Reduces the result modulo encoded in little-endian return a 16-byte hash.

The coefficients of the polynomial , where , are: with the exception that, if , then:

The secret key is restricted to have the bytes , i.e., to have their top four bits clear; and to have the bytes , i.e., to have their bottom two bits clear. Thus there are distinct possible values of .

If is a secret 16-byte string interpreted as a little-endian integer, then is called the authenticator for the message . If a sender and recipient share the 32-byte secret key in advance, chosen uniformly at random, then the sender can transmit an authenticated message .
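The steps described above, written out as a short Python sketch. This is an added example, not part of the original page or of any reference implementation; the function and constant names are illustrative, and the prime 2^130 - 5, the clamp mask and the test vector are taken from RFC 8439 (section 2.5.2) as assumptions the text above does not spell out.

```python
import hmac

P = (1 << 130) - 5                            # prime modulus, per RFC 8439
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clears the restricted bits of r

# Test vector from RFC 8439, section 2.5.2 (not from the page above).
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"   # r part (unclamped as given)
    "0103808afb0db2fd4abff6af4149f51b"   # s part
)
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Return the 16-byte authenticator for msg under a 32-byte one-time key."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes: 16-byte r followed by 16-byte s")
    # Top four bits of bytes 3, 7, 11, 15 and bottom two bits of bytes 4, 8, 12
    # are forced to zero, whatever the caller supplied.
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Append a 0x01 byte to each chunk (also to a short final chunk),
        # then read the result as a little-endian integer coefficient.
        c = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + c) * r % P          # Horner step: evaluate the polynomial at r
    # Add s and keep the low 128 bits, encoded little-endian.
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the authenticator and compare it in constant time."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


if __name__ == "__main__":
    print(poly1305_mac(RFC_KEY, RFC_MSG).hex())
    print(poly1305_verify(RFC_KEY, RFC_MSG + b"!", RFC_TAG))  # altered message
```

Python's arbitrary-precision integers do not run in constant time, so this sketch is for studying the construction; deployed code should call a vetted library. The 32-byte key authenticates one message only and must not be reused.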
