LLMpedia: The first transparent, open encyclopedia generated by LLMs

Poly1305

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: GnuTLS Hop 4
Name: Poly1305
Type: Message authentication code
Designer: Daniel J. Bernstein
Introduced: 2005
Key size: 256 bits (effectively 128-bit tag)
Tag size: 128 bits
Block size: 128 bits
Classification: Universal hash-based MAC

Poly1305 is a high-speed message authentication code designed to provide data integrity and authentication for cryptographic protocols. It was introduced by Daniel J. Bernstein and has been widely adopted in combination with the ChaCha20 stream cipher; the resulting construction appears in standards and implementations for protocols and projects such as TLS, SSH, OpenSSH, WireGuard, and QUIC. Poly1305 is notable for its performance in software and for a design that uses modular arithmetic to produce short, fixed-size authentication tags.

Overview

Poly1305 is a one-time universal hash-based message authentication code (MAC) that takes a message and a one-time 256-bit secret (split into a 128-bit polynomial key and a 128-bit pad) and produces a 128-bit tag. Its creator, Daniel J. Bernstein, published the primitive alongside discussions involving cryptographers working in communities around the IETF, ACM, and open-source projects such as OpenBSD and LibreSSL. Poly1305 was later popularized in real-world protocols through combinations like ChaCha20-Poly1305, which is standardized in RFC 8439 and integrated into libraries maintained by organizations including OpenSSL, BoringSSL, and Mozilla.

Design and Algorithm

The algorithm treats the message as a sequence of 16-byte little-endian blocks, interprets each block as an integer, and computes a polynomial evaluation modulo a large prime. The core uses a 130-bit prime modulus (2^130 − 5), a keyed polynomial accumulator (the "r" value), and a final addition of a 128-bit nonce-derived pad (the "s" value). The mathematical foundations draw upon work in universal hashing and modular arithmetic similar in spirit to constructions discussed by researchers associated with the USENIX, CRYPTO, and Eurocrypt conferences. The design emphasizes simple operations (addition, multiplication, and modular reduction) that map well to the instruction sets of processors produced by companies such as Intel, AMD, ARM, and MIPS. Bernstein's parameter choices and constraints (for example, clamping certain bits of the "r" key) were informed by cryptanalysis presented at venues like CHES and RSA Conference.

Security Analysis

Poly1305's security as a message authentication code depends on the one-time use of its polynomial key; reuse of the same key for multiple messages compromises security. The primitive offers provable bounds on forgery probability based on universal hashing proofs that reference results from theoreticians affiliated with institutions such as MIT, Stanford University, ETH Zurich, and Princeton University. Cryptanalysis by experts in the field, including papers and presentations from researchers at IACR conferences, examined resistance to collision, forgery, and side-channel leakage. Practical security assessments also considered implementation pitfalls on platforms from vendors like Apple, Google, and Microsoft where constant-time implementations and careful handling in libraries such as LibreSSL and WolfSSL mitigate timing and fault attacks. When composed properly with a nonce-respecting stream cipher like ChaCha20, Poly1305 provides authenticated encryption with associated data (AEAD) properties used in TLS 1.3 and modern secure transport designs championed by teams at Cloudflare and Facebook.
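The computation described in the Design and Algorithm section above (16-byte little-endian blocks, Horner-style accumulation modulo 2^130 − 5 under the clamped key r, final addition of the pad s) and the constant-time tag check this section refers to, as an added worked example written for this page. It is not code from the page, from Bernstein, or from any of the libraries named here; the function names `clamp_r`, `poly1305_mac` and `poly1305_verify` are mine. The first test vector is the public one from RFC 8439, section 2.5.2; the second key/message pair is constructed so that the tag can be checked by hand.

```python
"""Readable reference implementation of Poly1305 (added example, not code
from the article or from any library it names)."""
import hmac

P1305 = (1 << 130) - 5          # the 130-bit prime modulus 2^130 - 5


def clamp_r(r_bytes: bytes) -> int:
    """Apply the bit clamping the article mentions (RFC 8439, section 2.5):
    clear the top 4 bits of bytes 3, 7, 11, 15 and the low 2 bits of bytes
    4, 8, 12, then read r as a little-endian integer."""
    if len(r_bytes) != 16:
        raise ValueError("r must be 16 bytes")
    r = bytearray(r_bytes)
    for i in (3, 7, 11, 15):
        r[i] &= 0x0F
    for i in (4, 8, 12):
        r[i] &= 0xFC
    return int.from_bytes(r, "little")


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """One-time 16-byte tag for msg under a 32-byte key: r = key[:16], s = key[16:]."""
    if len(key) != 32:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = clamp_r(key[:16])
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for off in range(0, len(msg), 16):
        block = msg[off:off + 16]
        # Each block (the last one may be shorter than 16 bytes) gets a 0x01
        # byte appended before it is read little-endian, so blocks of
        # different lengths map to different integers and trailing zero
        # bytes are not ambiguous.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P1305      # Horner step: (acc + m_i) * r mod p
    tag = (acc + s) % (1 << 128)           # add the pad, keep the low 128 bits
    return tag.to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag against the received one;
    a plain == may stop at the first mismatching byte and leak timing."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


# Public test vector from RFC 8439, section 2.5.2 (not constructed here).
RFC8439_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"   # r, before clamping
    "0103808afb0db2fd4abff6af4149f51b")  # s
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

# Constructed, hand-checkable case: r = 1 (unchanged by clamping), s = 0,
# a single message byte 0x01. The one block reads as 0x0101 = 257, so the
# tag is 257 encoded little-endian.
TOY_KEY = b"\x01" + b"\x00" * 31
TOY_MSG = b"\x01"
TOY_TAG = b"\x01\x01" + b"\x00" * 14

if __name__ == "__main__":
    assert poly1305_mac(RFC8439_KEY, RFC8439_MSG) == RFC8439_TAG
    assert poly1305_mac(TOY_KEY, TOY_MSG) == TOY_TAG
    print("RFC 8439 tag:", poly1305_mac(RFC8439_KEY, RFC8439_MSG).hex())
```

The empty message produces a tag equal to s itself (the accumulator never leaves zero), which is why the pad must be unpredictable and, like r, used for exactly one message: in ChaCha20-Poly1305 both halves of the key come from a keystream block that the nonce makes unique per message.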

Implementations and Performance

Poly1305 has numerous optimized implementations across languages and platforms: C implementations in OpenSSL, assembly-optimized backends for x86_64 and ARMv8 in projects like NaCl and libsodium, and portable implementations in Rust, Go, and JavaScript for runtimes such as Node.js and Deno. Benchmarking by contributors in communities around GitHub and performance analyses published by organizations like Google and Amazon Web Services highlight throughput advantages on CPUs with wide multiply instructions and vector units. Implementations often exploit instructions available in microarchitectures by Intel (e.g., MULX) and ARM (e.g., PMULL) to accelerate multiplication and reduction. Constant-time coding practices promoted by researchers at the University of California, Berkeley and Imperial College London reduce side-channel risks; verified implementations and formal proofs were pursued in projects linked to formal methods groups at INRIA and Microsoft Research.

Usage and Protocol Integration

Poly1305 appears in AEAD constructions like ChaCha20-Poly1305 used by TLS stacks in Apache HTTP Server, nginx, curl, and client libraries used in Android and iOS devices. It is an option in VPN implementations such as WireGuard and has been selected for use in secure transport protocols including QUIC implementations by Google and Cloudflare. Standards bodies like IETF and working groups such as TLS WG documented negotiation and cipher suite choices that include Poly1305-based AEADs. Software projects and vendors including OpenSSH, OpenVPN, Cisco, and Juniper Networks integrated Poly1305-based authenticated encryption options to provide efficient and secure message authentication in contemporary networking, storage, and embedded systems.

Category:Message authentication codes