Poly1305 is a
universal hash family designed by
Daniel J. Bernstein in 2002 for use in
cryptography
Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
.
As with any universal hash family, Poly1305 can be used as a one-time
message authentication code to authenticate a single message using a secret key shared between sender and recipient,
similar to the way that a
one-time pad can be used to conceal the content of a single message using a secret key shared between sender and recipient.
Originally Poly1305 was proposed as part of Poly1305-AES,
a Carter–Wegman authenticator
that combines the Poly1305 hash with
AES-128 to authenticate many messages using a single short key and distinct message numbers.
Poly1305 was later applied with a single-use key generated for each message using
XSalsa20 in the
NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher,
and then using
ChaCha in the
ChaCha20-Poly1305 authenticated cipher
deployed in
TLS on the internet.
Description
Definition of Poly1305
Poly1305 takes a 16-byte secret key
and an
-byte message
and returns a 16-byte hash
.
To do this, Poly1305:
# Interprets
as a
little-endian 16-byte integer.
# Breaks the message
into consecutive 16-byte chunks.
# Interprets the 16-byte chunks as 17-byte little-endian integers by appending a 1 byte to every 16-byte chunk, to be used as coefficients of a polynomial.
# Evaluates the polynomial at the point
modulo the prime
.
# Reduces the result modulo
encoded in little-endian return a 16-byte hash.
The coefficients
of the polynomial
, where
, are:
with the exception that, if
, then:
The secret key
is restricted to have the bytes
, ''i.e.'', to have their top four bits clear; and to have the bytes
, ''i.e.'', to have their bottom two bits clear.
Thus there are
distinct possible values of
.
Use as a one-time authenticator
If
is a secret 16-byte string interpreted as a little-endian integer, then
is called the authenticator for the message
.
If a sender and recipient share the 32-byte secret key
in advance, chosen uniformly at random, then the sender can transmit an authenticated message
.
When the recipient receives an ''alleged'' authenticated message
(which may have been modified in transmit by an adversary), they can verify its authenticity by testing whether
Without knowledge of
, the adversary has probability
of finding any
that will pass verification.
However, the same key
must not be reused for two messages.
If the adversary learns
for
, they can subtract
and find a root of the resulting polynomial to recover a small list of candidates for the secret evaluation point
, and from that the secret pad
.
The adversary can then use this to forge additional messages with high probability.
Use in Poly1305-AES as a Carter–Wegman authenticator
The original Poly1305-AES proposal
uses the Carter–Wegman structure
to authenticate many messages by taking
to be the authenticator on the th message
, where
is a universal hash family and
is an independent uniform random hash value that serves as a one-time pad to conceal it.
Poly1305-AES uses
AES-128 to generate
, where
is encoded as a 16-byte little-endian integer.
Specifically, a Poly1305-AES key is a 32-byte pair
of a 16-byte evaluation point
, as above, and a 16-byte AES key
.
The Poly1305-AES authenticator on a message
is
where 16-byte strings and integers are identified by little-endian encoding.
Note that
is reused between messages.
Without knowledge of
, the adversary has low probability of forging any authenticated messages that the recipient will accept as genuine.
Suppose the adversary sees
authenticated messages and attempts
forgeries, and can
distinguish from a uniform random permutation with advantage at most
.
(Unless AES is broken,
is very small.)
The adversary's chance of success at a single forgery is at most:
The message number
must never be repeated with the same key
.
If it is, the adversary can recover a small list of candidates for
and
, as with the one-time authenticator, and use that to forge messages.
Use in NaCl and ChaCha20-Poly1305
The
NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher uses a message number
with the
XSalsa20 stream cipher to generate a per-message
key stream, the first 32 bytes of which are taken as a one-time Poly1305 key
and the rest of which is used for encrypting the message.
It then uses Poly1305 as a one-time authenticator for the ciphertext of the message.
ChaCha20-Poly1305 does the same but with
ChaCha instead of
XSalsa20.
XChaCha20-Poly1305 using XChaCha20 instead of XSalsa20 has also been described.
Security
The security of Poly1305 and its derivatives against forgery follows from its bounded difference probability as a
universal hash family:
If
and
are messages of up to
bytes each, and
is any 16-byte string interpreted as a little-endian integer, then
where
is a uniform random Poly1305 key.
This property is sometimes called
-almost-Δ-universality over
, or
-AΔU,
where
in this case.
Of one-time authenticator
With a one-time authenticator
, the adversary's success probability for any forgery attempt
on a message
of up to
bytes is:
Here arithmetic inside the