HOME

TheInfoList



OR:

Poly1305 is a universal hash family designed by Daniel J. Bernstein in 2002 for use in
cryptography Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
. As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a secret key shared between sender and recipient, similar to the way that a one-time pad can be used to conceal the content of a single message using a secret key shared between sender and recipient. Originally Poly1305 was proposed as part of Poly1305-AES, a Carter–Wegman authenticator that combines the Poly1305 hash with AES-128 to authenticate many messages using a single short key and distinct message numbers. Poly1305 was later applied with a single-use key generated for each message using XSalsa20 in the NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher, and then using ChaCha in the ChaCha20-Poly1305 authenticated cipher deployed in TLS on the internet.


Description


Definition of Poly1305

Poly1305 takes a 16-byte secret key r and an L-byte message m and returns a 16-byte hash \operatorname_r(m). To do this, Poly1305: # Interprets r as a little-endian 16-byte integer. # Breaks the message m = (m m m \dotsc, m - 1 into consecutive 16-byte chunks. # Interprets the 16-byte chunks as 17-byte little-endian integers by appending a 1 byte to every 16-byte chunk, to be used as coefficients of a polynomial. # Evaluates the polynomial at the point r modulo the prime 2^ - 5. # Reduces the result modulo 2^ encoded in little-endian return a 16-byte hash. The coefficients c_i of the polynomial c_1 r^q + c_2 r^ + \cdots + c_q r, where q = \lceil L/16\rceil, are: c_i = m 6i - 16+ 2^8 m 6i - 15+ 2^ m 6i - 14+ \cdots + 2^ m 6i - 1+ 2^, with the exception that, if L \not\equiv 0 \pmod, then: c_q = m 6q - 16+ 2^8 m 6q - 15+ \cdots + 2^ m - 1+ 2^. The secret key r = (r r r \dotsc, r 5 is restricted to have the bytes r r r 1 r 5\in \, ''i.e.'', to have their top four bits clear; and to have the bytes r r r 2\in \, ''i.e.'', to have their bottom two bits clear. Thus there are 2^ distinct possible values of r.


Use as a one-time authenticator

If s is a secret 16-byte string interpreted as a little-endian integer, then a := \bigl(\operatorname_r(m) + s\bigr) \bmod 2^ is called the authenticator for the message m. If a sender and recipient share the 32-byte secret key (r, s) in advance, chosen uniformly at random, then the sender can transmit an authenticated message (a, m). When the recipient receives an ''alleged'' authenticated message (a', m') (which may have been modified in transmit by an adversary), they can verify its authenticity by testing whether a' \mathrel \bigl(\operatorname_r(m') + s\bigr) \bmod 2^. Without knowledge of (r, s), the adversary has probability 8\lceil L/16\rceil/2^ of finding any (a', m') \ne (a, m) that will pass verification. However, the same key (r, s) must not be reused for two messages. If the adversary learns \begin a_1 &= \bigl(\operatorname_r(m_1) + s\bigr) \bmod 2^, \\ a_2 &= \bigl(\operatorname_r(m_2) + s\bigr) \bmod 2^, \end for m_1 \ne m_2, they can subtract a_1 - a_2 \equiv \operatorname_r(m_1) - \operatorname_r(m_2) \pmod and find a root of the resulting polynomial to recover a small list of candidates for the secret evaluation point r, and from that the secret pad s. The adversary can then use this to forge additional messages with high probability.


Use in Poly1305-AES as a Carter–Wegman authenticator

The original Poly1305-AES proposal uses the Carter–Wegman structure to authenticate many messages by taking a_i := H_r(m_i) + p_i to be the authenticator on the th message m_i, where H_r is a universal hash family and p_i is an independent uniform random hash value that serves as a one-time pad to conceal it. Poly1305-AES uses AES-128 to generate p_i := \operatorname_k(i), where i is encoded as a 16-byte little-endian integer. Specifically, a Poly1305-AES key is a 32-byte pair (r, k) of a 16-byte evaluation point r, as above, and a 16-byte AES key k. The Poly1305-AES authenticator on a message m_i is a_i := \bigl(\operatorname_r(m_i) + \operatorname_k(i)\bigr) \bmod 2^, where 16-byte strings and integers are identified by little-endian encoding. Note that r is reused between messages. Without knowledge of (r, k), the adversary has low probability of forging any authenticated messages that the recipient will accept as genuine. Suppose the adversary sees C authenticated messages and attempts D forgeries, and can distinguish \operatorname_k from a uniform random permutation with advantage at most \delta. (Unless AES is broken, \delta is very small.) The adversary's chance of success at a single forgery is at most: \delta + \frac. The message number i must never be repeated with the same key (r, k). If it is, the adversary can recover a small list of candidates for r and \operatorname_k(i), as with the one-time authenticator, and use that to forge messages.


Use in NaCl and ChaCha20-Poly1305

The NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher uses a message number i with the XSalsa20 stream cipher to generate a per-message key stream, the first 32 bytes of which are taken as a one-time Poly1305 key (r_i, s_i) and the rest of which is used for encrypting the message. It then uses Poly1305 as a one-time authenticator for the ciphertext of the message. ChaCha20-Poly1305 does the same but with ChaCha instead of XSalsa20. XChaCha20-Poly1305 using XChaCha20 instead of XSalsa20 has also been described.


Security

The security of Poly1305 and its derivatives against forgery follows from its bounded difference probability as a universal hash family: If m_1 and m_2 are messages of up to L bytes each, and d is any 16-byte string interpreted as a little-endian integer, then \Pr operatorname_r(m_1) - \operatorname_r(m_2) \equiv d \pmod \leq \frac, where r is a uniform random Poly1305 key. This property is sometimes called \epsilon-almost-Δ-universality over \mathbb Z/2^\mathbb Z, or \epsilon-AΔU, where \epsilon = 8\lceil L/16\rceil/2^ in this case.


Of one-time authenticator

With a one-time authenticator a = \bigl(\operatorname_r(m) + s\bigr) \bmod 2^, the adversary's success probability for any forgery attempt (a', m') on a message m' of up to L bytes is: \begin \Pr a' = \operatorname_r(m') + s \mathrel\mid a = \operatorname_r(m) + s\\ &= \Pr ' = \operatorname_r(m') + a - \operatorname_r(m)\\ &= \Pr operatorname_r(m') - \operatorname_r(m) = a' - a\\ &\leq 8\lceil L/16\rceil/2^. \end Here arithmetic inside the \Pr
cdots The ellipsis (, plural ellipses; from , , ), rendered , alternatively described as suspension points/dots, points/periods of ellipsis, or ellipsis points, or colloquialism, colloquially, dot-dot-dot,. According to Toner it is difficult to es ...
/math> is taken to be in \mathbb Z/2^\mathbb Z for simplicity.


Of NaCl and ChaCha20-Poly1305

For NaCl crypto_secretbox_xsalsa20poly1305 and ChaCha20-Poly1305, the adversary's success probability at forgery is the same for each message independently as for a one-time authenticator, plus the adversary's distinguishing advantage \delta against XSalsa20 or ChaCha as pseudorandom functions used to generate the per-message key. In other words, the probability that the adversary succeeds at a single forgery after D attempts of messages up to L bytes is at most: \delta + \frac.


Of Poly1305-AES

The security of Poly1305-AES against forgery follows from the Carter–Wegman–Shoup structure, which instantiates a Carter–Wegman authenticator with a permutation to generate the per-message pad. If an adversary sees C authenticated messages and attempts D forgeries of messages of up to L bytes, and if the adversary has distinguishing advantage at most \delta against AES-128 as a pseudorandom permutation, then the probability the adversary succeeds at any one of the D forgeries is at most: \delta + \frac.


Speed

Poly1305-AES can be computed at high speed in various CPUs: for an ''n''-byte message, no more than 3.1''n'' + 780 Athlon cycles are needed, for example. The author has released optimized
source code In computing, source code, or simply code or source, is a plain text computer program written in a programming language. A programmer writes the human readable source code to control the behavior of a computer. Since a computer, at base, only ...
for
Athlon AMD Athlon is the brand name applied to a series of x86, x86-compatible microprocessors designed and manufactured by AMD, Advanced Micro Devices. The original Athlon (now called Athlon Classic) was the first seventh-generation x86 processor a ...
,
Pentium Pentium is a series of x86 architecture-compatible microprocessors produced by Intel from 1993 to 2023. The Pentium (original), original Pentium was Intel's fifth generation processor, succeeding the i486; Pentium was Intel's flagship proce ...
Pro/II/III/M,
PowerPC PowerPC (with the backronym Performance Optimization With Enhanced RISC – Performance Computing, sometimes abbreviated as PPC) is a reduced instruction set computer (RISC) instruction set architecture (ISA) created by the 1991 Apple Inc., App ...
, and UltraSPARC, in addition to non-optimized
reference implementation In the software development process, a reference implementation (or, less frequently, sample implementation or model implementation) is a program that implements all requirements from a corresponding specification. The reference implementation ...
s in C and C++ as public domain software.A state-of-the-art message-authentication code
on cr.yp.to


Implementations

Below is a list of cryptography libraries that support Poly1305: * Botan * Bouncy Castle * Crypto++ * Libgcrypt * libsodium *
Nettle Nettle refers to plants with stinging hairs, particularly those of the genus '' Urtica''. It can also refer to plants which resemble ''Urtica'' species in appearance but do not have stinging hairs. Plants called "nettle" include: * ball nettle ...
* OpenSSL * LibreSSL * wolfCrypt * GnuTLS *
mbed TLS Mbed TLS (previously PolarSSL) is an implementation of the Transport Layer Security, TLS and SSL protocols and the respective cryptographic algorithms and support code required. It is distributed under the Apache License version 2.0. Stated on t ...
* MatrixSSL


See also

* ChaCha20-Poly1305 – an AEAD scheme combining the stream cipher ChaCha20 with a variant of Poly1305


References


External links


Poly1305-AES
reference and optimized implementation by author D. J. Bernstein
Fast Poly1305 implementation in C
on github.com * NaClbr>one-time authenticator
an

using Poly1305 {{Cryptography navbox , hash Advanced Encryption Standard Internet Standards Message authentication codes Public-domain software with source code