Link to this headingPoly1305
- Bernstein’s one-time authenticator
- Uses a 128 bit nonce, 256 bit secret key and produces a tag 128 bits long.
- is not random-key robust
Link to this headingImplementation
#Info from http://loup-vaillant.fr/tutorials/poly1305-design
#Set the mod p = 2^130-5
= 0x3fffffffffffffffffffffffffffffffb
#Set some bits for r from spec and convert to little endian
= & 0x0ffffffc0ffffffc0ffffffc0fffffff
#Set secret part and convert to little endian
=
= 0
#Chunk the message into 128-bit ints
#Set the first bit to 1 and convert to little endian
=
# Add the message into the hash accumulator
+=
# Multiply the hash by the random value taken from the input key
*=
# Mod the value by 2^130-5
%=
#Finalize the hash by adding the secret derived from the key
+=
#Set the output configurable size
&=
#Convert the little endian integer back into a bytestring
return
#Generate IV if null
=
#Generate the Poly1305 key from the chacha keystream
=
#Return the Randomly generated IV and message tag
return ,
#From https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04#section-7
=
=
=
#TAG: 49ec78090e481ec6c26b33b91ccc0307
#From https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04#section-7
=
=
=
#TAG: a6f745008f81c916a20dcc74eef2b2f0