
Poly1305

Peter edited this page Apr 25, 2020 · 19 revisions

Introduction

Poly1305 is a cryptographic message authentication code (MAC) that uses a 256-bit one-time key (OTK). Its name comes from the prime 2^130 − 5, which is the modulus under which the message is evaluated as a polynomial at the secret point r; hence Poly1305. It can be combined with several symmetric ciphers, as in Poly1305-AES, Poly1305-Salsa20 (NaCl) and Poly1305-ChaCha20 (SSH, TLS).

The Poly1305 authenticator is designed so that forged messages are rejected with probability 1-(n/(2^102)) for a 16n-byte message, even after 2^64 legitimate messages have been sent, so it is SUF-CMA (strongly unforgeable under chosen-message attack) in authenticated-encryption (AE) terminology.

Parameters

  • Key - 256-bit (32-byte) secret one-time key

🔑 Secret field.

Usage

Incremental hash (size of the data is not known in advance, e.g. a network stream)

byte[] otk = myOneTimeKey;            // 32-byte key, used for exactly one message
using (var poly1305 = new Poly1305(otk))
{
  // Feed incoming chunks to the hasher as they arrive
  while (dataAreAvailable)
  {
    poly1305.TransformBlock(data, 0, data.Length, null, 0);
  }

  // Signal the final transformation (flush) and compute the tag
  poly1305.TransformFinalBlock(new byte[0], 0, 0);
  byte[] hash = poly1305.Hash;        // 16-byte authentication tag
}
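The polynomial evaluation mod 2^130 − 5 described in the Introduction, and the incremental update/finalize flow shown above, as an added Python example (not this library's C# code): it implements Poly1305 as specified in RFC 8439 and checks itself against the RFC's published test vector. It favours clarity over constant-time execution.

```python
import hmac

P = (1 << 130) - 5                            # the prime that gives Poly1305 its name
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # RFC 8439 clamp mask for r

# RFC 8439 section 2.5.2 test vector (published values, not constructed here)
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


class Poly1305:
    # Incremental Poly1305 over a 32-byte one-time key (clarity over constant time)

    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("Poly1305 needs a 32-byte one-time key")
        self.r = int.from_bytes(key[:16], "little") & R_CLAMP  # evaluation point
        self.s = int.from_bytes(key[16:], "little")            # one-time pad added at the end
        self.acc = 0                                            # polynomial accumulator
        self.buf = b""                                          # pending partial block

    @staticmethod
    def _absorb(acc: int, r: int, block: bytes) -> int:
        # A 0x01 byte is appended so a short final block is encoded unambiguously;
        # then acc = (acc + m_i) * r mod 2^130 - 5 (Horner's rule).
        n = int.from_bytes(block + b"\x01", "little")
        return ((acc + n) * r) % P

    def update(self, data: bytes) -> "Poly1305":
        self.buf += data
        while len(self.buf) >= 16:            # consume all complete 16-byte blocks
            self.acc = self._absorb(self.acc, self.r, self.buf[:16])
            self.buf = self.buf[16:]
        return self

    def digest(self) -> bytes:
        acc = self.acc
        if self.buf:                          # trailing partial block, if any
            acc = self._absorb(acc, self.r, self.buf)
        return ((acc + self.s) % (1 << 128)).to_bytes(16, "little")

    def verify(self, tag: bytes) -> bool:
        # constant-time comparison so the verifier does not leak the expected tag
        return hmac.compare_digest(self.digest(), tag)


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    return Poly1305(key).update(msg).digest()
```

Because the tag depends only on the bytes absorbed, feeding the message in chunks of any size through `update` yields the same tag as one call, which is what the library's TransformBlock/TransformFinalBlock pair relies on.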

Hash data of known size (file stream, byte array)

byte[] otk = myOneTimeKey;
using (var poly1305 = new Poly1305(otk))
{
  byte[] hash = poly1305.ComputeHash(myFileStream);
}

Reusing the same Poly1305 object (zero allocations)

using (var poly1305 = Poly1305.Create())
{
  // Set-up new unique OTK & re-initialize state
  poly1305.Key = myOneTimeKey;
  poly1305.Initialize();

  // your code...
}

Safety

  • Always use an unpredictable, randomly chosen key
  • Poly1305 uses a one-time-key (OTK) scheme. Using the same key more than once creates a vulnerability: every message must use a different key, because a reused key leaks information that enables forgeries of other messages

Considerations

  • The algorithm is not implemented in constant time and is therefore vulnerable to cache-timing attacks, because it uses dynamically allocated memory (BigInteger). Such attacks may be hard to carry out in practice, since they must run locally on the same machine and require a highly skilled attacker.
