Poly1305
Last updated
Last updated
is a fast one-time message authentication code (MAC). It takes a 256-bit key that can only be used once and produces a 128-bit tag.
You almost definitely want instead. Poly1305 is easy to misuse and less secure due to the short tag length.
Fills a span with a tag computed from a message and a one-time key.
tag
has a length not equal to TagSize
.
oneTimeKey
has a length not equal to KeySize
.
The tag could not be computed.
Verifies that a tag is correct in constant time for a given message and one-time key. It returns true
if the tag is valid and false
otherwise.
tag
has a length not equal to TagSize
.
oneTimeKey
has a length not equal to KeySize
.
Provides support for computing a tag from several messages and a one-time key.
oneTimeKey
has a length not equal to KeySize
.
tag
has a length not equal to TagSize
.
The tag could not be computed.
Cannot update after finalizing or finalize twice (without reinitializing).
The object has been disposed.
These are used for validation and/or save you defining your own constants.
Each key MUST be uniformly random, unpredictable, and unique. You MUST NOT reuse a key or use the same key for multiple purposes (e.g. encryption and Poly1305).
Tags MUST be compared in constant time to avoid leaking information, so use the VerifyTag()
or FinalizeAndVerify()
function.
Tags MUST NOT be truncated to minimise the opportunity for forgery.
Do NOT use Poly1305 as a hash function or key derivation function (KDF). Use .
is strongly recommended over Poly1305 as a MAC because it has better security guarantees. Due to the 128-bit tag length, Poly1305 should only ever be used for online protocols and small messages.