Poly1305
Purpose
Poly1305 is a fast one-time message authentication code (MAC). It takes a 256-bit key that can only be used once and produces a 128-bit tag.
You almost definitely want BLAKE2b instead. Poly1305 is easy to misuse and less secure due to the short tag length.
Usage
ComputeTag
Fills a span with a tag computed from a message and a one-time key.
Exceptions
tag has a length not equal to TagSize.
oneTimeKey has a length not equal to KeySize.
The tag could not be computed.
VerifyTag
Verifies that a tag is correct in constant time for a given message and one-time key. It returns true if the tag is valid and false otherwise.
Exceptions
tag has a length not equal to TagSize.
oneTimeKey has a length not equal to KeySize.
IncrementalPoly1305
Provides support for computing a tag from several messages and a one-time key.
Exceptions
oneTimeKey has a length not equal to KeySize.
tag has a length not equal to TagSize.
The tag could not be computed.
Cannot update after finalizing or finalize twice (without reinitializing).
Constants
These are used for validation and/or save you defining your own constants.
Notes
Each key MUST be uniformly random, unpredictable, and unique. You MUST NOT reuse a key or use the same key for multiple purposes (e.g. encryption and Poly1305).
Do NOT use Poly1305 as a hash function or key derivation function (KDF). Use BLAKE2b.
Tags MUST be compared in constant time to avoid leaking information, so use the VerifyTag() or FinalizeAndVerify() function.
Tags MUST NOT be truncated to minimise the opportunity for forgery.
BLAKE2b is strongly recommended over Poly1305 as a MAC because it has better security guarantees. Due to the 128-bit tag length, Poly1305 should only ever be used for online protocols and small messages.
Last updated