Sciweavers

FSE
2005
Springer

The Poly1305-AES Message-Authentication Code

14 years 6 months ago
The Poly1305-AES Message-Authentication Code
Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D L/16 /2106 if messages have at most L bytes, the attacker sees at most 264 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.625( + 170) Athlon cycles for an -byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305AES is parallelizable, incremental, and not subject to any intellectualproperty claims.
Daniel J. Bernstein
Added 27 Jun 2010
Updated 27 Jun 2010
Type Conference
Year 2005
Where FSE
Authors Daniel J. Bernstein
Comments (0)