The Poly1305-AES Message-Authentication Code

  • Daniel J. Bernstein
Conference paper

DOI: 10.1007/11502760_3

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3557)
Cite this paper as:
Bernstein D.J. (2005) The Poly1305-AES Message-Authentication Code. In: Gilbert H., Handschuh H. (eds) Fast Software Encryption. FSE 2005. Lecture Notes in Computer Science, vol 3557. Springer, Berlin, Heidelberg


Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2106 if messages have at most L bytes, the attacker sees at most 264 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.1l + 780 Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
  1. 1.Department of Mathematics, Statistics, and Computer Science (M/C 249)The University of Illinois at ChicagoChicago

Personalised recommendations