The Poly1305-AES Message-Authentication Code

  • Daniel J. Bernstein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3557)


Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2106 if messages have at most L bytes, the attacker sees at most 264 authenticated messages, and the attacker attempts D forgeries. Poly1305-AES can be computed at extremely high speed: for example, fewer than 3.1l + 780 Athlon cycles for an ℓ-byte message. This speed is achieved without precomputation; consequently, 1000 keys can be handled simultaneously without cache misses. Special-purpose hardware can compute Poly1305-AES at even higher speed. Poly1305-AES is parallelizable, incremental, and not subject to any intellectual-property claims.


Message Authentication Security Guarantee Instruction Selection Fast Message Secure Message Authentication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    17th annual symposium on foundations of computer science. IEEE Computer Society, Long Beach (1976), MR 56:1766Google Scholar
  2. 2.
    20th annual symposium on foundations of computer science. IEEE Computer Society, New York (1979), MR 82a:68004Google Scholar
  3. 3.
    IEEE standard for binary floating-point arithmetic, Standard 754–1985, Institute of Electrical and Electronics Engineers New York (1985)Google Scholar
  4. 4.
    Afanassiev, V., Gehrmann, C., Smeets, B.: Fast message authentication using efficient polynomial evaluation. In: [10], pp. 190–204 (1997),
  5. 5.
    Bernstein, D.J.: Guaranteed message authentication faster than MD5, abstract (1999),
  6. 6.
    Bernstein, D.J.: Cache-timing attacks on AES (2004),,IDcd9faae9bd5308c440df50fc26a517b4
  7. 7.
    Bernstein, D.J.: Floating-point arithmetic and message authentication (2004),,IDdabadd3095644704c5cbe9690ea3738e
  8. 8.
    Bernstein, D.J.: Stronger security bounds for wegman-carter-shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005),,ID2d603727f69542f30f7da2832240c1ad CrossRefGoogle Scholar
  9. 9.
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: pp. 331–342 (1994),
  10. 10.
    Biham, E. (ed.): FSE 1997. LNCS, vol. 1267. Springer, Heidelberg (1997) ISBN 3–540–63247–6zbMATHGoogle Scholar
  11. 11.
    Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: [34], pp. 216–233 (1999),
  12. 12.
    Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: [13], pp. 79–86 (1983),
  13. 13.
    Chaum, D., Rivest, R.L., Sherman, A.T.: Advances in cryptology: proceedings of Crypto 1982. Plenum Press, New York (1983) ISBN 0–306–41366–3, MR 84j:94004zbMATHGoogle Scholar
  14. 14.
    den Boer, B.: A simple and key-economical unconditional authentication scheme. Journal of Computer Security 2, 65–71 (1993), ISSN 0926–227XGoogle Scholar
  15. 15.
    Gilbert, E.N., Jessie MacWilliams, F., Sloane, N.J.A.: Codes which detect deception. Bell System Technical Journal 53, 405–424 (1974), ISSN 0005–8580, MR 55:5306MathSciNetGoogle Scholar
  16. 16.
    Granlund, T.: GMP 4.1.2: GNU multiple precision arithmetic library (2004),
  17. 17.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode (2003),
  18. 18.
    Kaminski, M.: A linear time algorithm for residue computation and a fast algorithm for division with a sparse divisor. Journal of the ACM 34, 968–984 (1987), ISSN 0004–5411, MR 89f:68033CrossRefMathSciNetGoogle Scholar
  19. 19.
    Karp, R.M., Rabin, M.O.: Efficient randomized pattern-matching algorithms. IBM Journal of Research and Development 31, 249–260 (1987), ISSN 0018–8646zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Koblitz, N. (ed.): CRYPTO 1996. LNCS, vol. 1109. Springer, Heidelberg (1996)zbMATHGoogle Scholar
  21. 21.
    Krovetz, T., Rogaway, P.: Fast universal hashing with small keys and no preprocessing: the PolyR construction (2000),
  22. 22.
    Nevelsteen, W., Preneel, B.: Software performance of universal hash functions. In: [29], pp. 24–41 (1999)Google Scholar
  23. 23.
    Pippenger, N.: On the evaluation of powers and related problems (preliminary version). In: [1], pp. 258–263 (1976), newer version split into [24] and [25],, MR 58:3682
  24. 24.
    Pippenger, N.: The minimum number of edges in graphs with prescribed paths. Mathematical Systems Theory 12, 325–346 (1979), see also older version [23],, ISSN 0025–5661. MR 81e:05079zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    Pippenger, N.: On the evaluation of powers and monomials. SIAM Journal on Computing 9, 230–250 (1980), see older version [23],, ISSN 0097–5397zbMATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Rabin, M.O.: Fingerprinting by random polynomials. Harvard Aiken Computational Laboratory TR-15-81 (1981),
  27. 27.
    Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: [20], 313–328 (1996); see also newer version [28]Google Scholar
  28. 28.
    Shoup, V.: On fast and provably secure message authentication based on universal hashing (1996), see also older version [27]
  29. 29.
    Stern, J. (ed.): EUROCRYPT 1999. LNCS, vol. 1592. Springer, Heidelberg (1999)zbMATHGoogle Scholar
  30. 30.
    Stinson, D.R. (ed.): CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994), ISBN 3–540–57766–1, 0–387–57766–1, MR 95b:94002zbMATHGoogle Scholar
  31. 31.
    Taylor, R.: An integrity check value algorithm for stream ciphers. In: [30], pp. 40–48 (1994),
  32. 32.
    Wegman, M.N., Lawrence Carter, J.: New classes and applications of hash functions. In: [2], pp. 175–182 (1979),
  33. 33.
    Wegman, M.N., Lawrence Carter, J.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22, 265–279 (1981), see older version [32],, ISSN 0022–0000. MR 82i:68017zbMATHCrossRefMathSciNetGoogle Scholar
  34. 34.
    Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999), ISBN 3–5540–66347–9. MR 2000h:94003zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
  1. 1.Department of Mathematics, Statistics, and Computer Science (M/C 249)The University of Illinois at ChicagoChicago

Personalised recommendations