Poly1305

Poly1305 is a message authentication code (MAC) designed by Daniel J. Bernstein in 2004. It produces a 16-byte authentication tag from a 32-byte one-time key, which is conceptually split into two parts: r, a polynomial key, and s, an additive offset used to finalize the tag. The r value is typically masked (clamped) to limit its bit-pattern and improve security. The tag is obtained by evaluating a polynomial in the prime field p = 2^130 − 5 with the message blocks as inputs, using r as the key and adding s at the end. The message is processed in 16-byte blocks; each block is incorporated into a running accumulator through modular arithmetic, and the final value is combined with s and truncated to 16 bytes to form the tag.

Poly1305 is designed to be fast and portable, with the security of the MAC relying on the

In usage, Poly1305 provides authenticity and integrity without encryption. It is important to ensure that the