Pure-Rust Poly1305 Message Authentication Code
Implements Poly1305-AES one-time authenticator (RFC 8439). This is a faithful translation of poly1305-donna by Andrew Moon. Avoids LLVM SIMD issues on x86_64-unknown-none bare-metal targets.
Properties:
- 128-bit authentication tag
- One-time MAC (key must be unique per message)
- Constant-time operation (no secret-dependent branches)
- ~10 cycles/byte on modern x86_64
Algorithm:
- Clamp the ‘r’ portion of the key
- Process message in 16-byte blocks
- Accumulate: a = ((a + block) * r) mod (2^130 - 5)
- Add ‘s’ portion of key: tag = (a + s) mod 2^128
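The four steps above, worked through as an added example (not the crate's own source, which this page does not show): a one-shot tag function on five 26-bit limbs with 64-bit products, where the final reduction selects with a mask instead of branching. The names `poly1305_tag`, `le128` and `limbs` are assumptions of this example, and the key and message in `main` are constructed.

```rust
// Added example (not the crate's source): one-shot Poly1305 on five 26-bit limbs.
const M26: u64 = 0x3ff_ffff;
fn le128(b: &[u8]) -> u128 { // little-endian load of up to 16 bytes
    let mut buf = [0u8; 16];
    buf[..b.len()].copy_from_slice(b);
    u128::from_le_bytes(buf)
}
fn limbs(n: u128, hibit: u64) -> [u64; 5] { // n + hibit * 2^128 as 26-bit limbs
    let mut l = [0u64; 5];
    for i in 0..4 { l[i] = (n >> (26 * i)) as u64 & M26; }
    l[4] = (n >> 104) as u64 | (hibit << 24);
    l
}
pub fn poly1305_tag(key: &[u8; 32], msg: &[u8]) -> [u8; 16] {
    // Clamp r: clear the top 4 bits of bytes 3, 7, 11, 15 and the low 2 bits of bytes 4, 8, 12.
    let r = limbs(le128(&key[..16]) & 0x0ffffffc_0ffffffc_0ffffffc_0fffffff, 0);
    let s = le128(&key[16..]);
    let mut h = [0u64; 5];
    for chunk in msg.chunks(16) {
        // A 1 bit goes just above the block: 2^128 for a full block, 2^(8*len) for a short tail.
        let n = le128(chunk);
        let b = if chunk.len() == 16 { limbs(n, 1) } else { limbs(n | (1u128 << (8 * chunk.len())), 0) };
        for i in 0..5 { h[i] += b[i]; }
        // h = h * r mod 2^130 - 5: partial products at 2^130 or above wrap around times 5.
        let mut d = [0u64; 5];
        for i in 0..5 {
            for j in 0..5 {
                d[i] += h[j] * if j <= i { r[i - j] } else { 5 * r[5 + i - j] };
            }
        }
        let mut c = 0;
        for i in 0..5 { d[i] += c; c = d[i] >> 26; h[i] = d[i] & M26; }
        h[0] += c * 5; h[1] += h[0] >> 26; h[0] &= M26;
    }
    // Finish the carry chain, then subtract p = 2^130 - 5 once if h >= p, selecting by mask.
    let mut c = 0;
    for i in 1..5 { h[i] += c; c = h[i] >> 26; h[i] &= M26; }
    h[0] += c * 5;
    let (mut g, mut c) = ([0u64; 5], 5); // g = h + 5; a carry out of bit 130 means h >= p
    for i in 0..5 { g[i] = h[i] + c; c = g[i] >> 26; g[i] &= M26; }
    let take_g = 0u64.wrapping_sub(c); // all ones when g (= h - p) is the reduced value
    let a = (0..5).fold(0u128, |a, i| {
        a.wrapping_add((((h[i] & !take_g) | (g[i] & take_g)) as u128) << (26 * i))
    });
    // tag = (a + s) mod 2^128
    a.wrapping_add(s).to_le_bytes()
}
fn main() { // constructed key and message, for illustration only
    println!("{:02x?}", poly1305_tag(&[1u8; 32], b"constructed sample message"));
}
```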
Structs
- Poly1305: Poly1305 MAC state (using 32-bit * 32-bit = 64-bit multiplication)