Poly1305 is a message authentication code (MAC) created by Daniel Bernstein. Poly1305 takes a 32-byte one-time key and a message and produces a 16-byte tag, which is then used to authenticate the message. Whenever Poly1305 is used as a MAC algorithm, it is necessary to allocate 256 bits to the integrity key.
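A from-scratch sketch of the computation described above, as an added example that is not code from the original page or from any library it mentions: the 32-byte key is split into `r` and `s`, the message is evaluated as a polynomial modulo 2^130 - 5, and the result is a 16-byte tag. The function names are hypothetical, the test vector is the one from RFC 8439 section 2.5.2, and Python integers are not constant-time, so this is for study rather than deployment.

```python
import hmac

P = (1 << 130) - 5                          # the prime 2^130 - 5 behind the name
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # bits of r that must be cleared

# Test vector from RFC 8439, section 2.5.2
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"      # first 16 bytes: r (before clamping)
    "0103808afb0db2fd4abff6af4149f51b"      # last 16 bytes: s
)
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def poly1305_tag(key: bytes, message: bytes) -> bytes:
    """Return the 16-byte tag of `message` under a 32-byte one-time key."""
    if len(key) != 32:
        raise ValueError("Poly1305 needs a 32-byte (256-bit) one-time key")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(message), 16):
        block = message[i:i + 16]
        # A 0x01 byte is appended to every block (including a short final
        # one), so messages that differ only in trailing zeros get
        # different tags.
        n = int.from_bytes(block + b"\x01", "little")
        acc = (acc + n) * r % P
    # Add s and keep the low 128 bits: that is the 16-byte tag.
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it without an early-exit byte compare."""
    return hmac.compare_digest(poly1305_tag(key, message), tag)


if __name__ == "__main__":
    print(poly1305_tag(RFC_KEY, RFC_MSG).hex())
    print(poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
    print(poly1305_verify(RFC_KEY, RFC_MSG + b"!", RFC_TAG))
```
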

Google selected Poly1305 and ChaCha20 as a replacement for RC4 in TLS/SSL. OpenSSH added support for Poly1305 with ChaCha20 in v6.5. The NaCl crypto library uses Poly1305 with XSalsa20.

Poly1305 is biased, so it is not a suitable choice for a pseudo-random function (PRF). Using it for key derivation would reduce the security of symmetric encryption.

ChaCha20-Poly1305 is three times faster than AES-GCM on devices that don’t have AES hardware acceleration. Poly1305 also saves network bandwidth. Cloudflare introduced the ChaCha20-Poly1305 cipher suite in February 2015 and immediately noticed performance benefits.