Poly1305

This is an incremental interface for computing the Poly1305 single-shot MAC.

Note: to construct Poly1305-AES with this interface, take a 16-byte nonce, encrypt it, and pass the result as the s argument of cf_poly1305_init.

Types

cf_poly1305

Poly1305 incremental interface context.

cf_poly1305.h

Current accumulator.

cf_poly1305.r

Block multiplier.

cf_poly1305.s

Final XOR offset.

cf_poly1305.partial

Unprocessed input.

cf_poly1305.npartial

Number of bytes of unprocessed input.

Functions

void cf_poly1305_init(cf_poly1305 *ctx, const uint8_t r[16], const uint8_t s[16])

Sets up ctx ready to compute a new MAC.

In Poly1305-AES, r is the second half of the 32-byte key. s is a nonce encrypted under the first half of the key.

Parameters:
  • ctx – context (written)
  • r – MAC key.
  • s – preprocessed nonce.

void cf_poly1305_update(cf_poly1305 *ctx, const uint8_t *data, size_t nbytes)

Processes nbytes at data. Copies the data if there isn’t enough to make a full block.

void cf_poly1305_finish(cf_poly1305 *ctx, uint8_t out[16])

Finishes the operation, writing 16 bytes to out.

This destroys ctx.
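
The init/update/finish flow documented above, modelled in Python so that tags from the C interface can be cross-checked; this is an added example, not the library's own code. The class and function names are hypothetical (the attributes mirror the cf_poly1305 fields), the clamping of r follows the Poly1305 definition, and the test vector is the one from RFC 8439 section 2.5.2.

```python
P = (1 << 130) - 5                           # Poly1305 prime modulus
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # bits of r that may be set


class Poly1305Model:
    """Reference model; attribute names follow the cf_poly1305 fields."""

    def __init__(self, r: bytes, s: bytes):
        assert len(r) == 16 and len(s) == 16
        self.h = 0                                      # accumulator
        self.r = int.from_bytes(r, "little") & CLAMP    # block multiplier
        self.s = int.from_bytes(s, "little")            # final offset
        self.partial = b""                              # unprocessed input

    def _block(self, block: bytes):
        # Set a 1 bit just above the block, add it to h, multiply by r mod P.
        n = int.from_bytes(block + b"\x01", "little")
        self.h = (self.h + n) * self.r % P

    def update(self, data: bytes):
        buf = self.partial + data
        full = len(buf) - len(buf) % 16
        for i in range(0, full, 16):
            self._block(buf[i:i + 16])
        self.partial = buf[full:]        # under 16 bytes: kept for later

    def finish(self) -> bytes:
        if self.partial:
            self._block(self.partial)    # short final block
        tag = (self.h + self.s) % (1 << 128)   # s is added modulo 2^128
        self.h = self.r = self.s = 0     # wipe: context is unusable afterwards
        self.partial = b""
        return tag.to_bytes(16, "little")


def mac_in_chunks(r: bytes, s: bytes, msg: bytes, chunk: int) -> bytes:
    m = Poly1305Model(r, s)
    for i in range(0, len(msg), chunk):
        m.update(msg[i:i + chunk])
    return m.finish()


# Test vector from RFC 8439, section 2.5.2.
R = bytes.fromhex("85d6be7857556d337f4452fe42d506a8")
S = bytes.fromhex("0103808afb0db2fd4abff6af4149f51b")
MSG = b"Cryptographic Forum Research Group"
TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")
```

The tag does not depend on how the message is split across update calls, so feeding the same input to the C interface in differently sized pieces should produce the same 16 bytes.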