Poly1305 (combined with ChaCha) is now used as the de facto Carter-Wegman MAC when it comes to pure software implementations. I wonder why this is the case when Poly1305 itself is quite slow (this paper shows it being 2x slower than UMAC/VMAC). Is there another reason for its wide usage, or is it just due to the fact that Poly1305 is authored by the same person that created ChaCha?
1 Answer
Well, undoubtedly the popularity of Poly1305 is largely due to it being bundled with ChaCha.
On the other hand, it isn't totally undeserved - Poly1305 is actually pretty good - it has decent performance (as long as you have moderately cheap multiplies), it uses a fixed size key, and it has provable security (albeit a few bits short of the tag length). The one big issue it has is that security falls apart if you repeat nonces - that's generally not a major problem if you don't have static keys (that is, keys that survive a reboot).
Now, the idea behind UMAC goes back a ways (circa 1999, IIRC), but it never seemed to get a lot of traction. Part of the issue may be the larger keys required, and part of it was (at the time) the rather larger per-message computation required (which made authenticating short messages slower).
Now, UMAC has gone through a number of versions - it appears that these drawbacks may have been addressed. On the other hand, cryptographers are leery of cryptoprimitives that keep on being changed (even if, in this case, the changes were made for practical reasons and not security ones).
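The construction the answer describes (a polynomial hash evaluated at a secret point r, masked by a one-time pad s, under a fixed 32-byte key) as an added Python example; this is not code from the original post or from any Poly1305 library. It implements Poly1305 as specified in RFC 8439, checks it against that RFC's published test vector, and adds a small wrapper that refuses to tag under a repeated nonce, illustrating the mitigation for the nonce-reuse caveat. The `derive_one_time_key` function and the `NonceTrackingMac` class are assumptions for this example: real ChaCha20-Poly1305 derives the one-time key from ChaCha20 block 0 under (key, nonce), whereas this example substitutes keyed BLAKE2b so it runs without a ChaCha20 implementation.

```python
import hashlib
import hmac

# Poly1305 evaluates its polynomial modulo the prime 2^130 - 5 (RFC 8439, section 2.5).
P = (1 << 130) - 5
# Clamping mask for r: clears bits so multi-limb implementations never overflow.
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF

# RFC 8439 section 2.5.2 test vector (published values, copied from the RFC).
RFC8439_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b"
)
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


def poly1305_mac(one_time_key: bytes, msg: bytes) -> bytes:
    """Return the 16-byte Poly1305 tag of msg under a 32-byte one-time key."""
    if len(one_time_key) != 32:
        raise ValueError("Poly1305 takes a fixed 32-byte one-time key")
    # r: the secret evaluation point of the polynomial hash (first 16 bytes, clamped).
    r = int.from_bytes(one_time_key[:16], "little") & R_CLAMP
    # s: the one-time pad added at the end. Hash-then-mask is the Carter-Wegman shape;
    # s is also why the key must never be reused for two different messages.
    s = int.from_bytes(one_time_key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Every block, including a short final one, gets a 0x01 byte appended so that
        # no coefficient is zero and the message length is bound into the polynomial.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P
    # The final sum is reduced modulo 2^128 (low 16 bytes, little-endian).
    tag = (acc + s) & ((1 << 128) - 1)
    return tag.to_bytes(16, "little")


def poly1305_verify(one_time_key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify a tag with a constant-time comparison so timing leaks nothing."""
    return hmac.compare_digest(poly1305_mac(one_time_key, msg), tag)


def check_rfc8439_vector() -> bool:
    """Self-check against the RFC 8439 test vector embedded above."""
    return poly1305_mac(RFC8439_KEY, RFC8439_MSG) == RFC8439_TAG


def derive_one_time_key(long_term_key: bytes, nonce: bytes) -> bytes:
    """Stand-in KDF (assumption for this example, NOT the ChaCha20-Poly1305 derivation).

    ChaCha20-Poly1305 takes the first 32 bytes of ChaCha20 block 0 under (key, nonce);
    keyed BLAKE2b is used here only so the example runs stand-alone. The property that
    matters is the same: a distinct nonce yields a distinct (r, s) pair.
    """
    return hashlib.blake2b(nonce, key=long_term_key, digest_size=32).digest()


class NonceTrackingMac:
    """Hypothetical wrapper that refuses to reuse a one-time key under a long-term key.

    A repeated nonce would repeat (r, s), which is exactly the condition under which
    Poly1305's security falls apart, so the wrapper fails closed instead of tagging.
    """

    def __init__(self, long_term_key: bytes):
        self._key = long_term_key
        self._seen: set = set()

    def tag(self, nonce: bytes, msg: bytes) -> bytes:
        if nonce in self._seen:
            raise ValueError("nonce reuse: the Poly1305 one-time key would be repeated")
        self._seen.add(nonce)
        return poly1305_mac(derive_one_time_key(self._key, nonce), msg)


if __name__ == "__main__":
    print("RFC 8439 vector ok:", check_rfc8439_vector())
    mac = NonceTrackingMac(b"\x11" * 32)  # constructed sample long-term key
    print("tag:", mac.tag(b"\x00" * 12, b"hello").hex())
```

The whole MAC is a handful of modular multiplications per 16-byte block, which is why the answer's "decent performance as long as you have moderately cheap multiplies" holds: in a real implementation the 130-bit arithmetic is split into limbs, but the structure is exactly this loop. The nonce-tracking wrapper is a deployment-side check, not part of the primitive; in practice the same guarantee comes from a counter-based nonce that cannot repeat under a given key.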