poly1305

The Poly1305 message authentication code (docs.ppad.tech/poly1305).
git clone git://git.ppad.tech/poly1305.git
Log | Files | Refs | README | LICENSE

README.md (2704B)

      1 # poly1305
      2 
      3 [![](https://img.shields.io/hackage/v/ppad-poly1305?color=blue)](https://hackage.haskell.org/package/ppad-poly1305)
      4 ![](https://img.shields.io/badge/license-MIT-brightgreen)
      5 [![](https://img.shields.io/badge/haddock-poly1305-lightblue)](https://docs.ppad.tech/poly1305)
      6 
      7 A pure Haskell implementation of the Poly1305 message authentication
      8 code as specified by [RFC8439][8439].
      9 
     10 ## Usage
     11 
     12 A sample GHCi session:
     13 
     14 ```
     15   > :set -XOverloadedStrings
     16   >
     17   > -- import qualified
     18   > import qualified Crypto.MAC.Poly1305 as Poly1305
     19   >
     20   > -- produce a MAC for a message using a secret one-time key
     21   > let key = "i'll never use this key again!!!"
     22   > let msg = "i am a message that is in need of authentication"
     23   > Poly1305.mac key msg
     24   Just "\247\247\GSZ^\140\168\r\177\197\242\182b#\210g"
     25 ```
     26 
     27 ## Documentation
     28 
     29 Haddocks (API documentation, etc.) are hosted at
     30 [docs.ppad.tech/poly1305][hadoc].
     31 
     32 ## Performance
     33 
     34 The aim is best-in-class performance for pure, highly-auditable Haskell
     35 code.
     36 
     37 Current benchmark figures on the simple "sunscreen input" from RFC8439
     38 on an M4 Silicon MacBook Air look like (use `cabal bench` to run the
     39 benchmark suite):
     40 
     41 ```
     42   benchmarking ppad-poly1305/mac (big key)
     43   time                 3.491 μs   (3.487 μs .. 3.495 μs)
     44                        1.000 R²   (1.000 R² .. 1.000 R²)
     45   mean                 3.489 μs   (3.484 μs .. 3.493 μs)
     46   std dev              15.51 ns   (12.66 ns .. 19.80 ns)
     47 ```
     48 
     49 ## Security
     50 
     51 This library aims at the maximum security achievable in a
     52 garbage-collected language under an optimizing compiler such as GHC, in
     53 which strict constant-timeness can be [challenging to achieve][const].
     54 
     55 Note that *at present* we use GHC's native variable-length Integer type
     56 internally, and make no guarantees of constant-time execution.
     57 
     58 The Poly1305 MAC function and its internals pass all official
     59 test vectors in RFC8439, and the downstream AEAD-ChaCha20-Poly1305
     60 implementation in [ppad-aead](https://github.com/ppad-tech/aead) passes
     61 all the [Project Wycheproof vectors][wyche].
     62 
     63 If you discover any vulnerabilities, please disclose them via
     64 security@ppad.tech.
     65 
     66 ## Development
     67 
     68 You'll require [Nix][nixos] with [flake][flake] support enabled. Enter a
     69 development shell with:
     70 
     71 ```
     72 $ nix develop
     73 ```
     74 
     75 Then do e.g.:
     76 
     77 ```
     78 $ cabal repl ppad-poly1305
     79 ```
     80 
     81 to get a REPL for the main library.
     82 
     83 [8439]: https://datatracker.ietf.org/doc/html/rfc8439
     84 [nixos]: https://nixos.org/
     85 [flake]: https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-flake.html
     86 [hadoc]: https://docs.ppad.tech/poly1305
     87 [const]: https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html
     88 [wyche]: https://github.com/C2SP/wycheproof