libsodium
Search…
libsodium
Introduction
Installation
Quickstart and FAQ
Projects using libsodium
Commercial support
Bindings for other languages
Usage
Helpers
Padding
Secure memory
Generating random data
Secret-key cryptography
Public-key cryptography
Hashing
Password hashing
Key derivation
Key exchange
Advanced
SHA-2
HMAC-SHA-2
The Scrypt function
Point*scalar multiplicaton
One-time authentication
Stream ciphers
Ed25519 to Curve25519
Finite field arithmetic
Custom RNG
Internals
Roadmap
Powered By GitBook
One-time authentication
One-time authentication in Sodium uses Poly1305, a Wegman-Carter authenticator designed by D. J. Bernstein.
Poly1305 takes a 32-byte, one-time key and a message and produces a 16-byte tag that authenticates the message such that an attacker has a negligible chance of producing a valid tag for a inauthentic message.
Poly1305 keys have to be:
  • secret. An attacker can compute a valid authentication tag for any message, for any given key. The security of Poly1305 relies on the fact that attackers don't know the key being used to compute the tag. This implies that they have to be:
  • unpredictable. Do not use timestamps or counters.
  • unique. Never reuse a key. A new key is required for every single message. The key can be recovered if two messages are authenticated with the same key.
The standard way to use Poly1305 is to derive a dedicated subkey from a (key, nonce) tuple, for example by taking the first bytes generated by a stream cipher.
Due to its output size, Poly1305 is recommended for online protocols, exchanging many small messages, rather than for authenticating very large files.
Finally, Poly1305 is not a replacement for a hash function.

Single-part example

#define MESSAGE ((const unsigned char *) "Data to authenticate")
#define MESSAGE_LEN 20
​
unsigned char out[crypto_onetimeauth_BYTES];
unsigned char key[crypto_onetimeauth_KEYBYTES];
​
crypto_onetimeauth_keygen(key);
crypto_onetimeauth(out, MESSAGE, MESSAGE_LEN, key);
​
if (crypto_onetimeauth_verify(out, MESSAGE, MESSAGE_LEN, key) != 0) {
/* message forged! */
}

Multi-part example

#define MESSAGE1 ((const unsigned char *) "Multi-part")
#define MESSAGE1_LEN 10
#define MESSAGE2 ((const unsigned char *) "data")
#define MESSAGE2_LEN 4
​
unsigned char out[crypto_onetimeauth_BYTES];
unsigned char key[crypto_onetimeauth_KEYBYTES];
crypto_onetimeauth_state state;
​
crypto_onetimeauth_keygen(key);
​
crypto_onetimeauth_init(&state, key);
crypto_onetimeauth_update(&state, MESSAGE1, MESSAGE1_LEN);
crypto_onetimeauth_update(&state, MESSAGE2, MESSAGE2_LEN);
crypto_onetimeauth_final(&state, out);

Usage

Single-part interface

int crypto_onetimeauth(unsigned char *out, const unsigned char *in,
unsigned long long inlen, const unsigned char *k);
The crypto_onetimeauth() function authenticates a message in whose length is inlen using a secret key k (crypto_onetimeauth_KEYBYTES bytes) and puts the authenticator into out (crypto_onetimeauth_BYTES bytes).
int crypto_onetimeauth_verify(const unsigned char *h, const unsigned char *in,
unsigned long long inlen, const unsigned char *k);
The crypto_onetimeauth_verify() function verifies, in constant time, that h is a correct authenticator for the message in whose length is inlen bytes, using the secret key k.
It returns -1 if the verification fails, or 0 on success.

Multi-part (streaming) interface

int crypto_onetimeauth_init(crypto_onetimeauth_state *state,
const unsigned char *key);
int crypto_onetimeauth_update(crypto_onetimeauth_state *state,
const unsigned char *in,
unsigned long long inlen);
int crypto_onetimeauth_final(crypto_onetimeauth_state *state,
unsigned char *out);
The crypto_onetimeauth_init() function initializes a structure pointed by state using a key key.
A 16 bytes alignment is required for the address of state. The size of this value can be obtained using sizeof(crypto_onetimeauth_state), or crypto_onetimeauth_statebytes().
crypto_onetimeauth_update() can then be called more than one in order to compute the authenticator from sequential chunks of the message.
Finally, crypto_onetimeauth_final() puts the authenticator into out.
The state must be initialized with crypto_onetimeauth_init() before updating or finalizing it.
After crypto_onetimeauth_final() returns, the state should not be used any more, unless it is reinitialized using crypto_onetimeauth_init().
void crypto_onetimeauth_keygen(unsigned char k[crypto_onetimeauth_KEYBYTES]);
The crypto_onetimeauth_keygen() function fills k with a random key. This convenience function was introduced in libsodium 1.0.12.

Constants

  • crypto_onetimeauth_BYTES
  • crypto_onetimeauth_KEYBYTES

Data types

  • crypto_onetimeauth_state

Algorithm details

  • Poly1305
Previous
Point*scalar multiplicaton
Next
Stream ciphers
Last modified 5mo ago
Copy link
Outline
Single-part example
Multi-part example
Usage
Single-part interface
Multi-part (streaming) interface
Constants
Data types
Algorithm details