As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a secret key shared between sender and recipient,[2]
similar to the way that a one-time pad can be used to conceal the content of a single message using a secret key shared between sender and recipient.
Originally Poly1305 was proposed as part of Poly1305-AES,[3]
a Carter–Wegman authenticator[4][5][1]
that combines the Poly1305 hash with AES-128 to authenticate many messages using a single short key and distinct message numbers.
Poly1305 was later applied with a single-use key generated for each message using XSalsa20 in the NaCl crypto_secretbox_xsalsa20poly1305 authenticated cipher,[6]
and then using ChaCha in the ChaCha20-Poly1305 authenticated cipher[7][8][1]
deployed in TLS on the internet.[9]
^ abcAumasson, Jean-Philippe (2018). "Chapter 7: Keyed Hashing". Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press. pp. 136–138. ISBN978-1-59327-826-7.
^Wegman, Mark N.; Carter, J. Lawrence (1981). "New Hash Functions and Their Use in Authentication and Set Equality". Journal of Computer and System Sciences. 22 (3): 265–279. doi:10.1016/0022-0000(81)90033-7.