Skip to content
/ poly1305-nostd Public

Pure-Rust Poly1305 MAC implementation for bare-metal/no_std targets (avoids LLVM SIMD issues)

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

artst3in/poly1305-nostd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
test_manual.rs
test_manual.rs
 
 

Repository files navigation

poly1305-nostd

Pure-Rust Poly1305 MAC implementation for no_std and bare-metal targets.

Why This Crate Exists

The standard poly1305 crate (from RustCrypto) fails to compile on certain bare-metal targets like x86_64-unknown-none with LLVM errors:

LLVM ERROR: Do not know how to split the result of this operator!

This happens because the crate uses SIMD intrinsics that aren't available on all targets. This pure-Rust implementation avoids SIMD entirely, making it portable to any Rust target.

Features

  • 100% Pure Rust: No assembly, no SIMD, no platform-specific code
  • no_std compatible: Works in bare-metal and embedded environments
  • Constant-time: Side-channel resistant implementation
  • RFC 8439 compliant: Passes official test vectors
  • Simple API: Drop-in replacement for other Poly1305 implementations

Security Properties

  • 128-bit authentication tag
  • One-time MAC (key must be unique per message)
  • Constant-time operations (no secret-dependent branches)
  • ~10 cycles/byte on modern x86_64

Usage

Add to your Cargo.toml:

[dependencies]
poly1305-nostd = "0.1"

One-shot MAC

use poly1305_nostd::Poly1305;

let key = [0u8; 32];  // Must be unique per message
let message = b"Hello, world!";

let tag = Poly1305::mac(&key, message);
assert_eq!(tag.len(), 16);

Incremental MAC

use poly1305_nostd::Poly1305;

let key = [0u8; 32];
let mut poly = Poly1305::new(&key);

poly.update(b"Hello, ");
poly.update(b"world!");

let tag = poly.finalize();

Algorithm

Poly1305 is a one-time authenticator designed by Daniel J. Bernstein:

  1. Clamp the 'r' portion of the key
  2. Process message in 16-byte blocks
  3. Accumulate: a = ((a + block) * r) mod (2^130 - 5)
  4. Add 's' portion of key: tag = (a + s) mod 2^128

Implementation Details

  • Uses 26-bit limb representation for field arithmetic
  • Field operations modulo 2^130 - 5
  • Avoids arithmetic overflow through careful reduction
  • No heap allocations

Performance

On modern x86_64 CPUs:

  • ~10 cycles/byte for bulk operations
  • ~2 µs for 1 KB message

(Performance varies by target; bare-metal may differ)

Compatibility

Tested on:

  • x86_64-unknown-none (bare-metal)
  • x86_64-unknown-linux-gnu (std)
  • Other targets should work but are untested

Testing

Run the test suite:

cargo test

Includes RFC 8439 test vectors.

License

Licensed under Apache License 2.0.

References

Contributing

Contributions welcome! This crate was extracted from a bare-metal OS project to help the Rust embedded and bare-metal community overcome LLVM SIMD limitations.

About

Pure-Rust Poly1305 MAC implementation for bare-metal/no_std targets (avoids LLVM SIMD issues)

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages