package poly1305

Import Path
	vendor/golang.org/x/crypto/poly1305 (on go.dev)

Dependency Relation
	imports 3 packages, and imported by one package

Involved Source Files

	      bits_go1.13.go
	   #d poly1305.go
		Package poly1305 implements Poly1305 one-time message authentication code as
		specified in https://cr.yp.to/mac/poly1305-20050329.pdf.

		Poly1305 is a fast, one-time authentication function. It is infeasible for an
		attacker to generate an authenticator for a message without the key. However, a
		key must only be used for a single message. Authenticating two different
		messages with the same key allows an attacker to forge authenticators for other
		messages with the same key.

		Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was
		used with a fixed key in order to generate one-time keys from an nonce.
		However, in this package AES isn't used and the one-time key is specified
		directly.

	      sum_amd64.go
	      sum_generic.go
	      sum_amd64.s
Package-Level Type Names (total 5, in which 1 are exported)

	/* sort exporteds by: alphabet | popularity */
	 type MAC (struct)
		MAC is an io.Writer computing an authentication tag
		of the data written to it.

		MAC cannot be used like common hash.Hash implementations,
		because using a poly1305 key twice breaks its security.
		Therefore writing data to a running MAC after calling
		Sum or Verify causes it to panic.

		Fields (total 9, none are exported)
			/* 9 unexporteds ... *//* 9 unexporteds: */
			finalized bool
			mac mac
				// platform-dependent implementation

			mac.macGeneric macGeneric
			mac.macGeneric.buffer [16]byte
			mac.macGeneric.macState macState
			mac.macGeneric.macState.h [3]uint64
				h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
				can grow larger during and after rounds. It must, however, remain below
				2 * (2¹³⁰ - 5).

			mac.macGeneric.macState.r [2]uint64
				r and s are the private key components.

			mac.macGeneric.macState.s [2]uint64
			mac.macGeneric.offset int
		Methods (total 4, all are exported)
			(*T) Size() int
				Size returns the number of bytes Sum will return.

			(*T) Sum(b []byte) []byte
				Sum computes the authenticator of all data written to the
				message authentication code.

			(*T) Verify(expected []byte) bool
				Verify returns whether the authenticator of all data written to
				the message authentication code matches the expected value.

			(*T) Write(p []byte) (n int, err error)
				Write adds more data to the running message authentication code.
				It never returns an error.

				It must not be called after the first call of Sum or Verify.

		Implements (at least one exported)
			*T : io.Writer
		As Outputs Of (at least one exported)
			func New(key *[32]byte) *MAC
		As Inputs Of (at least 2, neither is exported)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func vendor/golang.org/x/crypto/chacha20poly1305.writeUint64(p *MAC, n int)
			func vendor/golang.org/x/crypto/chacha20poly1305.writeWithPadding(p *MAC, b []byte)

	/* 4 unexporteds ... *//* 4 unexporteds: */
	 type mac (struct)
		mac is a wrapper for macGeneric that redirects calls that would have gone to
		updateGeneric to update.

		Its Write and Sum methods are otherwise identical to the macGeneric ones, but
		using function pointers would carry a major performance cost.

		Fields (total 7, none are exported)
			/* 7 unexporteds ... *//* 7 unexporteds: */
			macGeneric macGeneric
			macGeneric.buffer [16]byte
			macGeneric.macState macState
			macGeneric.macState.h [3]uint64
				h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
				can grow larger during and after rounds. It must, however, remain below
				2 * (2¹³⁰ - 5).

			macGeneric.macState.r [2]uint64
				r and s are the private key components.

			macGeneric.macState.s [2]uint64
			macGeneric.offset int
		Methods (total 2, both are exported)
			(*T) Sum(out *[16]byte)
			(*T) Write(p []byte) (int, error)
		Implements (at least one exported)
			*T : io.Writer

	 type macGeneric (struct)

		Fields (total 6, none are exported)
			/* 6 unexporteds ... *//* 6 unexporteds: */
			buffer [16]byte
			macState macState
			macState.h [3]uint64
				h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
				can grow larger during and after rounds. It must, however, remain below
				2 * (2¹³⁰ - 5).

			macState.r [2]uint64
				r and s are the private key components.

			macState.s [2]uint64
			offset int
		Methods (total 2, both are exported)
			(*T) Sum(out *[16]byte)
				Sum flushes the last incomplete chunk from the buffer, if any, and generates
				the MAC output. It does not modify its state, in order to allow for multiple
				calls to Sum, even if no Write is allowed after Sum.

			(*T) Write(p []byte) (int, error)
				Write splits the incoming message into TagSize chunks, and passes them to
				update. It buffers incomplete chunks.

		Implements (at least one exported)
			*T : io.Writer
		As Outputs Of (at least one unexported)
			/* at least one unexported ... *//* at least one unexported: */
			func newMACGeneric(key *[32]byte) macGeneric

	 type macState (struct)
		macState holds numbers in saturated 64-bit little-endian limbs. That is,
		the value of [x0, x1, x2] is x[0] + x[1] * 2⁶⁴ + x[2] * 2¹²⁸.

		Fields (total 3, none are exported)
			/* 3 unexporteds ... *//* 3 unexporteds: */
			h [3]uint64
				h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
				can grow larger during and after rounds. It must, however, remain below
				2 * (2¹³⁰ - 5).

			r [2]uint64
				r and s are the private key components.

			s [2]uint64
		As Inputs Of (at least 3, none are exported)
			/* 3+ unexporteds ... *//* 3+ unexporteds: */
			func initialize(key *[32]byte, m *macState)
			func update(state *macState, msg []byte)
			func updateGeneric(state *macState, msg []byte)

	 type uint128 (struct)
		uint128 holds a 128-bit number as two 64-bit limbs, for use with the
		bits.Mul64 and bits.Add64 intrinsics.

		Fields (total 2, neither is exported)
			/* 2 unexporteds ... *//* 2 unexporteds: */
			hi uint64
			lo uint64
		As Outputs Of (at least 3, none are exported)
			/* 3+ unexporteds ... *//* 3+ unexporteds: */
			func add128(a, b uint128) uint128
			func mul64(a, b uint64) uint128
			func shiftRightBy2(a uint128) uint128
		As Inputs Of (at least 2, neither is exported)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func add128(a, b uint128) uint128
			func shiftRightBy2(a uint128) uint128


Package-Level Functions (total 16, in which 3 are exported)

	 func New(key *[32]byte) *MAC
		New returns a new MAC computing an authentication
		tag of all data written to it with the given key.
		This allows writing the message progressively instead
		of passing it as a single slice. Common users should use
		the Sum function instead.

		The key must be unique for each message, as authenticating
		two different messages with the same key allows an attacker
		to forge messages at will.

	 func Sum(out *[16]byte, m []byte, key *[32]byte)
		Sum generates an authenticator for msg using a one-time key and puts the
		16-byte result into out. Authenticating two different messages with the same
		key allows an attacker to forge messages at will.

	 func Verify(mac *[16]byte, m []byte, key *[32]byte) bool
		Verify returns true if mac is a valid authenticator for m with the given key.

	/* 13 unexporteds ... *//* 13 unexporteds: */
	 func add128(a, b uint128) uint128
	 func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64)
	 func bitsMul64(x, y uint64) (hi, lo uint64)
	 func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64)
	 func finalize(out *[16]byte, h *[3]uint64, s *[2]uint64)
		finalize completes the modular reduction of h and computes

		    out = h + s  mod  2¹²⁸

	 func initialize(key *[32]byte, m *macState)
		initialize loads the 256-bit key into the two 128-bit secret values r and s.

	 func mul64(a, b uint64) uint128
	 func newMACGeneric(key *[32]byte) macGeneric
	 func select64(v, x, y uint64) uint64
		select64 returns x if v == 1 and y if v == 0, in constant time.

	 func shiftRightBy2(a uint128) uint128
	 func sumGeneric(out *[16]byte, msg []byte, key *[32]byte)
	 func update(state *macState, msg []byte)
	 func updateGeneric(state *macState, msg []byte)
		updateGeneric absorbs msg into the state.h accumulator. For each chunk m of
		128 bits of message, it computes

		    h₊ = (h + m) * r  mod  2¹³⁰ - 5

		If the msg length is not a multiple of TagSize, it assumes the last
		incomplete chunk is the final one.


Package-Level Constants (total 8, in which 1 are exported)

	const TagSize = 16
		TagSize is the size, in bytes, of a poly1305 authenticator.

	/* 7 unexporteds ... *//* 7 unexporteds: */
	const maskLow2Bits uint64 = 3
	const maskNotLow2Bits uint64 = 18446744073709551612
	const p0 = 18446744073709551611
		[p0, p1, p2] is 2¹³⁰ - 5 in little endian order.

	const p1 = 18446744073709551615
		[p0, p1, p2] is 2¹³⁰ - 5 in little endian order.

	const p2 = 3
		[p0, p1, p2] is 2¹³⁰ - 5 in little endian order.

	const rMask0 = 1152921487695413247
		[rMask0, rMask1] is the specified Poly1305 clamping mask in little-endian. It
		clears some bits of the secret coefficient to make it possible to implement
		multiplication more efficiently.

	const rMask1 = 1152921487695413244
		[rMask0, rMask1] is the specified Poly1305 clamping mask in little-endian. It
		clears some bits of the secret coefficient to make it possible to implement
		multiplication more efficiently.

The pages are generated with Golds v0.4.2. (GOOS=darwin GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.