Approve Poly1305

[randomstuff]

Poly1305 (as used in Chaha20-Poly1305) is currently not listed as "approved" in the crypto appendix. It should probably be listed somewhere but it does not really fit anywhere in the current sections.

Alernative: approve Chacha20-Poly1305 but we don't currently have a section for this either.

[tghosth]

@unprovable do you agree with the additions in #2563

[randomstuff]

Note that #2563, includes Poly1305-AES but not Poly1305 alone as used in Chacha20-Poly1305 (as far as I understand). I am nor sure we should include "Poly1305" under "Approved MAC Algorithms" (without some BIG warning) as it is not really a "normal" MAC algorithm but a universal hash family which can be used as a one-time MAC.

[unprovable]

Poly1305 is designed to function as a 'tag' creator for AEAD in much the same way that GCM mode for AES produces a similar 16-byte tag (though through very dissimilar means). It's less a 'MAC' in the sense you might be thinking for 'Approved MAC Algorithms'.

I would personally err on caution and not include it in the 'Approved MAC list' alongside other algorithms like HMAC or GMAC (though the latter is technically similar). But having ChaCha20-Poly1305 alongside AES-128/256-GCM modes on an AEAD list might be the answer?

[randomstuff]

But having ChaCha20-Poly1305 alongside AES-128/256-GCM modes on an AEAD list might be the answer?

Yes, I agree but there is currently no list of approved AEAD but only lists of approved AES cipher modes.

But I think, the list of approved mechanisms should be reworked anyway for approved/disaproved/legacy #2398.