3 Nov 2004 21:20
Poly1305-AES
D. J. Bernstein <djb <at> cr.yp.to>
2004-11-03 20:20:32 GMT
I've posted a paper on the Poly1305-AES message-authentication code. See http://cr.yp.to/papers.html#poly1305. Software is coming soon.

The big advantage of Poly1305-AES over hash127 is that keys are stored in just 32 bytes---no expansion required. In applications that deal with a large number of keys simultaneously, hash127 pays a big speed penalty for constantly missing the cache or constantly re-expanding keys; Poly1305-AES avoids this problem. For this reason, I recommend switching from hash127 (and UMAC and many other functions) to Poly1305-AES.

Other API improvements:

* Poly1305-AES incorporates AES, as you might guess from the name.
* Messages and authenticators are byte strings rather than int32 strings.

You provide a 32-byte key, a 16-byte nonce, and a byte array containing the message; you receive a 16-byte authenticator; that's it.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
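The calling convention described in the message above (32-byte key, 16-byte nonce, byte-string message in; 16-byte authenticator out), as an added pure-Python example that is not part of the original post and is not the author's software. It follows the construction in the Poly1305-AES paper; the function names are hypothetical, the key is assumed to be laid out as the 16-byte AES key followed by the 16-byte `r`, and the bundled table-based AES-128 is not constant-time.

```python
# Added illustration, not D. J. Bernstein's software; function names are hypothetical.
P = (1 << 130) - 5  # Poly1305 works modulo the prime 2^130 - 5

def _rotl8(x, n): return ((x << n) | (x >> (8 - n))) & 0xff
def _xtime(a): return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1

def _make_sbox():
    s, p, q = [0x63] * 256, 1, 1  # p walks the powers of 3 in GF(2^8), q their inverses
    while True:
        p ^= _xtime(p)
        for sh in (1, 2, 4): q ^= q << sh
        q &= 0xff
        if q & 0x80: q ^= 0x09
        s[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1: return s
SBOX = _make_sbox()

def _expand_key(k):
    w, rcon = [list(k[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 44, 4)]  # 11 round keys

def aes128_encrypt_block(k, block):
    rk = _expand_key(k)
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd < 10:                                        # MixColumns
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                s[c:c + 4] = [a[j] ^ t ^ _xtime(a[j] ^ a[(j + 1) % 4]) for j in range(4)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

def poly1305_aes(key, nonce, msg):
    if len(key) != 32 or len(nonce) != 16: raise ValueError("need 32-byte key, 16-byte nonce")
    # Assumed layout: key = AES key k || r. Clamping r is a no-op on a well-formed key.
    r = int.from_bytes(key[16:], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    h = 0
    for i in range(0, len(msg), 16):  # Horner evaluation of the message polynomial at r
        h = (h + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P
    s = int.from_bytes(aes128_encrypt_block(key[:16], nonce), "little")
    return ((h + s) % (1 << 128)).to_bytes(16, "little")
```

A receiver recomputes the authenticator and should compare it with a constant-time check such as `hmac.compare_digest`. A nonce must never be reused under the same key.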