Bernstein designed the Salsa20 stream cipher in 2005 and submitted it to eSTREAM for review and possible standardization. He later published the ChaCha20 variant of Salsa20 in 2008. In 2005, he proposed the elliptic curve Curve25519 as a basis for public-key schemes. He worked as the lead researcher on the Ed25519 version of EdDSA. The algorithms made their way into popular software. For example, since 2014, when OpenSSH is compiled without OpenSSL they power most of its operations, and OpenBSD package signing is based on Ed25519.[14][15]
In spring 2005, Bernstein taught a course on "high speed cryptography."[26] He introduced new cache attacks against implementations of AES in the same time period.[27]
He is one of the editors of the 2009 book Post-Quantum Cryptography.[29]
Software
Starting in the mid-1990s, Bernstein wrote a number of security-aware programs, including qmail, ezmlm, djbdns, ucspi-tcp, daemontools, and publicfile.
Bernstein criticized the leading DNS package at the time, BIND, and wrote djbdns as a DNS package with security as a primary goal.[30] Bernstein offers "security guarantees" for qmail and djbdns in the form of monetary rewards for the identification of flaws.[31][32] A purported exploit targeting qmail running on 64-bit platforms was published in 2005,[33][34] but Bernstein believes that the exploit does not fall within the parameters of his qmail security guarantee. In March 2009, Bernstein awarded $1000 to Matthew Dempsky for finding a security flaw in djbdns.[35]
In August 2008, Bernstein announced[36] DNSCurve, a proposal to secure the Domain Name System. DNSCurve applies techniques from elliptic curve cryptography with the goal of providing a vast increase in performance over the RSA public-key algorithm used by DNSSEC. It uses the existing DNS hierarchy to propagate trust by embedding public keys into specially formatted, backward-compatible DNS records.
Bernstein has published a number of papers on mathematics and computation. Many of his papers deal with algorithms or implementations.
In 2001, Bernstein circulated "Circuits for integer factorization: a proposal,"[41] which suggested that, if physical hardware implementations could be brought close to their theoretical efficiency, the then-popular estimates of adequate security parameters might be off by a factor of three. Since 512-bit RSA was breakable at the time, so might be 1536-bit RSA. Bernstein was careful not to make any actual predictions, and emphasized the importance of correctly interpreting asymptotic expressions. Several prominent researchers (among them Arjen Lenstra, Adi Shamir, Jim Tomlinson, and Eran Tromer) disagreed strongly with Bernstein's conclusions.[42] Bernstein has received funding to investigate whether this potential can be realized.[citation needed]
In February 2015, Bernstein and others published a paper on a stateless post-quantum hash-based signature scheme called SPHINCS.[43] In July 2022, SPHINCS+, a signature scheme adapted from SPHINCS by Bernstein and others, was one of four algorithms selected as winners of the NIST Post-Quantum Cryptography Standardization competition. It was the only hash-based algorithm of the four winners.[44][45]
In April 2017, Bernstein and others published a paper on Post-Quantum RSA that includes an integer factorization algorithm claimed to be "often much faster than Shor's".[46]
^ L. F. Klosinski; G. L. Alexanderson; L. C. Larson (Oct 1988). "The William Lowell Putnam Mathematical Competition". The American Mathematical Monthly. Vol. 95, no. 8. pp. 717–727. JSTOR 2322251.
^ L. F. Klosinski; G. L. Alexanderson; L. C. Larson (Oct 1989). "The William Lowell Putnam Mathematical Competition". The American Mathematical Monthly. Vol. 96, no. 8. pp. 688–695. JSTOR 2324716.
^ Steve Babbage; Christophe De Canniere; Anne Canteaut; Carlos Cid; Henri Gilbert; Thomas Johansson; Matthew Parker; Bart Preneel; Vincent Rijmen; Matthew Robshaw. "The eSTREAM Portfolio" (PDF). Archived from the original (PDF) on August 13, 2012. Retrieved April 28, 2010.