• Publications
  • Influence
Curve25519: New Diffie-Hellman Speed Records
  • D. Bernstein
  • Computer Science
    Public Key Cryptography
  • 24 April 2006
This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles more than twice as fast as other authors' results at the same conjectured security level.
Cache-timing attacks on AES
This paper demonstrates complete AES key recovery from known-plaintext timings of a network server on another computer and discusses several of the obstacles to constant-time high-speed AES software for common general-purpose computers.
High-speed high-security signatures
This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2128
Twisted Edwards Curves
This paper introduces "twisted Edwards curves," a generalization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular
The Poly1305-AES Message-Authentication Code
The security of Poly1305-AES is very close to the security of AES; the security gap is at most 14D⌈L/16⌉/2106 if messages have at most L bytes, the attacker sees at most 264 authenticated messages, and the attacker attempts D forgeries.
Faster Addition and Doubling on Elliptic Curves
An extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, non-mixed addition, and unified addition) as well as higher-level operations such as multi-scalar multiplication.
SPHINCS: Practical Stateless Hash-Based Signatures
A high-security post-quantum stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU, allowing it to be a drop-in replacement for current signature schemes.
The Salsa20 Family of Stream Ciphers
  • D. Bernstein
  • Computer Science, Mathematics
    The eSTREAM Finalists
  • 1 April 2008
The S salsa20 designer presents Salsa20 and discusses the decisions made in the Salsa 20 design, which is consistently faster than AES and is recommended by the designer for typical cryptographic applications.
Attacking and defending the McEliece cryptosystem
New parameters for the McEliece and Niederreiter cryptosystems achieving standard levels of security against all known attacks are proposed, and the resulting public-key sizes are considerably smaller than previous parameter choices for the same level of security.
On the Security of RC4 in TLS
C ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption are presented, building on recent advances in the statistical analysis of RC4, and on new findings announced in this paper.