Open main menu

Daniel J. Bernstein

Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a German-American[2] mathematician, cryptologist, and programmer. He is a Personal professor ("Persoonlijk hoogleraar") in the department of mathematics and computer science at the Technische Universiteit Eindhoven, as well as a Research Professor of Computer Science at the University of Illinois at Chicago.

Daniel J. Bernstein
Dan Bernstein 27C3.jpg
Born (1971-10-29) October 29, 1971 (age 47)
NationalityAmerican, German[1]
Alma materUniversity of California, Berkeley
New York University
Known forqmail, djbdns, Salsa20, ChaCha20, Poly1305, Curve25519
Scientific career
FieldsMathematics, Cryptography,
Computer Security
InstitutionsUniversity of Illinois at Chicago, Eindhoven University of Technology
Doctoral advisorHendrik Lenstra

In the mid-1990s security was not a primary design concern in internet software development and cryptography was subject to strict export controls. Bernstein attempted to address this situation by designing and implementing secure email and DNS services (qmail, ezmlm, djbdns, etc.) and by suing the United States Government in 1995 (Bernstein v. United States). His software received significant attention and no bugs were found in it for eight years despite the monetary rewards he offered for them (more below). Bernstein was merciless in his criticism of the leading email and DNS packages of the time, Sendmail and BIND, both supported by large teams of programmers and widely distributed. (Sendmail and BIND were significantly less efficient, more difficult to configure, and bug-prone by design when compared with his replacement packages.)

Bernstein's qmail, publicfile, and djbdns packages were released as license-free software and, for this reason, were not included in certain open-source Linux distributions (e.g., Debian) despite the fact that they were used internally by their development teams. This issue was resolved when Bernstein released the source code of his projects into the public domain in 2007.

Bernstein designed the Salsa20 stream cipher in 2005 and submitted it to eSTREAM for review and possible standardization. A closely related stream cipher, ChaCha20, was published by him in 2008. He also proposed the elliptic curve Curve25519 as a basis for public-key schemes in 2005, and worked as the lead researcher on the Ed25519 version of EdDSA.

Nearly a decade later Edward Snowden's disclosure of mass surveillance by the National Security Agency and the discovery of a backdoor in their Dual_EC_DRBG, raised suspicions of the elliptic curve parameters proposed by NSA and standardized by NIST.[3] Many researchers feared[4] that the NSA had chosen curves that gave them a cryptanalytic advantage.[5][6] Since then, Curve25519 and EdDSA have attracted much greater attention. Google has also selected ChaCha20 along with Bernstein's Poly1305 message authentication code for use in TLS, which is widely used for Internet security.[7] Many protocols based on his works have now been adopted by various standards organizations and are used in a variety of applications, such as Apple iOS,[8] the Linux kernel,[9] OpenSSH,[10][11] and Tor.[12]


Early lifeEdit

Bernstein attended Bellport High School, a public high school on Long Island, graduating in 1987 at the age of 15.[13] The same year, he ranked fifth in the Westinghouse Science Talent Search.[14] In 1987 (at the age of 16), he achieved a Top 10 ranking in the William Lowell Putnam Mathematical Competition.[15] Bernstein earned a B.A. in Mathematics from New York University (1991) and a Ph.D. in Mathematics from the University of California, Berkeley (1995), where he studied under Hendrik Lenstra.

Bernstein v. United StatesEdit

Bernstein brought the court case Bernstein v. United States. The ruling in the case declared that software was protected speech under the First Amendment, and national restrictions on encryption software were overturned. Bernstein was originally represented by the Electronic Frontier Foundation, but he later represented himself despite having no formal training as a lawyer.[16]

Software securityEdit

In the autumn of 2004, Bernstein taught a course on computer software security, entitled "UNIX Security Holes." As an assignment, he demanded from each student to find ten zeroday exploits in published software. The sixteen members of the class discovered 91 new UNIX security holes.[17] Bernstein, founder of the securesoftware mailing list and long a promoter of the idea that full disclosure is the best means of fostering security, publicly announced 44 of them with sample exploit code.

Bernstein explained in 2005 that he was pursuing a strategy to "produce invulnerable computer systems." He plans to achieve this by putting the vast majority of computer software into an "extreme sandbox" that only allows it to transform input into output, and by employing defect-free software (like qmail and djbdns) for the remaining components that need additional privileges. He concludes: "I won’t be satisfied until I've put the entire security industry out of work."[18]

In spring 2005 Bernstein taught a course on "high speed cryptography."[19] He introduced new attacks against implementations of AES (cache attacks) in the same time period.[20]

In April 2008,[21] Bernstein's stream cipher "Salsa20" was selected as a member of the final portfolio of the eSTREAM project, part of a European Union research directive.

In 2011, Bernstein published RFSB, a variant of the Fast Syndrome Based Hash function.

Secure softwareEdit

Bernstein has written a number of security-aware programs, including:

Bernstein offers "security guarantees" for qmail and djbdns in the form of monetary rewards for the identification of flaws. A purported exploit targeting qmail running on 64-bit platforms was published in 2005,[22][23] but Bernstein believes that the exploit does not fall within the parameters of his qmail security guarantee. In March 2009, Bernstein awarded $1000 to Matthew Dempsky for finding a security flaw in djbdns.[24]

In August 2008, Bernstein announced[25] DNSCurve, a proposal to secure the Domain Name System. DNSCurve applies techniques from elliptic curve cryptography to provide a vast increase in performance over the RSA public-key algorithm used by DNSSEC. It uses the existing DNS hierarchy to propagate trust by embedding public keys into specially formatted, backward-compatible DNS records.

Since 2014, when OpenSSH is compiled without OpenSSL, only Bernstein's algorithms are included: Ed25519 keys,[26] Curve25519 key exchange[27] and ChaCha20-Poly1305 transport cipher (though complemented by AES-CTR).[28][29] Additionally, the cryptography used by OpenBSD for release and package authentication is also based on the algorithms of Bernstein.[30][31] The signature mechanism for package releases and the non-OpenSSL options in OpenSSH first appeared in OpenBSD 5.5,[32] which was the first release to contain any of Bernstein's cryptographic code.


Bernstein has published a number of papers on mathematics and computation. Many of his papers deal with algorithms or implementations. He also wrote a survey titled "Multidigit multiplication for mathematicians".[33]

In 2001 Bernstein circulated "Circuits for integer factorization: a proposal,"[34] which suggested that, if physical hardware implementations could be brought close to their theoretical efficiency, the then-popular estimates of adequate security parameters might be off by a factor of three. Since 512-bit RSA was breakable at the time, so might be 1536-bit RSA. Bernstein was careful not to make any actual predictions, and emphasized the importance of correctly interpreting asymptotic expressions. Several prominent researchers (among them Arjen Lenstra, Adi Shamir, Jim Tomlinson, and Eran Tromer) disagreed strongly with Bernstein's conclusions.[35] Bernstein has received funding to investigate whether this potential can be realized.

Bernstein is also the author of the mathematical libraries DJBFFT, a fast portable FFT library, and primegen, an asymptotically fast small prime sieve with low memory footprint based on the sieve of Atkin (rather than the more usual sieve of Eratosthenes). Both have been used effectively in the search for large prime numbers.

In 2007 Bernstein proposed the use of a (twisted) Edwards curve, Curve25519, as a basis for elliptic curve cryptography; it is employed in Ed25519 implementation of EdDSA.

In February 2015, Bernstein and others published a paper on stateless post-quantum hash-based signatures, called SPHINCS.[36]

In April 2017, Bernstein and others published a paper on Post-Quantum RSA that includes an integer factorization algorithm claimed to be "often much faster than Shor's".[37]

Bernstein's paper on Faster batch forgery identification has been implemented in the libsecp256k1 crypto library used in Bitcoin.[38]

Other workEdit

Bernstein proposed Internet Mail 2000, an alternative system for electronic mail, intended to replace the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP3) and the Internet Message Access Protocol (IMAP).[39]

He is one of the editors of, and a primary contributor to, the 2009 book Post-Quantum Cryptography.

Bernstein is also known for his popular string hashing function djb2.[40][41]

See alsoEdit


  1. ^ a b Daniel J. Bernstein (2007-01-15). "Curriculum vitae" (pdf). Retrieved March 22, 2017.
  2. ^ J. Bernstein, Daniel. "Curriculum vitae" (PDF). Retrieved 3 August 2016.
  3. ^
  4. ^ Maxwell, Gregory (September 8, 2013). "[tor-talk] NIST approved crypto in Tor?". Retrieved 2015-05-20.
  5. ^ "SafeCurves: Rigidity". Retrieved 2015-05-20.
  6. ^ "The NSA Is Breaking Most Encryption on the Internet - Schneier on Security". Retrieved 2015-05-20.
  7. ^ A. Langley, W. Chang, N. Mavrogiannopoulos, J. Strombergson, S. Josefsson (2015-12-16). "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)". Internet Draft.CS1 maint: Uses authors parameter (link)
  8. ^ iOS Security Guide
  9. ^ Corbet, Jonathan. "Replacing /dev/urandom". Linux Weekly News. Retrieved 2016-09-20.
  10. ^ Miller, Damien (2016-05-03). "ssh/PROTOCOL.chacha20poly1305". Super User's BSD Cross Reference: PROTOCOL.chacha20poly1305. Retrieved 2016-09-07.
  11. ^ Murenin, Constantine A. (2013-12-11). Unknown Lamer, ed. "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2016-09-07.
  12. ^ Roger Dingledine & Nick Mathewson. "Tor's Protocol Specifications - Blog". Retrieved 20 December 2014.
  13. ^ "New Yorkers Excel In Contest". New York Times. 1987-01-21. Retrieved November 9, 2008.
  14. ^ "TWO GIRLS WIN WESTINGHOUSE COMPETITION". New York Times. 1987-01-21. Retrieved March 14, 2011.
  15. ^ L. F. Klosinski; G. L. Alexanderson; L. C. Larson (Oct 1988). "The William Lowell Putnam Mathematical Competition". The American Mathematical Monthly. 95 (8). pp. 717–727. JSTOR 2322251.
  16. ^ [1]
  17. ^
  18. ^ Daniel J. Bernstein (2005-01-07). "Selected Research Activities" (PDF).
  19. ^ Daniel J. Bernstein. "MCS 590, High-Speed Cryptography, Spring 2005". Authenticators and signatures. Retrieved September 23, 2005.
  20. ^ Daniel J. Bernstein (2004-04-17). "Cache timing attacks on AES" (PDF). cd9faae9bd5308c440df50fc26a517b4.
  21. ^ Steve Babbage; Christophe De Canniere; Anne Canteaut; Carlos Cid; Henri Gilbert; Thomas Johansson; Matthew Parker; Bart Preneel; Vincent Rijmen; Matthew Robshaw. "The eSTREAM Portfolio" (PDF). Retrieved April 28, 2010.
  22. ^ Georgi Guninski (2005-05-31). "Georgi Guninski security advisory #74, 2005". Retrieved September 23, 2005.
  23. ^ James Craig Burley (2005-05-31). "My Take on Georgi Guninski's qmail Security Advisories".
  24. ^ Daniel J. Bernstein (2009-03-04). "djbdns<=1.05 lets AXFRed subdomains overwrite domains".
  25. ^ Daniel J. Bernstein. "High-speed cryptography".
  26. ^ Miller, Damien, ed. (2014-12-21). "ssh/sshkey.c#keytypes". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-28.
  27. ^ Friedl, Markus (2014-04-29). "ssh/kex.c#kexalgs". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-27.
  28. ^ Miller, Damien, ed. (2014-06-24). "ssh/cipher.c#ciphers". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-27.
  29. ^ Murenin, Constantine A. (2014-04-30). Soulskill, ed. "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
  30. ^ Unangst, Ted (2014-11-20). krw, ed. "signify.c". BSD Cross Reference, OpenBSD src/usr.bin/signify/. Retrieved 2014-12-28.
  31. ^ Murenin, Constantine A. (2014-01-19). Soulskill, ed. "OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto". Slashdot. Retrieved 2014-12-27.
  32. ^ Murenin, Constantine A. (2014-05-01). timothy, ed. "OpenBSD 5.5 Released". Slashdot. Retrieved 2014-12-27.
  33. ^ Daniel J. Bernstein (2001-08-11). "Multidigit multiplication for mathematicians".
  34. ^ Daniel J. Bernstein (2001-11-09). "Circuits for integer factorization: a proposal".
  35. ^ Arjen K. Lenstra; Adi Shamir; Jim Tomlinson; Eran Tromer (2002). "Analysis of Bernstein's Factorization Circuit". Proc. Asiacrypt. LNCS 2501: 1–26.
  36. ^
  37. ^
  38. ^
  39. ^
  40. ^ Yigit, Ozan. "String hash functions".
  41. ^ "Hash function constants selection discussion".

Further readingEdit

External linksEdit