A Secure and Efficient Implementation of the Quotient Digital Signature Algorithm (qDSA)

  • Armando Faz-Hernández
  • Hayato Fujii
  • Diego F. Aranha
  • Julio López
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10662)


Digital signatures provide a means to publicly authenticate messages sent over an insecure channel. Recently, the Quotient Digital Signature Algorithm (qDSA) was introduced with the aim of key compatibility with the Diffie-Hellman X25519 function. Because qDSA is so new, an optimized implementation is still needed to assess the real impact of this algorithm. In this work, we focus on the secure and efficient implementation of qDSA. By using precomputation in Joye's right-to-left algorithm, we reduced the running time of signature generation by 30–35% and the running time of the verification procedure by 19%. In addition, for increased security, we present a verification method that validates qDSA signatures unequivocally. All of these improvements were included in an optimized software library targeting 32-bit ARM and 64-bit Intel architectures. The improved performance achieved on these platforms positions qDSA as a competitive alternative for deploying digital signatures efficiently and securely.
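The abstract names the technique behind the speed-up (precomputation applied to Joye's right-to-left algorithm) without showing it. The following is an added illustration written for this page, not code from the paper or its library: Joye's regular right-to-left scalar multiplication on Curve25519 in Montgomery form, first in its original shape (one doubling plus one addition per bit, whatever the bit is), then with the doublings replaced by a precomputed table of the points 2^i·P, as a fixed-base operation such as signing allows. The affine arithmetic, the branching, the square-root routine and all function names are assumptions made for readability; qDSA's own implementation works x-only on the Kummer line and in constant time, and this example claims nothing about the paper's exact algorithm or its measured gains.

```python
# Added illustration (not the paper's code): Joye's right-to-left regular
# scalar multiplication (CHES 2007) on Curve25519, with and without a
# precomputed table of 2^i * P.  Affine formulas with branches and field
# inversions are used so the operation schedule is easy to read; this is
# NOT constant-time and is not the x-only arithmetic qDSA itself uses.

P25519 = 2**255 - 19
A = 486662          # Curve25519: y^2 = x^3 + A*x^2 + x over GF(P25519)
INF = None          # the point at infinity


def inv(a):
    return pow(a, P25519 - 2, P25519)


def sqrt_mod_p(a):
    # P25519 = 5 (mod 8): Atkin's square root, r = a*v*(i-1) with
    # v = (2a)^((p-5)/8) and i = 2*a*v^2, so that i^2 = -1 for a square a.
    a %= P25519
    v = pow(2 * a, (P25519 - 5) // 8, P25519)
    i = 2 * a * v * v % P25519
    r = a * v * (i - 1) % P25519
    if r * r % P25519 != a:
        raise ValueError("not a square")
    return r


def add(S, T):
    # Affine addition on the Montgomery curve, covering the point at
    # infinity, doubling (S == T) and S == -T.
    if S is INF:
        return T
    if T is INF:
        return S
    x1, y1 = S
    x2, y2 = T
    if x1 == x2:
        if (y1 + y2) % P25519 == 0:
            return INF
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % P25519
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P25519
    x3 = (lam * lam - A - x1 - x2) % P25519
    y3 = (lam * (x1 - x3) - y1) % P25519
    return (x3, y3)


def dbl(S):
    return add(S, S)


def double_and_add(k, S):
    # Plain left-to-right double-and-add: the addition happens only on
    # 1-bits, so the operation sequence depends on k.  Reference only.
    R = INF
    for bit in bin(k)[2:]:
        R = dbl(R)
        if bit == "1":
            R = add(R, S)
    return R


def joye_rtl(k, S, nbits=255):
    # Joye's right-to-left algorithm: every iteration performs exactly one
    # doubling and one addition, R[1-b] <- 2*R[1-b] + R[b], whatever b is.
    # Invariant: R[0] + R[1] == 2^i * S at the start of iteration i, and
    # R[0] collects the 1-bits of k, so R[0] == k*S at the end.  (A real
    # implementation selects R[b] with a conditional swap, not an index.)
    R = [INF, S]
    for i in range(nbits):
        b = (k >> i) & 1
        R[1 - b] = add(dbl(R[1 - b]), R[b])
    return R[0]


def precompute(S, nbits=255):
    # Fixed-base table T[i] = 2^i * S, built once per base point.
    T = [S]
    for _ in range(1, nbits):
        T.append(dbl(T[-1]))
    return T


def joye_rtl_fixed_base(k, T):
    # Because R[0] + R[1] == 2^i * S, the step 2*R[1-b] + R[b] is the same
    # point as R[1-b] + 2^i * S.  Reading 2^i * S from the table turns every
    # iteration into a single addition: the doublings leave the online
    # computation, which is the trade precomputation buys for fixed-base
    # operations such as signing.
    R = [INF, T[0]]
    for i, Ti in enumerate(T):
        b = (k >> i) & 1
        R[1 - b] = add(R[1 - b], Ti)
    return R[0]


# Curve25519 base point: x = 9, y recovered from the curve equation.
BASE = (9, sqrt_mod_p(9**3 + A * 9 * 9 + 9))
# Order of the base point (RFC 7748); ORDER * BASE must be the infinity point.
ORDER = 2**252 + 27742317777372353535851937790883648493

if __name__ == "__main__":
    k = 0x2A2B1C3D4E5F60718293A4B5C6D7E8F9   # constructed sample scalar
    T = precompute(BASE)
    assert joye_rtl(k, BASE) == double_and_add(k, BASE) == joye_rtl_fixed_base(k, T)
    assert joye_rtl(ORDER, BASE) is INF
    print("ok")
```

Running the file checks the two regular loops against the non-regular reference on a sample scalar and verifies that multiplying the base point by its group order yields the point at infinity, which exercises the S == -T branch of the addition. The point to take from the two loops is the operation schedule: the first does a doubling and an addition on every bit, the second does one table read and one addition on every bit, and neither schedule depends on the scalar.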


Keywords: qDSA, Digital signatures, Elliptic curve cryptography, Secure software, Montgomery curves



The authors want to thank the anonymous reviewers of the SPACE 2017 conference for their comments on this research project.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Armando Faz-Hernández (1)
  • Hayato Fujii (1)
  • Diego F. Aranha (1)
  • Julio López (1)

  1. Institute of Computing, University of Campinas, Campinas, Brazil
