A Secure and Efficient Implementation of the Quotient Digital Signature Algorithm (qDSA)

  • Armando Faz-Hernández
  • Hayato Fujii
  • Diego F. Aranha
  • Julio López
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10662)


Digital signatures provide a means to publicly authenticate messages sent over an insecure channel. Recently, the Quotient Digital Signature Algorithm (qDSA) was introduced with the goal of key compatibility with the Diffie-Hellman function X25519. Because qDSA is so new, an optimized implementation is still needed to measure the real impact of this algorithm. In this work we focus on the secure and efficient implementation of qDSA. By applying precomputation to Joye's right-to-left scalar multiplication algorithm, we reduce the running time of signature generation by 30–35% and the running time of verification by 19%. In addition, for increased security, we present a verification method that validates qDSA signatures unequivocally. All of these improvements are included in an optimized software library targeting 32-bit ARM and 64-bit Intel architectures. The performance achieved on these platforms positions qDSA as a competitive alternative for deploying digital signatures efficiently and securely.
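The performance idea named in the abstract, precomputation on Joye's right-to-left algorithm, rests on one observation: in a right-to-left ladder the doublings T ← 2T depend only on the base point, never on the scalar, so for the fixed-base multiplications in signing (nonce times the generator) the sequence 2^i·P can be tabulated once and every later signature costs one addition per bit and no doublings. The example below is added here to illustrate that observation; it is not the authors' library (which uses x-only projective Montgomery arithmetic in C and assembly), and it uses plain affine Curve25519 arithmetic with Python integers, so it is a correctness reference rather than a constant-time implementation. The curve constants are the public Curve25519 parameters; the ladder is the textbook add-always right-to-left variant, with the identity represented as `None`, and is not a line-by-line transcription of the paper's algorithm.

```python
# Added illustration (not the paper's code): Joye-style regular right-to-left
# scalar multiplication on Curve25519, with and without a precomputed table of
# 2^i * P.  Affine arithmetic over GF(2^255-19); NOT constant-time, for study only.

P25519 = 2**255 - 19
A = 486662                     # Montgomery curve y^2 = x^3 + A x^2 + x  (B = 1)
ELL = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
GX = 9                         # x-coordinate of the standard base point


def inv(a):
    return pow(a, P25519 - 2, P25519)


def sqrt_mod_p(a):
    """Square root modulo p = 2^255-19 (p = 5 mod 8); None if a is a non-residue."""
    a %= P25519
    r = pow(a, (P25519 + 3) // 8, P25519)
    if r * r % P25519 == a:
        return r
    r = r * pow(2, (P25519 - 1) // 4, P25519) % P25519   # multiply by sqrt(-1)
    return r if r * r % P25519 == a else None


def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x * x + x)) % P25519 == 0


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P25519)


def add(p, q):
    """Affine addition on the Montgomery curve; None is the point at infinity.
    The p == -q case matters: a ladder over the group order hits it on the last step."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P25519 == 0:
            return None                                   # p == -q
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % P25519   # doubling slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P25519
    x3 = (lam * lam - A - x1 - x2) % P25519
    y3 = (lam * (x1 - x3) - y1) % P25519
    return (x3, y3)


def double(p):
    return add(p, p)


def scalar_mult_ref(k, p):
    """Plain left-to-right double-and-add, used only as a correctness reference."""
    r = None
    for bit in bin(k)[2:]:
        r = double(r)
        if bit == "1":
            r = add(r, p)
    return r


def joye_rtl(k, p, nbits=253):
    """Regular right-to-left ladder: every iteration performs exactly one addition
    and one doubling whatever the bit is.  R[0] absorbs the zero bits (a dummy
    accumulator that is never returned); R[1] accumulates k*P."""
    R = [None, None]
    T = p
    for i in range(nbits):
        b = (k >> i) & 1
        R[b] = add(R[b], T)
        T = double(T)                      # scalar-independent: only depends on P
    return R[1]


def precompute_table(p, nbits=253):
    """The scalar-independent half of the ladder: T_i = 2^i * P for a fixed base."""
    table, T = [], p
    for _ in range(nbits):
        table.append(T)
        T = double(T)
    return table


def joye_rtl_precomp(k, table):
    """Same ladder with the doublings removed: one table addition per scalar bit."""
    R = [None, None]
    for i, T in enumerate(table):
        b = (k >> i) & 1
        R[b] = add(R[b], T)
    return R[1]


def base_point():
    """Recover a y-coordinate for x = 9; either root gives a point of order ELL."""
    return (GX, sqrt_mod_p(GX**3 + A * GX**2 + GX))
```

Running `joye_rtl(ELL, base_point())` returns `None` because the final step adds (ℓ − 2^252)·G to 2^252·G, which is exactly the P + (−P) exceptional case; a real implementation must make sure such inputs cannot reach formulas that misbehave on them, which is part of why the paper's unequivocal verification and its validation of inputs matter.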


Keywords: qDSA; Digital signatures; Elliptic curve cryptography; Secure software; Montgomery curves



The authors want to thank the anonymous reviewers of the SPACE 2017 conference for their comments on this research project.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Armando Faz-Hernández, Hayato Fujii, Diego F. Aranha, Julio López
    Institute of Computing, University of Campinas, Campinas, Brazil
