impl verification algorithm for heea

Author: zz-sol

curve25519-dalek/benches/dalek_benchmarks.rs

@@ -442,10 +442,44 @@ mod scalar_benches {
     }
 }
 
+mod heea_benches {
+    use curve25519_dalek::traits::HEEADecomposition;
+
+    use super::*;
+
+    fn heea_generate_half_size_scalars<M: Measurement>(c: &mut BenchmarkGroup<M>) {
+        let mut rng = rng();
+        let random_scalars: Vec<Scalar> = (0..100)
+            .map(|_| {
+                let mut random_bytes = [0u8; 32];
+                rng.fill_bytes(&mut random_bytes);
+                Scalar::from_bytes_mod_order(random_bytes)
+            })
+            .collect();
+
+        c.bench_function("Generate half-size scalars (hEEA)", |bench| {
+            let mut i = 0;
+            bench.iter(|| {
+                let h = &random_scalars[i % random_scalars.len()];
+                i += 1;
+                h.heea_decompose()
+            })
+        });
+    }
+
+    pub(crate) fn heea_benches() {
+        let mut c = Criterion::default();
+        let mut g = c.benchmark_group("heea benches");
+
+        heea_generate_half_size_scalars(&mut g);
+    }
+}
+
 criterion_main!(
     scalar_benches::scalar_benches,
     montgomery_benches::montgomery_benches,
     ristretto_benches::ristretto_benches,
     edwards_benches::edwards_benches,
     multiscalar_benches::multiscalar_benches,
+    heea_benches::heea_benches,
 );

curve25519-dalek/src/scalar.rs

@@ -2210,4 +2210,4 @@ pub(crate) mod test {
             assert_eq!(a * c.reduce(), reduced_mul_ac);
         }
     }
-}
+}

curve25519-dalek/src/scalar/heea.rs

@@ -182,4 +182,4 @@ mod tests {
         );
         assert_eq!(tau, -I256::ONE, "tau should be -1 for 2^252");
     }
-}
+}

ed25519-dalek/src/verifying.rs

@@ -17,6 +17,7 @@ use curve25519_dalek::{
     edwards::{CompressedEdwardsY, EdwardsPoint},
     montgomery::MontgomeryPoint,
     scalar::Scalar,
+    traits::IsIdentity,
 };
 
 use ed25519::signature::{MultipartVerifier, Verifier};
@@ -381,6 +382,82 @@ impl VerifyingKey {
         }
     }
 
+    /// Verify a signature using the heea half-size scalar optimization.
+    ///
+    /// This implements the algorithm from "Accelerating EdDSA Signature Verification
+    /// with Faster Scalar Size Halving" (TCHES 2025).
+    ///
+    /// The standard verification equation sB = R + hA is transformed to:
+    /// τsB = τR + ρA where ρ ≡ τh (mod ℓ)
+    ///
+    /// Both ρ and τ are approximately half the size of h.
+    ///
+    /// We then decompose τs into two 128-bit scalars:
+    /// τs = τs_hi * 2^128 + τs_lo
+    ///
+    /// The verification equation becomes:
+    /// τs_lo B + τs_hi (2^128 B) = τR + ρA
+    /// which can be done via 4-variable MSM with half-size scalars.
+    #[allow(non_snake_case)]
+    pub fn verify_heea(
+        &self,
+        message: &[u8],
+        signature: &ed25519::Signature,
+    ) -> Result<(), SignatureError> {
+        use curve25519_dalek::traits::HEEADecomposition;
+
+        let signature = InternalSignature::try_from(signature)?;
+
+        let signature_R = signature
+            .R
+            .decompress()
+            .ok_or_else(|| SignatureError::from(InternalError::Verify))?;
+
+        // Logical OR is fine here as we're not trying to be constant time.
+        if signature_R.is_small_order() || self.point.is_small_order() {
+            return Err(InternalError::Verify.into());
+        }
+
+        // Compute h = H(R || A || M)
+        let mut h = Sha512::new();
+        Digest::update(&mut h, signature.R.as_bytes());
+        Digest::update(&mut h, self.compressed.as_bytes());
+        Digest::update(&mut h, message);
+        let h = Scalar::from_hash(h);
+
+        // Generate half-size scalars ρ and τ such that ρ ≡ τh (mod ℓ)
+        // in order to have rho and tau approximately half the size of h
+        // it is possible that we compute ρ ≡ -τh (mod ℓ)
+        // this is indicated by `flip_h` flag being true,
+        // in which case we will need to negate A later
+        let (rho, tau, flip_h) = h.heea_decompose();
+
+        // Standard verification checks: sB = R + hA
+        // Transformed verification: -τsB + τR + ρA == 0
+        let s = signature.s;
+
+        // Compute τs
+        let ts = tau * s;
+        let A = if flip_h { -self.point } else { self.point };
+        let neg_ts = -ts;
+
+        // Compute the multi-scalar multiplication: -τs·B + τ·R + ρ·A
+        let result = EdwardsPoint::vartime_triple_scalar_mul_basepoint(
+            &tau,
+            &signature_R,
+            &rho,
+            &A,
+            &neg_ts,
+        );
+
+        // Check if result is identity (zero point)
+        if result.is_identity() {
+            Ok(())
+        } else {
+            Err(InternalError::Verify.into())
+        }
+    }
+
     /// Constructs stream verifier with candidate `signature`.
     ///
     /// Useful for cases where the whole message is not available all at once, allowing the

ed25519-dalek/tests/ed25519.rs

@@ -95,6 +95,13 @@ mod vectors {
                 "Signature strict verification failed on line {}",
                 lineno
             );
+            assert!(
+                expected_verifying_key
+                    .verify_heea(&msg_bytes, &sig2)
+                    .is_ok(),
+                "Signature heea verification failed on line {}",
+                lineno
+            );
         }
     }
 
@@ -239,6 +246,8 @@ mod vectors {
         // small order pubkeys.
         assert!(vk.verify_strict(message1, &sig).is_err());
         assert!(vk.verify_strict(message2, &sig).is_err());
+        assert!(vk.verify_heea(message1, &sig).is_err());
+        assert!(vk.verify_heea(message2, &sig).is_err());
     }
 
     // Identical to repudiation() above, but testing verify_prehashed against
@@ -323,6 +332,10 @@ mod integrations {
             verifying_key.verify_strict(good, &good_sig).is_ok(),
             "Strict verification of a valid signature failed!"
         );
+        assert!(
+            verifying_key.verify_heea(good, &good_sig).is_ok(),
+            "HEEA verification of a valid signature failed!"
+        );
         assert!(
             signing_key.verify(good, &bad_sig).is_err(),
             "Verification of a signature on a different message passed!"
@@ -331,6 +344,10 @@ mod integrations {
             verifying_key.verify_strict(good, &bad_sig).is_err(),
             "Strict verification of a signature on a different message passed!"
         );
+        assert!(
+            verifying_key.verify_heea(good, &bad_sig).is_err(),
+            "HEEA verification of a signature on a different message passed!"
+        );
         assert!(
             signing_key.verify(bad, &good_sig).is_err(),
             "Verification of a signature on a different message passed!"
@@ -339,6 +356,10 @@ mod integrations {
             verifying_key.verify_strict(bad, &good_sig).is_err(),
             "Strict verification of a signature on a different message passed!"
         );
+        assert!(
+            verifying_key.verify_heea(bad, &good_sig).is_err(),
+            "HEEA verification of a signature on a different message passed!"
+        );
     }
 
     #[cfg(feature = "digest")]
@@ -727,4 +748,100 @@ mod serialisation {
             BINCODE_INT_LENGTH + SECRET_KEY_LENGTH
         );
     }
+
+    // Test verify_heea against standard verification
+    // verify_heea should accept the same signatures as verify_strict
+    #[test]
+    fn verify_heea_basic() {
+        let sec_bytes =
+            hex::decode("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
+                .unwrap();
+        let pub_bytes =
+            hex::decode("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
+                .unwrap();
+        let msg_bytes = b"";
+        let sig_bytes = hex::decode("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b").unwrap();
+
+        let sec_bytes: &[u8; 32] = sec_bytes.as_slice().try_into().unwrap();
+        let pub_bytes: &[u8; 32] = pub_bytes.as_slice().try_into().unwrap();
+
+        let signing_key = SigningKey::from_bytes(sec_bytes);
+        let verifying_key = VerifyingKey::from_bytes(pub_bytes).unwrap();
+        assert_eq!(verifying_key, signing_key.verifying_key());
+
+        let sig = Signature::try_from(&sig_bytes[..]).unwrap();
+
+        // Test that verify_heea accepts the same signatures as verify_strict
+        assert!(
+            verifying_key.verify_heea(msg_bytes, &sig).is_ok(),
+            "verify_heea failed for valid signature"
+        );
+        assert!(
+            verifying_key.verify_strict(msg_bytes, &sig).is_ok(),
+            "verify_strict failed for valid signature"
+        );
+    }
+
+    // Test verify_heea with multiple test vectors
+    #[test]
+    fn verify_heea_test_vectors() {
+        let test_cases = vec![
+            (
+                "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7",
+                "fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+                "af82",
+                "6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a",
+            ),
+            (
+                "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
+                "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+                "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0",
+                "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
+            ),
+        ];
+
+        for (_secret, public, message, signature) in test_cases {
+            let pub_bytes = hex::decode(public).unwrap();
+            let msg_bytes = hex::decode(message).unwrap();
+            let sig_bytes = hex::decode(signature).unwrap();
+
+            let pub_bytes: &[u8; 32] = pub_bytes.as_slice().try_into().unwrap();
+            let verifying_key = VerifyingKey::from_bytes(pub_bytes).unwrap();
+            let sig = Signature::try_from(&sig_bytes[..]).unwrap();
+
+            // Test that verify_heea accepts valid signatures
+            assert!(
+                verifying_key.verify_heea(&msg_bytes, &sig).is_ok(),
+                "verify_heea failed for test vector with public key: {}",
+                public
+            );
+
+            // Also verify with standard verification
+            assert!(
+                verifying_key.verify_strict(&msg_bytes, &sig).is_ok(),
+                "verify_strict failed for test vector with public key: {}",
+                public
+            );
+        }
+    }
+
+    // Test that verify_heea rejects invalid signatures
+    #[test]
+    fn verify_heea_rejects_invalid() {
+        let pub_bytes =
+            hex::decode("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
+                .unwrap();
+        let msg_bytes = b"test message";
+        let sig_bytes = hex::decode("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b").unwrap();
+
+        let pub_bytes: &[u8; 32] = pub_bytes.as_slice().try_into().unwrap();
+        let verifying_key = VerifyingKey::from_bytes(pub_bytes).unwrap();
+        let sig = Signature::try_from(&sig_bytes[..]).unwrap();
+
+        // This signature is valid for an empty message, but we're verifying with a different message
+        assert!(
+            verifying_key.verify_heea(msg_bytes, &sig).is_err(),
+            "verify_heea should reject invalid signature"
+        );
+    }
 }