trezor-firmware/tests/device_tests/test_cosi.py

# This file is part of the Trezor project.
#
# Copyright (C) 2012-2019 SatoshiLabs and contributors
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License version 3
# as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the License along with this library.
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.

from hashlib import sha256

import pytest

from trezorlib import cosi
from trezorlib.tools import parse_path


@pytest.mark.skip_t2
class TestCosi:
    def test_cosi_commit(self, client):
        digest = sha256(b"this is a message").digest()

        c0 = cosi.commit(client, parse_path("10018'/0'"), digest)
        c1 = cosi.commit(client, parse_path("10018'/1'"), digest)
        c2 = cosi.commit(client, parse_path("10018'/2'"), digest)

        assert c0.pubkey != c1.pubkey
        assert c0.pubkey != c2.pubkey
        assert c1.pubkey != c2.pubkey

        assert c0.commitment != c1.commitment
        assert c0.commitment != c2.commitment
        assert c1.commitment != c2.commitment

        digestb = sha256(b"this is a different message").digest()

        c0b = cosi.commit(client, parse_path("10018'/0'"), digestb)
        c1b = cosi.commit(client, parse_path("10018'/1'"), digestb)
        c2b = cosi.commit(client, parse_path("10018'/2'"), digestb)

        assert c0.pubkey == c0b.pubkey
        assert c1.pubkey == c1b.pubkey
        assert c2.pubkey == c2b.pubkey

        assert c0.commitment != c0b.commitment
        assert c1.commitment != c1b.commitment
        assert c2.commitment != c2b.commitment

    def test_cosi_sign(self, client):
        digest = sha256(b"this is a message").digest()

        c0 = cosi.commit(client, parse_path("10018'/0'"), digest)
        c1 = cosi.commit(client, parse_path("10018'/1'"), digest)
        c2 = cosi.commit(client, parse_path("10018'/2'"), digest)

        global_pk = cosi.combine_keys([c0.pubkey, c1.pubkey, c2.pubkey])
        global_R = cosi.combine_keys([c0.commitment, c1.commitment, c2.commitment])

        # fmt: off
        sig0 = cosi.sign(client, parse_path("10018'/0'"), digest, global_R, global_pk)
        sig1 = cosi.sign(client, parse_path("10018'/1'"), digest, global_R, global_pk)
        sig2 = cosi.sign(client, parse_path("10018'/2'"), digest, global_R, global_pk)
        # fmt: on

        sig = cosi.combine_sig(
            global_R, [sig0.signature, sig1.signature, sig2.signature]
        )

        cosi.verify_combined(sig, digest, global_pk)

    def test_cosi_compat(self, client):
        digest = sha256(b"this is not a pipe").digest()
        remote_commit = cosi.commit(client, parse_path("10018'/0'"), digest)

        local_privkey = sha256(b"private key").digest()[:32]
        local_pubkey = cosi.pubkey_from_privkey(local_privkey)
        local_nonce, local_commitment = cosi.get_nonce(local_privkey, digest, 42)

        global_pk = cosi.combine_keys([remote_commit.pubkey, local_pubkey])
        global_R = cosi.combine_keys([remote_commit.commitment, local_commitment])

        remote_sig = cosi.sign(
            client, parse_path("10018'/0'"), digest, global_R, global_pk
        )
        local_sig = cosi.sign_with_privkey(
            digest, local_privkey, global_pk, local_nonce, global_R
        )
        sig = cosi.combine_sig(global_R, [remote_sig.signature, local_sig])

        cosi.verify_combined(sig, digest, global_pk)
regenerate license headers This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file. 2018-06-21 14:28:34 +00:00			`# This file is part of the Trezor project.`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00			`#`
python: add or update licence headers 2019-05-29 16:44:09 +00:00			`# Copyright (C) 2012-2019 SatoshiLabs and contributors`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00			`#`
			`# This library is free software: you can redistribute it and/or modify`
regenerate license headers This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file. 2018-06-21 14:28:34 +00:00			`# it under the terms of the GNU Lesser General Public License version 3`
			`# as published by the Free Software Foundation.`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Lesser General Public License for more details.`
			`#`
regenerate license headers This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file. 2018-06-21 14:28:34 +00:00			`# You should have received a copy of the License along with this library.`
			`# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
device tests: simplify, drop unittest dependency 2017-12-23 20:20:49 +00:00			`from hashlib import sha256`
tests: update imports after tests.support move 2018-04-18 12:00:11 +00:00
style: apply black/isort 2018-08-13 16:21:24 +00:00			`import pytest`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
style: apply black/isort 2018-08-13 16:21:24 +00:00			`from trezorlib import cosi`
tests: update to use parse_path 2018-04-18 13:53:40 +00:00			`from trezorlib.tools import parse_path`

tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
device_tests: use skip_t1 and skip_t2 markers 2017-12-19 18:24:18 +00:00			`@pytest.mark.skip_t2`
tests: drop TrezorTest class 2019-09-11 12:29:39 +00:00			`class TestCosi:`
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`def test_cosi_commit(self, client):`
style: apply black/isort 2018-08-13 16:21:24 +00:00			`digest = sha256(b"this is a message").digest()`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`c0 = cosi.commit(client, parse_path("10018'/0'"), digest)`
			`c1 = cosi.commit(client, parse_path("10018'/1'"), digest)`
			`c2 = cosi.commit(client, parse_path("10018'/2'"), digest)`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
			`assert c0.pubkey != c1.pubkey`
			`assert c0.pubkey != c2.pubkey`
			`assert c1.pubkey != c2.pubkey`

			`assert c0.commitment != c1.commitment`
			`assert c0.commitment != c2.commitment`
			`assert c1.commitment != c2.commitment`

style: apply black/isort 2018-08-13 16:21:24 +00:00			`digestb = sha256(b"this is a different message").digest()`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`c0b = cosi.commit(client, parse_path("10018'/0'"), digestb)`
			`c1b = cosi.commit(client, parse_path("10018'/1'"), digestb)`
			`c2b = cosi.commit(client, parse_path("10018'/2'"), digestb)`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
			`assert c0.pubkey == c0b.pubkey`
			`assert c1.pubkey == c1b.pubkey`
			`assert c2.pubkey == c2b.pubkey`

			`assert c0.commitment != c0b.commitment`
			`assert c1.commitment != c1b.commitment`
			`assert c2.commitment != c2b.commitment`

tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`def test_cosi_sign(self, client):`
style: apply black/isort 2018-08-13 16:21:24 +00:00			`digest = sha256(b"this is a message").digest()`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`c0 = cosi.commit(client, parse_path("10018'/0'"), digest)`
			`c1 = cosi.commit(client, parse_path("10018'/1'"), digest)`
			`c2 = cosi.commit(client, parse_path("10018'/2'"), digest)`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
cosi: move things around ed25519raw is moved back to trezorlib ed25519cosi is renamed to cosi, and has a couple more functions, with the expectation that TrezorClient.cosi_* methods will move there. Also most code shouldn't need ed25519raw for anything, so it might get renamed to "_ed25519" to indicate that it's a private implementation. For now, I added a "verify" method to cosi, so that you don't need to call into ed25519raw.checkvalid. But trezor-core's keyctl is also using ed25519raw.publickey. I'm not sure if that's worth replicating in cosi, or whether to just leave it be, so I'm leaving it be for now. Importantly, new function "sign_with_privkey" does that math thing that was part of the selftest and is also explicitly listed in keyctl. (it's called sign_with_privkey because I expect to have a "sign" method here that calls into Trezor) 2018-05-17 10:53:01 +00:00			`global_pk = cosi.combine_keys([c0.pubkey, c1.pubkey, c2.pubkey])`
			`global_R = cosi.combine_keys([c0.commitment, c1.commitment, c2.commitment])`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
style: apply black/isort 2018-08-13 16:21:24 +00:00			`# fmt: off`
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`sig0 = cosi.sign(client, parse_path("10018'/0'"), digest, global_R, global_pk)`
			`sig1 = cosi.sign(client, parse_path("10018'/1'"), digest, global_R, global_pk)`
			`sig2 = cosi.sign(client, parse_path("10018'/2'"), digest, global_R, global_pk)`
style: apply black/isort 2018-08-13 16:21:24 +00:00			`# fmt: on`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
style: apply black/isort 2018-08-13 16:21:24 +00:00			`sig = cosi.combine_sig(`
			`global_R, [sig0.signature, sig1.signature, sig2.signature]`
			`)`
tests: add device test for CoSi 2017-10-03 22:37:45 +00:00
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest. 2019-12-20 12:45:41 +00:00			`cosi.verify_combined(sig, digest, global_pk)`
device_tests: add a compat test for cosi, checking interoperability between Trezor and local implementation 2018-05-28 15:41:52 +00:00
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`def test_cosi_compat(self, client):`
style: apply black/isort 2018-08-13 16:21:24 +00:00			`digest = sha256(b"this is not a pipe").digest()`
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`remote_commit = cosi.commit(client, parse_path("10018'/0'"), digest)`
device_tests: add a compat test for cosi, checking interoperability between Trezor and local implementation 2018-05-28 15:41:52 +00:00
style: apply black/isort 2018-08-13 16:21:24 +00:00			`local_privkey = sha256(b"private key").digest()[:32]`
device_tests: add a compat test for cosi, checking interoperability between Trezor and local implementation 2018-05-28 15:41:52 +00:00			`local_pubkey = cosi.pubkey_from_privkey(local_privkey)`
			`local_nonce, local_commitment = cosi.get_nonce(local_privkey, digest, 42)`

			`global_pk = cosi.combine_keys([remote_commit.pubkey, local_pubkey])`
			`global_R = cosi.combine_keys([remote_commit.commitment, local_commitment])`

style: apply black/isort 2018-08-13 16:21:24 +00:00			`remote_sig = cosi.sign(`
tests: convert from self.client to the client fixture 2019-08-27 14:58:59 +00:00			`client, parse_path("10018'/0'"), digest, global_R, global_pk`
style: apply black/isort 2018-08-13 16:21:24 +00:00			`)`
			`local_sig = cosi.sign_with_privkey(`
			`digest, local_privkey, global_pk, local_nonce, global_R`
			`)`
device_tests: add a compat test for cosi, checking interoperability between Trezor and local implementation 2018-05-28 15:41:52 +00:00			`sig = cosi.combine_sig(global_R, [remote_sig.signature, local_sig])`

python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest. 2019-12-20 12:45:41 +00:00			`cosi.verify_combined(sig, digest, global_pk)`