2017-10-03 22:37:45 +00:00
|
|
|
import sys
|
|
|
|
from functools import reduce
|
|
|
|
import binascii
|
|
|
|
|
2018-05-25 11:07:02 +00:00
|
|
|
from trezorlib import _ed25519
|
2017-10-03 22:37:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
def combine_keys(pks):
|
2018-05-25 11:07:02 +00:00
|
|
|
P = [_ed25519.decodepoint(pk) for pk in pks]
|
|
|
|
combine = reduce(_ed25519.edwards, P)
|
|
|
|
return _ed25519.encodepoint(combine)
|
2017-10-03 22:37:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
def combine_sig(R, sigs):
|
2018-05-25 11:07:02 +00:00
|
|
|
S = [_ed25519.decodeint(si) for si in sigs]
|
|
|
|
s = sum(S) % _ed25519.l
|
|
|
|
sig = R + _ed25519.encodeint(s)
|
2017-10-03 22:37:45 +00:00
|
|
|
return sig
|
|
|
|
|
|
|
|
|
|
|
|
def get_nonce(sk, data, ctr):
|
2018-05-25 11:07:02 +00:00
|
|
|
h = _ed25519.H(sk)
|
|
|
|
b = _ed25519.b
|
|
|
|
r = _ed25519.Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
|
|
|
|
R = _ed25519.scalarmult(_ed25519.B, r)
|
|
|
|
return r, _ed25519.encodepoint(R)
|
2017-10-03 22:37:45 +00:00
|
|
|
|
|
|
|
|
2018-05-17 10:53:01 +00:00
|
|
|
def verify(signature, digest, pub_key):
|
2018-05-25 11:07:02 +00:00
|
|
|
_ed25519.checkvalid(signature, digest, pub_key)
|
2018-05-17 10:53:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
def sign_with_privkey(digest, privkey, global_pubkey, nonce, global_commit):
|
2018-05-25 11:07:02 +00:00
|
|
|
h = _ed25519.H(privkey)
|
|
|
|
b = _ed25519.b
|
|
|
|
a = 2 ** (b - 2) + sum(2 ** i * _ed25519.bit(h, i) for i in range(3, b - 2))
|
|
|
|
S = (nonce + _ed25519.Hint(global_commit + global_pubkey + digest) * a) % _ed25519.l
|
|
|
|
return _ed25519.encodeint(S)
|
2018-05-17 10:53:01 +00:00
|
|
|
|
|
|
|
|
2017-10-03 22:37:45 +00:00
|
|
|
def self_test(digest):
|
|
|
|
|
|
|
|
def to_hex(by):
|
|
|
|
return binascii.hexlify(by).decode()
|
|
|
|
|
|
|
|
N = 3
|
|
|
|
|
|
|
|
digest = binascii.unhexlify(digest)
|
|
|
|
print('Digest: %s' % to_hex(digest))
|
|
|
|
sks = []
|
|
|
|
pks = []
|
|
|
|
nonces = []
|
|
|
|
commits = []
|
|
|
|
sigs = []
|
|
|
|
for i in range(0, N):
|
|
|
|
print('----- Key %d ------' % (i + 1))
|
|
|
|
seckey = (chr(0x41 + i) * 32).encode()
|
2018-05-25 11:07:02 +00:00
|
|
|
pubkey = _ed25519.publickey(seckey)
|
2017-10-03 22:37:45 +00:00
|
|
|
print('Secret Key: %s' % to_hex(seckey))
|
|
|
|
print('Public Key: %s' % to_hex(pubkey))
|
|
|
|
sks.append(seckey)
|
|
|
|
pks.append(pubkey)
|
|
|
|
ctr = 0
|
|
|
|
r, R = get_nonce(seckey, digest, ctr)
|
2018-05-25 11:07:02 +00:00
|
|
|
print('Local nonce: %s' % to_hex(_ed25519.encodeint(r)))
|
2017-10-03 22:37:45 +00:00
|
|
|
print('Local commit: %s' % to_hex(R))
|
|
|
|
nonces.append(r)
|
|
|
|
commits.append(R)
|
|
|
|
|
2018-05-17 10:53:01 +00:00
|
|
|
global_pk = combine_keys(pks)
|
|
|
|
global_R = combine_keys(commits)
|
2017-10-03 22:37:45 +00:00
|
|
|
print('-----------------')
|
|
|
|
print('Global pubkey: %s' % to_hex(global_pk))
|
|
|
|
print('Global commit: %s' % to_hex(global_R))
|
|
|
|
print('-----------------')
|
|
|
|
|
2018-05-17 10:53:01 +00:00
|
|
|
sigs = [sign_with_privkey(digest, sks[i], global_pk, nonces[i], global_R) for i in range(N)]
|
|
|
|
for sig in sigs:
|
|
|
|
print('Local signature: %s' % to_hex(sig))
|
2017-10-03 22:37:45 +00:00
|
|
|
|
|
|
|
print('-----------------')
|
2018-05-17 10:53:01 +00:00
|
|
|
sig = combine_sig(global_R, sigs)
|
2017-10-03 22:37:45 +00:00
|
|
|
print('Global sig: %s' % to_hex(sig))
|
2018-05-17 10:53:01 +00:00
|
|
|
verify(sig, digest, global_pk)
|
2017-10-03 22:37:45 +00:00
|
|
|
print('Valid Signature!')
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
if len(sys.argv) > 1:
|
|
|
|
self_test(digest=sys.argv[1])
|
|
|
|
else:
|
|
|
|
self_test(digest='4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')
|