diff --git a/micropython/extmod/modtrezorcrypto/modtrezorcrypto-ed25519.h b/micropython/extmod/modtrezorcrypto/modtrezorcrypto-ed25519.h
index 38133696b..5df146a05 100644
--- a/micropython/extmod/modtrezorcrypto/modtrezorcrypto-ed25519.h
+++ b/micropython/extmod/modtrezorcrypto/modtrezorcrypto-ed25519.h
@@ -101,11 +101,105 @@ STATIC mp_obj_t mod_TrezorCrypto_Ed25519_verify(size_t n_args, const mp_obj_t *a
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_TrezorCrypto_Ed25519_verify_obj, 4, 4, mod_TrezorCrypto_Ed25519_verify);
 
+/// def trezor.crypto.curve.ed25519.cosi_combine_publickeys(public_keys: list) -> bytes:
+///     '''
+///     Combines a list of public keys used in COSI cosigning scheme
+///     '''
+STATIC mp_obj_t mod_TrezorCrypto_Ed25519_cosi_combine_publickeys(mp_obj_t self, mp_obj_t public_keys) {
+    mp_uint_t pklen;
+    mp_obj_t *pkitems;
+    mp_obj_get_array(public_keys, &pklen, &pkitems);
+    if (pklen > 15) {
+        mp_raise_ValueError("Can't combine more than 15 public keys");
+    }
+    mp_buffer_info_t buf;
+    ed25519_public_key pks[pklen];
+    for (int i = 0; i < pklen; i++) {
+        mp_get_buffer_raise(pkitems[i], &buf, MP_BUFFER_READ);
+        if (buf.len != 32) {
+            mp_raise_ValueError("Invalid length of public key");
+        }
+        memcpy(pks[i], buf.buf, buf.len);
+    }
+    vstr_t vstr;
+    vstr_init_len(&vstr, 32);
+    if (0 != ed25519_cosi_combine_publickeys(*(ed25519_public_key *)vstr.buf, pks, pklen)) {
+        mp_raise_ValueError("Error combining public keys");
+    }
+    return mp_obj_new_str_from_vstr(&mp_type_bytes, &vstr);
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_2(mod_TrezorCrypto_Ed25519_cosi_combine_publickeys_obj, mod_TrezorCrypto_Ed25519_cosi_combine_publickeys);
+
+/// def trezor.crypto.curve.ed25519.cosi_combine_signatures(R: bytes, signatures: list) -> bytes:
+///     '''
+///     Combines a list of signatures used in COSI cosigning scheme
+///     '''
+STATIC mp_obj_t mod_TrezorCrypto_Ed25519_cosi_combine_signatures(mp_obj_t self, mp_obj_t R, mp_obj_t signatures) {
+    mp_buffer_info_t sigR;
+    mp_get_buffer_raise(R, &sigR, MP_BUFFER_READ);
+    if (sigR.len != 32) {
+        mp_raise_ValueError("Invalid length of R");
+    }
+    mp_uint_t siglen;
+    mp_obj_t *sigitems;
+    mp_obj_get_array(signatures, &siglen, &sigitems);
+    if (siglen > 15) {
+        mp_raise_ValueError("Can't combine more than 15 COSI signatures");
+    }
+    mp_buffer_info_t buf;
+    ed25519_cosi_signature sigs[siglen];
+    for (int i = 0; i < siglen; i++) {
+        mp_get_buffer_raise(sigitems[i], &buf, MP_BUFFER_READ);
+        if (buf.len != 32) {
+            mp_raise_ValueError("Invalid length of COSI signature");
+        }
+        memcpy(sigs[i], buf.buf, buf.len);
+    }
+    vstr_t vstr;
+    vstr_init_len(&vstr, 64);
+    ed25519_cosi_combine_signatures(*(ed25519_signature *)vstr.buf, *(const ed25519_public_key *)sigR.buf, sigs, siglen);
+    return mp_obj_new_str_from_vstr(&mp_type_bytes, &vstr);
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_3(mod_TrezorCrypto_Ed25519_cosi_combine_signatures_obj, mod_TrezorCrypto_Ed25519_cosi_combine_signatures);
+
+/// def trezor.crypto.curve.ed25519.cosi_sign(secret_key: bytes, message: bytes, nonce: bytes, sigR: bytes, combined_pubkey: bytes) -> bytes:
+///     '''
+///     Produce signature of message using COSI cosigning scheme
+///     '''
+STATIC mp_obj_t mod_TrezorCrypto_Ed25519_cosi_sign(size_t n_args, const mp_obj_t *args) {
+    mp_buffer_info_t sk, msg, nonce, sigR, pk;
+    mp_get_buffer_raise(args[1], &sk, MP_BUFFER_READ);
+    mp_get_buffer_raise(args[2], &msg, MP_BUFFER_READ);
+    mp_get_buffer_raise(args[3], &nonce, MP_BUFFER_READ);
+    mp_get_buffer_raise(args[4], &sigR, MP_BUFFER_READ);
+    mp_get_buffer_raise(args[5], &pk, MP_BUFFER_READ);
+    if (sk.len != 32) {
+        mp_raise_ValueError("Invalid length of secret key");
+    }
+    if (nonce.len != 32) {
+        mp_raise_ValueError("Invalid length of nonce");
+    }
+    if (sigR.len != 32) {
+        mp_raise_ValueError("Invalid length of R");
+    }
+    if (pk.len != 32) {
+        mp_raise_ValueError("Invalid length of aggregated public key");
+    }
+    vstr_t vstr;
+    vstr_init_len(&vstr, 32);
+    ed25519_cosi_sign(msg.buf, msg.len, *(const ed25519_secret_key *)sk.buf, *(const ed25519_secret_key *)nonce.buf, *(const ed25519_public_key *)sigR.buf, *(const ed25519_secret_key *)pk.buf, *(ed25519_cosi_signature *)vstr.buf);
+    return mp_obj_new_str_from_vstr(&mp_type_bytes, &vstr);
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_TrezorCrypto_Ed25519_cosi_sign_obj, 6, 6, mod_TrezorCrypto_Ed25519_cosi_sign);
+
 STATIC const mp_rom_map_elem_t mod_TrezorCrypto_Ed25519_locals_dict_table[] = {
     { MP_ROM_QSTR(MP_QSTR_generate_secret), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_generate_secret_obj) },
     { MP_ROM_QSTR(MP_QSTR_publickey), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_publickey_obj) },
     { MP_ROM_QSTR(MP_QSTR_sign), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_sign_obj) },
     { MP_ROM_QSTR(MP_QSTR_verify), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_verify_obj) },
+    { MP_ROM_QSTR(MP_QSTR_cosi_combine_publickeys), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_cosi_combine_publickeys_obj) },
+    { MP_ROM_QSTR(MP_QSTR_cosi_combine_signatures), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_cosi_combine_signatures_obj) },
+    { MP_ROM_QSTR(MP_QSTR_cosi_sign), MP_ROM_PTR(&mod_TrezorCrypto_Ed25519_cosi_sign_obj) },
 };
 STATIC MP_DEFINE_CONST_DICT(mod_TrezorCrypto_Ed25519_locals_dict, mod_TrezorCrypto_Ed25519_locals_dict_table);
 
diff --git a/tests/test_trezor.crypto.curve.ed25519_cosi.py b/tests/test_trezor.crypto.curve.ed25519_cosi.py
new file mode 100644
index 000000000..a048a27af
--- /dev/null
+++ b/tests/test_trezor.crypto.curve.ed25519_cosi.py
@@ -0,0 +1,45 @@
+from common import *
+
+from trezor.crypto import random
+from trezor.crypto.curve import ed25519
+
+class TestCryptoEd25519Cosi(unittest.TestCase):
+
+    def test_cosi(self):
+
+        for N in range(1, 11):
+
+            # generate random message to be signed
+            msg = random.bytes(128)
+
+            # phase 0: create priv/pubkeys and combine pubkeys
+            keys = [None] * N
+            pubkeys = [None] * N
+            for j in range(N):
+                keys[j] = ed25519.generate_secret()
+                pubkeys[j] = ed25519.publickey(keys[j])
+
+            pubkey = ed25519.cosi_combine_publickeys(pubkeys)
+
+            # phase 1: create nonces, commitments (R values) and combine commitments
+            nonces = [None] * N
+            Rs = [None] * N
+            for j in range(N):
+                nonces[j] = ed25519.generate_secret()
+                Rs[j] = ed25519.publickey(nonces[j])
+
+            R = ed25519.cosi_combine_publickeys(Rs)
+
+            # phase 2: sign and combine signatures
+            sigs = [None] * N
+            for j in range(N):
+                sigs[j] = ed25519.cosi_sign(keys[j], msg, nonces[j], R, pubkey)
+
+            sig = ed25519.cosi_combine_signatures(R, sigs)
+
+            # check signature using normal ed25519.verify
+            res = ed25519.verify(pubkey, sig, msg)
+            self.assertTrue(res)
+
+if __name__ == '__main__':
+    unittest.main()