mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-11-13 19:18:56 +00:00
tools: move ed25519raw, ed25519cosi to python-trezor
This commit is contained in:
Pavol Rusnak
parent
5884d1c03f
commit
29c3afe6c4
@ -7,8 +7,7 @@ import struct
|
||||
import binascii
|
||||
import pyblake2
|
||||
|
||||
import ed25519raw
|
||||
import ed25519cosi
|
||||
from trezorlib import ed25519raw, ed25519cosi
|
||||
|
||||
|
||||
def sign_data(seckeys, data):
|
||||
|
||||
@ -1,92 +0,0 @@
|
||||
import sys
|
||||
from functools import reduce
|
||||
import binascii
|
||||
|
||||
import ed25519raw
|
||||
|
||||
|
||||
def combine_keys(pks):
|
||||
P = [ed25519raw.decodepoint(pk) for pk in pks]
|
||||
combine = reduce(ed25519raw.edwards, P)
|
||||
return ed25519raw.encodepoint(combine)
|
||||
|
||||
|
||||
def combine_sig(R, sigs):
|
||||
S = [ed25519raw.decodeint(si) for si in sigs]
|
||||
s = sum(S) % ed25519raw.l
|
||||
sig = R + ed25519raw.encodeint(s)
|
||||
return sig
|
||||
|
||||
|
||||
def get_nonce(sk, data, ctr):
|
||||
h = ed25519raw.H(sk)
|
||||
b = ed25519raw.b
|
||||
if sys.version_info.major < 3:
|
||||
r = ed25519raw.Hint(''.join([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
|
||||
else:
|
||||
r = ed25519raw.Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
|
||||
R = ed25519raw.scalarmult(ed25519raw.B, r)
|
||||
return r, ed25519raw.encodepoint(R)
|
||||
|
||||
|
||||
def self_test(digest):
|
||||
|
||||
def to_hex(by):
|
||||
return binascii.hexlify(by).decode()
|
||||
|
||||
N = 3
|
||||
keyset = [0, 2]
|
||||
|
||||
digest = binascii.unhexlify(digest)
|
||||
print('Digest: %s' % to_hex(digest))
|
||||
sks = []
|
||||
pks = []
|
||||
nonces = []
|
||||
commits = []
|
||||
sigs = []
|
||||
for i in range(0, N):
|
||||
print('----- Key %d ------' % (i + 1))
|
||||
seckey = (chr(0x41 + i) * 32).encode()
|
||||
pubkey = ed25519raw.publickey(seckey)
|
||||
print('Secret Key: %s' % to_hex(seckey))
|
||||
print('Public Key: %s' % to_hex(pubkey))
|
||||
sks.append(seckey)
|
||||
pks.append(pubkey)
|
||||
ctr = 0
|
||||
r, R = get_nonce(seckey, digest, ctr)
|
||||
print('Local nonce: %s' % to_hex(ed25519raw.encodeint(r)))
|
||||
print('Local commit: %s' % to_hex(R))
|
||||
nonces.append(r)
|
||||
commits.append(R)
|
||||
|
||||
global_pk = combine_keys([pks[i] for i in keyset])
|
||||
global_R = combine_keys([commits[i] for i in keyset])
|
||||
print('-----------------')
|
||||
print('Global pubkey: %s' % to_hex(global_pk))
|
||||
print('Global commit: %s' % to_hex(global_R))
|
||||
print('-----------------')
|
||||
|
||||
for i in range(0, N):
|
||||
seckey = sks[i]
|
||||
pubkey = pks[i]
|
||||
r = nonces[i]
|
||||
R = commits[i]
|
||||
h = ed25519raw.H(seckey)
|
||||
b = ed25519raw.b
|
||||
a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) for i in range(3, b - 2))
|
||||
S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
|
||||
print('Local sig %d: %s' % (i + 1, to_hex(ed25519raw.encodeint(S))))
|
||||
sigs.append(ed25519raw.encodeint(S))
|
||||
|
||||
print('-----------------')
|
||||
sig = combine_sig(global_R, [sigs[i] for i in keyset])
|
||||
print('Global sig: %s' % to_hex(sig))
|
||||
ed25519raw.checkvalid(sig, digest, global_pk)
|
||||
print('Valid Signature!')
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
if len(sys.argv) > 1:
|
||||
self_test(digest=sys.argv[1])
|
||||
else:
|
||||
self_test(digest='4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')
|
||||
@ -1,147 +0,0 @@
|
||||
# orignal version downloaded from https://ed25519.cr.yp.to/python/ed25519.py
|
||||
# modified for Python 3 by Jochen Hoenicke <hoenicke@gmail.com>
|
||||
|
||||
import sys
|
||||
import hashlib
|
||||
|
||||
b = 256
|
||||
q = 2 ** 255 - 19
|
||||
l = 2 ** 252 + 27742317777372353535851937790883648493
|
||||
|
||||
|
||||
def H(m):
|
||||
return hashlib.sha512(m).digest()
|
||||
|
||||
|
||||
def expmod(b, e, m):
|
||||
if e < 0:
|
||||
raise Exception('negative exponent')
|
||||
if e == 0:
|
||||
return 1
|
||||
t = expmod(b, e >> 1, m) ** 2 % m
|
||||
if e & 1:
|
||||
t = (t * b) % m
|
||||
return t
|
||||
|
||||
|
||||
def inv(x):
|
||||
return expmod(x, q - 2, q)
|
||||
|
||||
|
||||
d = -121665 * inv(121666)
|
||||
I = expmod(2, (q - 1) >> 2, q)
|
||||
|
||||
|
||||
def xrecover(y):
|
||||
xx = (y * y - 1) * inv(d * y * y + 1)
|
||||
x = expmod(xx, (q + 3) >> 3, q)
|
||||
if (x * x - xx) % q != 0:
|
||||
x = (x * I) % q
|
||||
if x % 2 != 0:
|
||||
x = q - x
|
||||
return x
|
||||
|
||||
|
||||
By = 4 * inv(5)
|
||||
Bx = xrecover(By)
|
||||
B = [Bx % q, By % q]
|
||||
|
||||
|
||||
def edwards(P, Q):
|
||||
x1 = P[0]
|
||||
y1 = P[1]
|
||||
x2 = Q[0]
|
||||
y2 = Q[1]
|
||||
x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
|
||||
y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
|
||||
return [x3 % q, y3 % q]
|
||||
|
||||
|
||||
def scalarmult(P, e):
|
||||
if e == 0:
|
||||
return [0, 1]
|
||||
Q = scalarmult(P, e >> 1)
|
||||
Q = edwards(Q, Q)
|
||||
if e & 1:
|
||||
Q = edwards(Q, P)
|
||||
return Q
|
||||
|
||||
|
||||
def encodeint(y):
|
||||
bits = [(y >> i) & 1 for i in range(b)]
|
||||
if sys.version_info.major < 3:
|
||||
return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
|
||||
else:
|
||||
return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
|
||||
|
||||
|
||||
def encodepoint(P):
|
||||
x = P[0]
|
||||
y = P[1]
|
||||
bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
|
||||
if sys.version_info.major < 3:
|
||||
return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
|
||||
else:
|
||||
return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
|
||||
|
||||
|
||||
def bit(h, i):
|
||||
if sys.version_info.major < 3:
|
||||
return (ord(h[i >> 3]) >> (i & 7)) & 1
|
||||
else:
|
||||
return (h[i >> 3] >> (i & 7)) & 1
|
||||
|
||||
|
||||
def publickey(sk):
|
||||
h = H(sk)
|
||||
a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
|
||||
A = scalarmult(B, a)
|
||||
return encodepoint(A)
|
||||
|
||||
|
||||
def Hint(m):
|
||||
h = H(m)
|
||||
return sum(2 ** i * bit(h, i) for i in range(2 * b))
|
||||
|
||||
|
||||
def signature(m, sk, pk):
|
||||
h = H(sk)
|
||||
a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
|
||||
r = Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + m)
|
||||
R = scalarmult(B, r)
|
||||
S = (r + Hint(encodepoint(R) + pk + m) * a) % l
|
||||
return encodepoint(R) + encodeint(S)
|
||||
|
||||
|
||||
def isoncurve(P):
|
||||
x = P[0]
|
||||
y = P[1]
|
||||
return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0
|
||||
|
||||
|
||||
def decodeint(s):
|
||||
return sum(2 ** i * bit(s, i) for i in range(0, b))
|
||||
|
||||
|
||||
def decodepoint(s):
|
||||
y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
|
||||
x = xrecover(y)
|
||||
if x & 1 != bit(s, b - 1):
|
||||
x = q - x
|
||||
P = [x, y]
|
||||
if not isoncurve(P):
|
||||
raise Exception('decoding point that is not on curve')
|
||||
return P
|
||||
|
||||
|
||||
def checkvalid(s, m, pk):
|
||||
if len(s) != b >> 2:
|
||||
raise Exception('signature length is wrong')
|
||||
if len(pk) != b >> 3:
|
||||
raise Exception('public-key length is wrong')
|
||||
R = decodepoint(s[0:b >> 3])
|
||||
A = decodepoint(pk)
|
||||
S = decodeint(s[b >> 3:b >> 2])
|
||||
h = Hint(encodepoint(R) + pk + m)
|
||||
if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
|
||||
raise Exception('signature does not pass verification')
|
||||
Loading…
Reference in New Issue
Block a user