From 5057e022c0750b72e4aeb05f380d7a4edd0552d1 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak <stick@gk2.sk>
Date: Wed, 4 Oct 2017 00:37:45 +0200
Subject: [PATCH] trezorlib: move ed25519cosi and ed25519raw from trezor-core

---
 setup.py                 |   2 +
 trezorlib/ed25519cosi.py |  92 ++++++++++++++++++++++++
 trezorlib/ed25519raw.py  | 147 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 241 insertions(+)
 create mode 100644 trezorlib/ed25519cosi.py
 create mode 100644 trezorlib/ed25519raw.py

diff --git a/setup.py b/setup.py
index c220e9988..521a43ee3 100755
--- a/setup.py
+++ b/setup.py
@@ -27,6 +27,8 @@ setup(
         'trezorlib.ckd_public',
         'trezorlib.client',
         'trezorlib.debuglink',
+        'trezorlib.ed25519cosi',
+        'trezorlib.ed25519raw',
         'trezorlib.mapping',
         'trezorlib.messages_pb2',
         'trezorlib.protocol_v1',
diff --git a/trezorlib/ed25519cosi.py b/trezorlib/ed25519cosi.py
new file mode 100644
index 000000000..01316e5d6
--- /dev/null
+++ b/trezorlib/ed25519cosi.py
@@ -0,0 +1,92 @@
+import sys
+from functools import reduce
+import binascii
+
+from . import ed25519raw
+
+
+def combine_keys(pks):
+    P = [ed25519raw.decodepoint(pk) for pk in pks]
+    combine = reduce(ed25519raw.edwards, P)
+    return ed25519raw.encodepoint(combine)
+
+
+def combine_sig(R, sigs):
+    S = [ed25519raw.decodeint(si) for si in sigs]
+    s = sum(S) % ed25519raw.l
+    sig = R + ed25519raw.encodeint(s)
+    return sig
+
+
+def get_nonce(sk, data, ctr):
+    h = ed25519raw.H(sk)
+    b = ed25519raw.b
+    if sys.version_info.major < 3:
+        r = ed25519raw.Hint(''.join([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
+    else:
+        r = ed25519raw.Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
+    R = ed25519raw.scalarmult(ed25519raw.B, r)
+    return r, ed25519raw.encodepoint(R)
+
+
+def self_test(digest):
+
+    def to_hex(by):
+        return binascii.hexlify(by).decode()
+
+    N = 3
+    keyset = [0, 2]
+
+    digest = binascii.unhexlify(digest)
+    print('Digest: %s' % to_hex(digest))
+    sks = []
+    pks = []
+    nonces = []
+    commits = []
+    sigs = []
+    for i in range(0, N):
+        print('----- Key %d ------' % (i + 1))
+        seckey = (chr(0x41 + i) * 32).encode()
+        pubkey = ed25519raw.publickey(seckey)
+        print('Secret Key: %s' % to_hex(seckey))
+        print('Public Key: %s' % to_hex(pubkey))
+        sks.append(seckey)
+        pks.append(pubkey)
+        ctr = 0
+        r, R = get_nonce(seckey, digest, ctr)
+        print('Local nonce:  %s' % to_hex(ed25519raw.encodeint(r)))
+        print('Local commit: %s' % to_hex(R))
+        nonces.append(r)
+        commits.append(R)
+
+    global_pk = combine_keys([pks[i] for i in keyset])
+    global_R = combine_keys([commits[i] for i in keyset])
+    print('-----------------')
+    print('Global pubkey: %s' % to_hex(global_pk))
+    print('Global commit: %s' % to_hex(global_R))
+    print('-----------------')
+
+    for i in range(0, N):
+        seckey = sks[i]
+        pubkey = pks[i]
+        r = nonces[i]
+        R = commits[i]
+        h = ed25519raw.H(seckey)
+        b = ed25519raw.b
+        a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) for i in range(3, b - 2))
+        S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
+        print('Local sig %d: %s' % (i + 1, to_hex(ed25519raw.encodeint(S))))
+        sigs.append(ed25519raw.encodeint(S))
+
+    print('-----------------')
+    sig = combine_sig(global_R, [sigs[i] for i in keyset])
+    print('Global sig: %s' % to_hex(sig))
+    ed25519raw.checkvalid(sig, digest, global_pk)
+    print('Valid Signature!')
+
+
+if __name__ == '__main__':
+    if len(sys.argv) > 1:
+        self_test(digest=sys.argv[1])
+    else:
+        self_test(digest='4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')
diff --git a/trezorlib/ed25519raw.py b/trezorlib/ed25519raw.py
new file mode 100644
index 000000000..1e75b0926
--- /dev/null
+++ b/trezorlib/ed25519raw.py
@@ -0,0 +1,147 @@
+# orignal version downloaded from https://ed25519.cr.yp.to/python/ed25519.py
+# modified for Python 3 by Jochen Hoenicke <hoenicke@gmail.com>
+
+import sys
+import hashlib
+
+b = 256
+q = 2 ** 255 - 19
+l = 2 ** 252 + 27742317777372353535851937790883648493
+
+
+def H(m):
+    return hashlib.sha512(m).digest()
+
+
+def expmod(b, e, m):
+    if e < 0:
+        raise Exception('negative exponent')
+    if e == 0:
+        return 1
+    t = expmod(b, e >> 1, m) ** 2 % m
+    if e & 1:
+        t = (t * b) % m
+    return t
+
+
+def inv(x):
+    return expmod(x, q - 2, q)
+
+
+d = -121665 * inv(121666)
+I = expmod(2, (q - 1) >> 2, q)
+
+
+def xrecover(y):
+    xx = (y * y - 1) * inv(d * y * y + 1)
+    x = expmod(xx, (q + 3) >> 3, q)
+    if (x * x - xx) % q != 0:
+        x = (x * I) % q
+    if x % 2 != 0:
+        x = q - x
+    return x
+
+
+By = 4 * inv(5)
+Bx = xrecover(By)
+B = [Bx % q, By % q]
+
+
+def edwards(P, Q):
+    x1 = P[0]
+    y1 = P[1]
+    x2 = Q[0]
+    y2 = Q[1]
+    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
+    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
+    return [x3 % q, y3 % q]
+
+
+def scalarmult(P, e):
+    if e == 0:
+        return [0, 1]
+    Q = scalarmult(P, e >> 1)
+    Q = edwards(Q, Q)
+    if e & 1:
+        Q = edwards(Q, P)
+    return Q
+
+
+def encodeint(y):
+    bits = [(y >> i) & 1 for i in range(b)]
+    if sys.version_info.major < 3:
+        return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
+    else:
+        return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
+
+
+def encodepoint(P):
+    x = P[0]
+    y = P[1]
+    bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
+    if sys.version_info.major < 3:
+        return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
+    else:
+        return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
+
+
+def bit(h, i):
+    if sys.version_info.major < 3:
+        return (ord(h[i >> 3]) >> (i & 7)) & 1
+    else:
+        return (h[i >> 3] >> (i & 7)) & 1
+
+
+def publickey(sk):
+    h = H(sk)
+    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+    A = scalarmult(B, a)
+    return encodepoint(A)
+
+
+def Hint(m):
+    h = H(m)
+    return sum(2 ** i * bit(h, i) for i in range(2 * b))
+
+
+def signature(m, sk, pk):
+    h = H(sk)
+    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
+    r = Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + m)
+    R = scalarmult(B, r)
+    S = (r + Hint(encodepoint(R) + pk + m) * a) % l
+    return encodepoint(R) + encodeint(S)
+
+
+def isoncurve(P):
+    x = P[0]
+    y = P[1]
+    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0
+
+
+def decodeint(s):
+    return sum(2 ** i * bit(s, i) for i in range(0, b))
+
+
+def decodepoint(s):
+    y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
+    x = xrecover(y)
+    if x & 1 != bit(s, b - 1):
+        x = q - x
+    P = [x, y]
+    if not isoncurve(P):
+        raise Exception('decoding point that is not on curve')
+    return P
+
+
+def checkvalid(s, m, pk):
+    if len(s) != b >> 2:
+        raise Exception('signature length is wrong')
+    if len(pk) != b >> 3:
+        raise Exception('public-key length is wrong')
+    R = decodepoint(s[0:b >> 3])
+    A = decodepoint(pk)
+    S = decodeint(s[b >> 3:b >> 2])
+    h = Hint(encodepoint(R) + pk + m)
+    if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
+        raise Exception('signature does not pass verification')