trezorlib: move ed25519cosi and ed25519raw from trezor-core

2025-01-30 01:01:00 +00:00 · 2017-10-04 00:37:45 +02:00 · 2017-10-04 00:37:45 +02:00 · 5057e022c0
commit 5057e022c0
parent a71c33d123
3 changed files with 241 additions and 0 deletions
--- a/setup.py
+++ b/setup.py
@ -27,6 +27,8 @@ setup(
        'trezorlib.ckd_public',
        'trezorlib.client',
        'trezorlib.debuglink',
        'trezorlib.ed25519cosi',
        'trezorlib.ed25519raw',
        'trezorlib.mapping',
        'trezorlib.messages_pb2',
        'trezorlib.protocol_v1',
--- a/trezorlib/ed25519cosi.py
+++ b/trezorlib/ed25519cosi.py
@ -0,0 +1,92 @@
 import sys
 from functools import reduce
 import binascii
 from . import ed25519raw
 def combine_keys(pks):
    P = [ed25519raw.decodepoint(pk) for pk in pks]
    combine = reduce(ed25519raw.edwards, P)
    return ed25519raw.encodepoint(combine)
 def combine_sig(R, sigs):
    S = [ed25519raw.decodeint(si) for si in sigs]
    s = sum(S) % ed25519raw.l
    sig = R + ed25519raw.encodeint(s)
    return sig
 def get_nonce(sk, data, ctr):
    h = ed25519raw.H(sk)
    b = ed25519raw.b
    if sys.version_info.major < 3:
        r = ed25519raw.Hint(''.join([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
    else:
        r = ed25519raw.Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
    R = ed25519raw.scalarmult(ed25519raw.B, r)
    return r, ed25519raw.encodepoint(R)
 def self_test(digest):
    def to_hex(by):
        return binascii.hexlify(by).decode()
    N = 3
    keyset = [0, 2]
    digest = binascii.unhexlify(digest)
    print('Digest: %s' % to_hex(digest))
    sks = []
    pks = []
    nonces = []
    commits = []
    sigs = []
    for i in range(0, N):
        print('----- Key %d ------' % (i + 1))
        seckey = (chr(0x41 + i) * 32).encode()
        pubkey = ed25519raw.publickey(seckey)
        print('Secret Key: %s' % to_hex(seckey))
        print('Public Key: %s' % to_hex(pubkey))
        sks.append(seckey)
        pks.append(pubkey)
        ctr = 0
        r, R = get_nonce(seckey, digest, ctr)
        print('Local nonce:  %s' % to_hex(ed25519raw.encodeint(r)))
        print('Local commit: %s' % to_hex(R))
        nonces.append(r)
        commits.append(R)
    global_pk = combine_keys([pks[i] for i in keyset])
    global_R = combine_keys([commits[i] for i in keyset])
    print('-----------------')
    print('Global pubkey: %s' % to_hex(global_pk))
    print('Global commit: %s' % to_hex(global_R))
    print('-----------------')
    for i in range(0, N):
        seckey = sks[i]
        pubkey = pks[i]
        r = nonces[i]
        R = commits[i]
        h = ed25519raw.H(seckey)
        b = ed25519raw.b
        a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) for i in range(3, b - 2))
        S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
        print('Local sig %d: %s' % (i + 1, to_hex(ed25519raw.encodeint(S))))
        sigs.append(ed25519raw.encodeint(S))
    print('-----------------')
    sig = combine_sig(global_R, [sigs[i] for i in keyset])
    print('Global sig: %s' % to_hex(sig))
    ed25519raw.checkvalid(sig, digest, global_pk)
    print('Valid Signature!')
 if __name__ == '__main__':
    if len(sys.argv) > 1:
        self_test(digest=sys.argv[1])
    else:
        self_test(digest='4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')
--- a/trezorlib/ed25519raw.py
+++ b/trezorlib/ed25519raw.py
@ -0,0 +1,147 @@
 # orignal version downloaded from https://ed25519.cr.yp.to/python/ed25519.py
 # modified for Python 3 by Jochen Hoenicke <hoenicke@gmail.com>
 import sys
 import hashlib
 b = 256
 q = 2 ** 255 - 19
 l = 2 ** 252 + 27742317777372353535851937790883648493
 def H(m):
    return hashlib.sha512(m).digest()
 def expmod(b, e, m):
    if e < 0:
        raise Exception('negative exponent')
    if e == 0:
        return 1
    t = expmod(b, e >> 1, m) ** 2 % m
    if e & 1:
        t = (t * b) % m
    return t
 def inv(x):
    return expmod(x, q - 2, q)
 d = -121665 * inv(121666)
 I = expmod(2, (q - 1) >> 2, q)
 def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = expmod(xx, (q + 3) >> 3, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x
 By = 4 * inv(5)
 Bx = xrecover(By)
 B = [Bx % q, By % q]
 def edwards(P, Q):
    x1 = P[0]
    y1 = P[1]
    x2 = Q[0]
    y2 = Q[1]
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return [x3 % q, y3 % q]
 def scalarmult(P, e):
    if e == 0:
        return [0, 1]
    Q = scalarmult(P, e >> 1)
    Q = edwards(Q, Q)
    if e & 1:
        Q = edwards(Q, P)
    return Q
 def encodeint(y):
    bits = [(y >> i) & 1 for i in range(b)]
    if sys.version_info.major < 3:
        return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
    else:
        return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
 def encodepoint(P):
    x = P[0]
    y = P[1]
    bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
    if sys.version_info.major < 3:
        return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b >> 3)])
    else:
        return bytes([sum([bits[i * 8 + j] << j for j in range(8)]) for i in range(b >> 3)])
 def bit(h, i):
    if sys.version_info.major < 3:
        return (ord(h[i >> 3]) >> (i & 7)) & 1
    else:
        return (h[i >> 3] >> (i & 7)) & 1
 def publickey(sk):
    h = H(sk)
    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
    A = scalarmult(B, a)
    return encodepoint(A)
 def Hint(m):
    h = H(m)
    return sum(2 ** i * bit(h, i) for i in range(2 * b))
 def signature(m, sk, pk):
    h = H(sk)
    a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))
    r = Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + m)
    R = scalarmult(B, r)
    S = (r + Hint(encodepoint(R) + pk + m) * a) % l
    return encodepoint(R) + encodeint(S)
 def isoncurve(P):
    x = P[0]
    y = P[1]
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0
 def decodeint(s):
    return sum(2 ** i * bit(s, i) for i in range(0, b))
 def decodepoint(s):
    y = sum(2 ** i * bit(s, i) for i in range(0, b - 1))
    x = xrecover(y)
    if x & 1 != bit(s, b - 1):
        x = q - x
    P = [x, y]
    if not isoncurve(P):
        raise Exception('decoding point that is not on curve')
    return P
 def checkvalid(s, m, pk):
    if len(s) != b >> 2:
        raise Exception('signature length is wrong')
    if len(pk) != b >> 3:
        raise Exception('public-key length is wrong')
    R = decodepoint(s[0:b >> 3])
    A = decodepoint(pk)
    S = decodeint(s[b >> 3:b >> 2])
    h = Hint(encodepoint(R) + pk + m)
    if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
        raise Exception('signature does not pass verification')