1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-18 04:18:10 +00:00

feat(core): implement CoSi module and CoSi verification

This commit is contained in:
matejcik 2023-03-15 15:14:27 +01:00 committed by matejcik
parent e6a7b9ccaa
commit dc5e4c1c8f
5 changed files with 137 additions and 48 deletions

View File

@ -75,6 +75,8 @@ trezor.crypto.bech32
import trezor.crypto.bech32
trezor.crypto.cashaddr
import trezor.crypto.cashaddr
trezor.crypto.cosi
import trezor.crypto.cosi
trezor.crypto.curve
import trezor.crypto.curve
trezor.crypto.der

View File

@ -26,6 +26,7 @@ SCHEMA_SLIP26 = PathSchema.parse("m/10026'/[0-2139062143]'/[0-4]'/0'", slip44_id
async def cosi_commit(ctx: Context, msg: CosiCommit) -> CosiSignature:
import storage.cache as storage_cache
from trezor.crypto import cosi
from trezor.crypto.curve import ed25519
from trezor.ui.layouts import confirm_blob
from apps.common import paths
@ -39,7 +40,7 @@ async def cosi_commit(ctx: Context, msg: CosiCommit) -> CosiSignature:
pubkey = ed25519.publickey(seckey)
if not storage_cache.is_set(storage_cache.APP_MISC_COSI_COMMITMENT):
nonce, commitment = ed25519.cosi_commit()
nonce, commitment = cosi.commit()
storage_cache.set(storage_cache.APP_MISC_COSI_NONCE, nonce)
storage_cache.set(storage_cache.APP_MISC_COSI_COMMITMENT, commitment)
commitment = storage_cache.get(storage_cache.APP_MISC_COSI_COMMITMENT)
@ -69,7 +70,7 @@ async def cosi_commit(ctx: Context, msg: CosiCommit) -> CosiSignature:
if nonce is None:
raise RuntimeError
signature = ed25519.cosi_sign(
signature = cosi.sign(
seckey, sign_msg.data, nonce, sign_msg.global_commitment, sign_msg.global_pubkey
)
return CosiSignature(signature=signature)

View File

@ -0,0 +1,37 @@
from typing import Sequence
from .curve import ed25519
commit = ed25519.cosi_commit
sign = ed25519.cosi_sign
combine_publickeys = ed25519.cosi_combine_publickeys
combine_signatures = ed25519.cosi_combine_signatures
def select_keys(sigmask: int, keys: Sequence[bytes]) -> list[bytes]:
selected_keys = []
for key in keys:
if sigmask & 1:
selected_keys.append(key)
sigmask >>= 1
if sigmask:
raise ValueError # sigmask specifies more public keys than provided
return selected_keys
def verify(
signature: bytes,
data: bytes,
threshold: int,
keys: Sequence[bytes],
sigmask: int,
) -> bool:
if threshold < 1:
raise ValueError # at least one signer is required
selected_keys = select_keys(sigmask, keys)
if len(selected_keys) < threshold:
return False # insufficient number of signatures
global_pk = combine_publickeys(selected_keys)
return ed25519.verify(global_pk, signature, data)

View File

@ -0,0 +1,95 @@
from common import *
from trezor.crypto import cosi, random
from trezor.crypto.curve import ed25519
class TestCryptoEd25519Cosi(unittest.TestCase):
def random_signers(self, N: int) -> tuple[list[bytes], list[bytes]]:
keys = []
pubkeys = []
for j in range(N):
keys.append(ed25519.generate_secret())
pubkeys.append(ed25519.publickey(keys[j]))
return keys, pubkeys
def cosign(
self, message: bytes, keys: list[bytes], pubkeys: list[bytes]
) -> tuple[bytes, bytes]:
# phase 0: combine pubkeys
pubkey = cosi.combine_publickeys(pubkeys)
# phase 1: create nonces, commitments (R values) and combine commitments
nonces = []
Rs = []
for _ in range(len(keys)):
nonce, R = cosi.commit()
nonces.append(nonce)
Rs.append(R)
R = ed25519.cosi_combine_publickeys(Rs)
# phase 2: sign and combine signatures
sigs = []
for key, nonce in zip(keys, nonces):
sigs.append(cosi.sign(key, message, nonce, R, pubkey))
return pubkey, cosi.combine_signatures(R, sigs)
def test_cosi(self):
for N in range(1, 11):
# generate random inputs
msg = random.bytes(128)
keys, pubkeys = self.random_signers(N)
# generate combined signature
pubkey, sig = self.cosign(msg, keys, pubkeys)
# check signature using normal ed25519.verify
res = ed25519.verify(pubkey, sig, msg)
self.assertTrue(res)
def test_select_keys(self):
keys, pubkeys = self.random_signers(5)
# try all possible combinations of signers = all 5-bit sigmasks
for sigmask in range(1, 32):
selected_keys = cosi.select_keys(sigmask, keys)
selected_pubkeys = cosi.select_keys(sigmask, pubkeys)
# check that the selection picks the right key combinations
for key, pubkey in zip(selected_keys, selected_pubkeys):
self.assertEqual(ed25519.publickey(key), pubkey)
# count number of ones
count = 0
for i in range(5):
if sigmask & (1 << i):
count += 1
self.assertEqual(len(selected_keys), count)
self.assertEqual(len(selected_pubkeys), count)
def test_verify(self):
keys, all_pubkeys = self.random_signers(5)
# try all possible combinations of signers = all 5-bit sigmasks
for sigmask in range(1, 32):
message = random.bytes(128)
selected_keys = cosi.select_keys(sigmask, keys)
selected_pubkeys = cosi.select_keys(sigmask, all_pubkeys)
_, sig = self.cosign(message, selected_keys, selected_pubkeys)
res = cosi.verify(sig, message, len(selected_keys), all_pubkeys, sigmask)
self.assertTrue(res)
res = cosi.verify(sig, message, 1, all_pubkeys, sigmask)
self.assertTrue(res)
res = cosi.verify(
sig, message, len(selected_keys) + 1, all_pubkeys, sigmask
)
self.assertFalse(res)
if __name__ == "__main__":
unittest.main()

View File

@ -1,46 +0,0 @@
from common import *
from trezor.crypto import random
from trezor.crypto.curve import ed25519
class TestCryptoEd25519Cosi(unittest.TestCase):
def test_cosi(self):
for N in range(1, 11):
# generate random message to be signed
msg = random.bytes(128)
# phase 0: create priv/pubkeys and combine pubkeys
keys = [None] * N
pubkeys = [None] * N
for j in range(N):
keys[j] = ed25519.generate_secret()
pubkeys[j] = ed25519.publickey(keys[j])
pubkey = ed25519.cosi_combine_publickeys(pubkeys)
# phase 1: create nonces, commitments (R values) and combine commitments
nonces = [None] * N
Rs = [None] * N
for j in range(N):
nonces[j], Rs[j] = ed25519.cosi_commit()
R = ed25519.cosi_combine_publickeys(Rs)
# phase 2: sign and combine signatures
sigs = [None] * N
for j in range(N):
sigs[j] = ed25519.cosi_sign(keys[j], msg, nonces[j], R, pubkey)
sig = ed25519.cosi_combine_signatures(R, sigs)
# check signature using normal ed25519.verify
res = ed25519.verify(pubkey, sig, msg)
self.assertTrue(res)
if __name__ == '__main__':
unittest.main()