1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-27 01:48:17 +00:00
trezor-firmware/trezorlib/cosi.py
matejcik db92b13f97 cosi: move things around
ed25519raw is moved back to trezorlib
ed25519cosi is renamed to cosi, and has a couple more functions,
with the expectation that TrezorClient.cosi_* methods will move there.

Also most code shouldn't need ed25519raw for anything, so it might get
renamed to "_ed25519" to indicate that it's a private implementation.

For now, I added a "verify" method to cosi, so that you don't need to
call into ed25519raw.checkvalid. But trezor-core's keyctl is also
using ed25519raw.publickey. I'm not sure if that's worth replicating
in cosi, or whether to just leave it be, so I'm leaving it be for now.

Importantly, new function "sign_with_privkey" does that math thing that
was part of the selftest and is also explicitly listed in keyctl.
(it's called sign_with_privkey because I expect to have a "sign" method
here that calls into Trezor)
2018-05-17 12:53:01 +02:00

93 lines
2.6 KiB
Python

import sys
from functools import reduce
import binascii
from trezorlib import ed25519raw
def combine_keys(pks):
P = [ed25519raw.decodepoint(pk) for pk in pks]
combine = reduce(ed25519raw.edwards, P)
return ed25519raw.encodepoint(combine)
def combine_sig(R, sigs):
S = [ed25519raw.decodeint(si) for si in sigs]
s = sum(S) % ed25519raw.l
sig = R + ed25519raw.encodeint(s)
return sig
def get_nonce(sk, data, ctr):
h = ed25519raw.H(sk)
b = ed25519raw.b
r = ed25519raw.Hint(bytes([h[i] for i in range(b >> 3, b >> 2)]) + data + binascii.unhexlify('%08x' % ctr))
R = ed25519raw.scalarmult(ed25519raw.B, r)
return r, ed25519raw.encodepoint(R)
def verify(signature, digest, pub_key):
ed25519raw.checkvalid(signature, digest, pub_key)
def sign_with_privkey(digest, privkey, global_pubkey, nonce, global_commit):
h = ed25519raw.H(privkey)
b = ed25519raw.b
a = 2 ** (b - 2) + sum(2 ** i * ed25519raw.bit(h, i) for i in range(3, b - 2))
S = (nonce + ed25519raw.Hint(global_commit + global_pubkey + digest) * a) % ed25519raw.l
return ed25519raw.encodeint(S)
def self_test(digest):
def to_hex(by):
return binascii.hexlify(by).decode()
N = 3
digest = binascii.unhexlify(digest)
print('Digest: %s' % to_hex(digest))
sks = []
pks = []
nonces = []
commits = []
sigs = []
for i in range(0, N):
print('----- Key %d ------' % (i + 1))
seckey = (chr(0x41 + i) * 32).encode()
pubkey = ed25519raw.publickey(seckey)
print('Secret Key: %s' % to_hex(seckey))
print('Public Key: %s' % to_hex(pubkey))
sks.append(seckey)
pks.append(pubkey)
ctr = 0
r, R = get_nonce(seckey, digest, ctr)
print('Local nonce: %s' % to_hex(ed25519raw.encodeint(r)))
print('Local commit: %s' % to_hex(R))
nonces.append(r)
commits.append(R)
global_pk = combine_keys(pks)
global_R = combine_keys(commits)
print('-----------------')
print('Global pubkey: %s' % to_hex(global_pk))
print('Global commit: %s' % to_hex(global_R))
print('-----------------')
sigs = [sign_with_privkey(digest, sks[i], global_pk, nonces[i], global_R) for i in range(N)]
for sig in sigs:
print('Local signature: %s' % to_hex(sig))
print('-----------------')
sig = combine_sig(global_R, sigs)
print('Global sig: %s' % to_hex(sig))
verify(sig, digest, global_pk)
print('Valid Signature!')
if __name__ == '__main__':
if len(sys.argv) > 1:
self_test(digest=sys.argv[1])
else:
self_test(digest='4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')