'Burrito' ring signature, using `c0‧G + s0‧P0` instead of `c0‧P0 + s0‧G`

burrito-ringsig.py

from __future__ import print_function
from py_ecc import bn128
from random import randint
from hashlib import sha256
from py_ecc.bn128 import add, multiply, curve_order, G1
from py_ecc.bn128.bn128_field_elements import inv

def bytes_to_int(x):
    o = 0
    for b in x:
        o = (o << 8) + ord(b)
    return o

rands = lambda: randint(1, curve_order - 1)
sbmul = lambda s: multiply(G1, s)
hashs = lambda *x: bytes_to_int(sha256('.'.join(['%X' for _ in range(0, len(x))]) % x).digest()) % curve_order
hashp = lambda *x: hashs(*[item.n for sublist in x for item in sublist])
addmod = lambda x, y: (x + y) % curve_order
mulmod = lambda x, y: (x * y) % curve_order
submod = lambda x, y: (x - y) % curve_order
negmod = lambda x: -x % curve_order


# Secret keys
x0 = rands()
x1 = rands()

# Public keys
P0 = sbmul(x0)
P1 = sbmul(x1)

# Random intermediate scalars
alpha = rands()
t0 = rands()
t1 = rands()

# Initial ring computation, using random values
link1 = add(sbmul(alpha), multiply(P1, t1))
c1 = hashp(link1)

link0 = add(sbmul(c1), multiply(P0, t0))
c0 = hashp(link0)

# Then close the ring, which proves we know the secret for one ring item
alpha_gap = submod(alpha, c0)
alpha_fixed = submod(alpha, alpha_gap)
t1 = mulmod(addmod(alpha_gap, mulmod(x1, t1)), inv(x1, curve_order))

# Then re-verify the ring
seed = c1
vlink0 = add(sbmul(seed), multiply(P0, t0))
vc0 = hashp(vlink0)
vlink1 = add(sbmul(vc0), multiply(P1, t1))
vc1 = hashp(vlink1)

# Ring consists of:
# P0, P1, t0, t1, seed

print("c0", c0)
print("vc0", vc0)
print("c1", c1)
print("vc1", vc1)
print("link0", link0)
print("link1", link1)
print("vlink0", vlink0)
print("vlink1", vlink1)

# Public verification
print("verify c0", vc0 == c0)
print("verify c1", vc1 == c1)
print("verify ring", seed == vc1)