Created
December 29, 2017 00:00
'Burrito' ring signature, using `c0‧G + s0‧P0` instead of `c0‧P0 + s0‧G`
from __future__ import print_function

from hashlib import sha256
from random import SystemRandom, randint

from py_ecc import bn128
from py_ecc.bn128 import add, multiply, curve_order, G1
from py_ecc.bn128.bn128_field_elements import inv
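def bytes_to_int(x):
    """Interpret *x* as a big-endian unsigned integer.

    Accepts anything whose iteration yields either one-character strings
    (Python 2 ``str``, text strings) or integers (Python 3 ``bytes``,
    ``bytearray``). An empty input gives 0.
    """
    o = 0
    for b in x:
        # Python 3 bytes iterate as ints, where ord() would raise TypeError;
        # Python 2 str iterates as 1-char strings, which still need ord().
        o = (o << 8) + (b if isinstance(b, int) else ord(b))
    return o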
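# Scalars produced by rands() become secret keys and per-signature blinding
# values, so they are drawn from the operating system's CSPRNG rather than the
# module-level Mersenne Twister behind random.randint, whose output can be
# predicted from earlier outputs.
_SYSTEM_RANDOM = SystemRandom()


def rands():
    """Return a random scalar in the inclusive range [1, curve_order - 1]."""
    return _SYSTEM_RANDOM.randint(1, curve_order - 1)


def sbmul(s):
    """Return the scalar multiple ``s * G1`` of the bn128 generator."""
    return multiply(G1, s)


def hashs(*x):
    """Hash the integers *x* to a scalar modulo ``curve_order``.

    Each argument is rendered as upper-case hex, the pieces are joined with
    '.', and the SHA-256 digest of that text is reduced modulo curve_order.
    """
    text = '.'.join(['%X'] * len(x)) % x
    # hashlib only accepts bytes on Python 3; the text is pure ASCII hex and
    # dots, so the encoding leaves the hashed content unchanged.
    return bytes_to_int(sha256(text.encode('ascii')).digest()) % curve_order


def hashp(*x):
    """Hash one or more points by feeding the ``.n`` of every coordinate to hashs."""
    return hashs(*[item.n for sublist in x for item in sublist])


def addmod(x, y):
    """Return ``(x + y)`` modulo curve_order."""
    return (x + y) % curve_order


def mulmod(x, y):
    """Return ``(x * y)`` modulo curve_order."""
    return (x * y) % curve_order


def submod(x, y):
    """Return ``(x - y)`` modulo curve_order."""
    return (x - y) % curve_order


def negmod(x):
    """Return the additive inverse of *x* modulo curve_order."""
    return -x % curve_order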
# Two-member ring demonstration. The signer closes the ring with x1, so only
# the secret for member 1 is needed; x0 is generated solely to derive P0.
# Every scalar here comes from rands(), so the secrecy of the keys and of
# alpha/t0/t1 is only as strong as that generator.

# Secret scalars and their public points P_i = x_i * G1
x0, x1 = rands(), rands()
P0, P1 = sbmul(x0), sbmul(x1)

# Blinding scalar alpha and one response scalar per ring member
alpha, t0, t1 = rands(), rands(), rands()

# First pass around the ring with random values, starting at member 1.
# Each link has the form c*G1 + t_i*P_i and hashp(link) is the next challenge.
# NOTE(review): hashp receives only the link point; no message and no list of
# ring members enters the challenge, so this script shows the ring algebra
# rather than a signature over data - confirm before reusing it as one.
link1 = add(sbmul(alpha), multiply(P1, t1))
c1 = hashp(link1)
link0 = add(sbmul(c1), multiply(P0, t0))
c0 = hashp(link0)

# Close the ring: replace t1 so that c0*G1 + t1*P1 reproduces link1.
# Since P1 = x1*G1, the new response is t1 + (alpha - c0)/x1 (mod curve_order),
# which can only be computed by someone who knows x1.
alpha_gap = submod(alpha, c0)
# alpha - alpha_gap reduces back to c0; the value is not used further below.
alpha_fixed = submod(alpha, alpha_gap)
t1 = mulmod(inv(x1, curve_order), addmod(mulmod(t1, x1), alpha_gap))

# Recompute the ring the way a verifier would, from the published values only:
#   P0, P1, t0, t1, seed
seed = c1
vlink0 = add(sbmul(seed), multiply(P0, t0))
vc0 = hashp(vlink0)
vlink1 = add(sbmul(vc0), multiply(P1, t1))
vc1 = hashp(vlink1)

# Dump signer-side and verifier-side values next to each other
for _label, _value in (
    ("c0", c0),
    ("vc0", vc0),
    ("c1", c1),
    ("vc1", vc1),
    ("link0", link0),
    ("link1", link1),
    ("vlink0", vlink0),
    ("vlink1", vlink1),
):
    print(_label, _value)

# Public verification. Only `seed == vc1` uses values that are part of the
# ring; c0 is a signer-side intermediate, so "verify c0" is a self-consistency
# check of this script, and "verify c1" repeats the ring check because
# seed is c1.
for _label, _ok in (
    ("verify c0", vc0 == c0),
    ("verify c1", vc1 == c1),
    ("verify ring", seed == vc1),
):
    print(_label, _ok)