@HarryR
Created December 28, 2017 12:37
AOS ring signature using two keys
from __future__ import print_function

from hashlib import sha256
from random import SystemRandom
from random import randint

from py_ecc import bn128
from py_ecc.bn128 import add, multiply, curve_order, G1
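def bytes_to_int(x):
    """Interpret *x* as a big-endian unsigned integer.

    Works for a Python 2 ``str`` as well as Python 3 ``bytes`` and
    ``bytearray``. An empty input yields 0.
    """
    o = 0
    for b in x:
        # Iterating Python 3 bytes yields ints, on which ord() raises
        # TypeError; iterating a str (either version) yields 1-char strings.
        o = (o << 8) + (b if isinstance(b, int) else ord(b))
    return o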
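def rands():
    """Return a random scalar in the range [1, curve_order - 1].

    Secret keys and signing nonces are drawn from here, so the value comes
    from the operating system CSPRNG. The module-level ``random.randint``
    uses the Mersenne Twister, whose output can be predicted once enough of
    it has been observed, which makes it unsuitable for key material.
    """
    return SystemRandom().randint(1, curve_order - 1)


def sbmul(s):
    """Multiply the G1 generator by the scalar *s*."""
    return multiply(G1, s)


def hashs(*x):
    """Hash the integers *x* to a scalar modulo curve_order.

    Each integer is rendered as upper-case hex, the renderings are joined
    with '.', and the SHA-256 digest of that string is reduced modulo
    curve_order.
    """
    fmt = '.'.join(['%X'] * len(x))
    # hashlib needs bytes on Python 3. The formatted string is pure ASCII,
    # so the digest matches what Python 2 produced from the str directly.
    return bytes_to_int(sha256((fmt % x).encode('ascii')).digest()) % curve_order


def hashp(*x):
    """Hash one or more points to a scalar modulo curve_order.

    Every argument is iterated and the ``.n`` attribute of each item is
    passed to hashs(), in order.
    NOTE(review): for bn128 G1 points these are presumably the affine
    coordinates as field elements; confirm against py_ecc.
    """
    return hashs(*[item.n for sublist in x for item in sublist])


def addmod(x, y):
    """Return (x + y) mod curve_order."""
    return (x + y) % curve_order


def mulmod(x, y):
    """Return (x * y) mod curve_order."""
    return (x * y) % curve_order


def submod(x, y):
    """Return (x - y) mod curve_order."""
    return (x - y) % curve_order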
# Demonstration of a two-member ring: build a ring over P0 and P1 using the
# secret for P1, then re-run the ring from the published values.
#
# NOTE(review): hashp() is only ever given the commitment point. No message
# and no ring public keys enter the challenge hash, so as written this shows
# knowledge of one ring secret rather than a signature over some message.
# A ring *signature* would normally bind the message and the ring members
# into every challenge; confirm the intended use before building on this.

# Secret keys
# x0 is used only to derive P0 below; the ring is closed with x1 alone.
x0 = rands()
x1 = rands()
# Public keys
P0 = sbmul(x0)
P1 = sbmul(x1)
# Random intermediate scalars
# These are only as unpredictable as rands(). alpha and the initial t1 must
# be fresh for every ring and never disclosed: given both, the closing
# equation for t1 below can be solved for x1.
alpha = rands()
t0 = rands()
t1 = rands()
# Initial ring computation, using random values
# link1 = t1*G + alpha*P1 is the signer's commitment; result1 is the
# challenge handed to ring member 0.
link1 = add(sbmul(t1), multiply(P1, alpha))
result1 = hashp(link1)
# Member 0 is simulated: t0 is random and the challenge is result1.
link0 = add(sbmul(t0), multiply(P0, result1))
result0 = hashp(link0)
# Then close the ring, which proves we know the secret for one ring item
# t1 is overwritten with t1 + x1*(alpha - result0) mod curve_order, chosen so
# that t1*G + result0*P1 equals the original link1. The initial t1 is
# discarded here.
t1 = addmod(t1, mulmod(x1, submod(alpha, result0)))
# Then re-verify the ring
# Uses only P0, P1, t0, the closed t1 and seed.
seed = result1
vlink0 = add(sbmul(t0), multiply(P0, seed))
vresult0 = hashp(vlink0)
vlink1 = add(sbmul(t1), multiply(P1, vresult0))
vresult1 = hashp(vlink1)
# Ring consists of:
# P0, P1, t0, t1, seed
# Debug output of challenges and commitment points; x0, x1 and alpha are not
# printed.
print("result0", result0)
print("vresult0", vresult0)
print("result1", result1)
print("vresult1", vresult1)
print("link0", link0)
print("link1", link1)
print("vlink0", vlink0)
print("vlink1", vlink1)
# Public verification
# The first two checks compare against result0 and result1 as computed while
# building the ring, so they are a self-test of this script. Of the three,
# only the final check (seed == vresult1) uses nothing outside the published
# ring.
print("verify result 0", vresult0 == result0)
print("verify result 1", vresult1 == result1)
print("verify ring", seed == vresult1)