Two key ring signature
from __future__ import print_function

from hashlib import sha256
from random import SystemRandom, randint

from py_ecc import bn128
from py_ecc.bn128 import add, multiply, curve_order, G1
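def bytes_to_int(x):
    """Interpret the byte string *x* as a big-endian unsigned integer.

    An empty input yields 0.
    """
    o = 0
    # bytearray() yields ints on both Python 2 (str) and Python 3 (bytes);
    # calling ord() on each element raises TypeError on Python 3.
    for b in bytearray(x):
        o = (o << 8) + b
    return o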
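# Secret keys and nonces must come from a CSPRNG. The default `random`
# generator (Mersenne Twister) is predictable from its outputs, which would
# let an observer reconstruct the secret scalars drawn here.
_csprng = SystemRandom()


def rands():
    """Return a random scalar in [1, curve_order - 1] from the OS CSPRNG."""
    return _csprng.randint(1, curve_order - 1)


def sbmul(s):
    """Return s * G1 (scalar multiplication of the bn128 G1 generator)."""
    return multiply(G1, s)


def hashs(*x):
    """Hash a sequence of integers to a scalar modulo curve_order.

    The integers are rendered as upper-case hex joined by '.', hashed with
    SHA-256, and the digest is reduced modulo curve_order.
    """
    preimage = '.'.join(['%X'] * len(x)) % x
    # hashlib requires bytes on Python 3; the preimage is pure ASCII.
    digest = sha256(preimage.encode('ascii')).digest()
    # NOTE(review): reducing a 256-bit digest modulo curve_order is not
    # perfectly uniform; acceptable for a demo, revisit for real use.
    return bytes_to_int(digest) % curve_order


def hashp(*x):
    """Hash curve points by feeding the `.n` of every coordinate to hashs."""
    return hashs(*[item.n for sublist in x for item in sublist])


def addmod(x, y):
    """Return (x + y) mod curve_order."""
    return (x + y) % curve_order


def mulmod(x, y):
    """Return (x * y) mod curve_order."""
    return (x * y) % curve_order


def submod(x, y):
    """Return (x - y) mod curve_order."""
    return (x - y) % curve_order


def negmod(x):
    """Return -x mod curve_order."""
    return -x % curve_order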
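# Demo of a two-key ring: the prover knows x1 (the secret for P1) and shows
# that it knows the secret for one of {P0, P1}.
#
# NOTE(review): the challenge hash below covers only link0 and link1. No
# message and neither public key is bound into it, so as written this is a
# proof of knowledge for one ring member rather than a signature over data.

# Secret keys
x0 = rands()
x1 = rands()

# Public keys
P0 = sbmul(x0)
P1 = sbmul(x1)

# Random intermediate scalars
c0 = rands()
c1 = rands()
t0 = rands()
t1 = rands()

# Initial ring computation, using random values
link0 = add(sbmul(t0), multiply(P0, c0))
link1 = add(sbmul(t1), multiply(P1, c1))
result = hashp(link0, link1)

# Then close the ring, which proves we know the secret for one ring item.
# c1 is forced to result - c0, and t1 is adjusted with x1 so that
# t1*G + c1*P1 still equals link1.
# The pre-close t1/c1 are secret nonces: if they were disclosed together with
# the published t1/c1, x1 could be solved for from the line below.
tmpc1 = c1
c1 = submod(result, c0)
t1 = addmod(t1, mulmod(x1, submod(tmpc1, c1)))

# Then re-verify the ring from the published values only
vlink0 = add(sbmul(t0), multiply(P0, c0))
vlink1 = add(sbmul(t1), multiply(P1, c1))
vresult = hashp(vlink0, vlink1)

# Ring consists of:
# P0, P1, t0, t1, c0, c1
print("result", result)
print("vresult", vresult)
print("link0", link0)
print("link1", link1)
print("vlink0", vlink0)
print("vlink1", vlink1)
print("c0", c0)
print("c1", c1)
print("c0+c1", addmod(c0, c1))

# Public verification.
# Compare against vresult, the hash recomputed from the public ring values.
# Comparing against `result` would always pass, because c1 was defined above
# as result - c0, and a verifier never sees the signer's `result` anyway.
verify = addmod(c0, c1) == vresult
print(verify)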