HarryR/borrito.py

## borrito.py
from __future__ import print_function
from py_ecc import bn128
from random import randint
from hashlib import sha256
from py_ecc.bn128 import add, multiply, curve_order, G1
from py_ecc.bn128.bn128_field_elements import inv

bytes_to_int = lambda x: reduce(lambda o, b: (o << 8) + ord(b), [0] + list(x))
rands = lambda: randint(1, curve_order - 1)
sbmul = lambda s: multiply(G1, s)
hashs = lambda *x: bytes_to_int(sha256('.'.join(['%X' for _ in range(0, len(x))]) % x).digest()) % curve_order
hashp = lambda *x: hashs(*[item.n for sublist in x for item in sublist])
addmod = lambda x, y: (x + y) % curve_order
mulmod = lambda x, y: (x * y) % curve_order
submod = lambda x, y: (x - y) % curve_order


def borrito_randkeys(n=4):
	skeys = [rands() for _ in range(0, n)]
	pkeys = [sbmul(sk) for sk in skeys]
	i = randint(0, n-1)
	return pkeys, (pkeys[i], skeys[i])


def borrito_sign(pkeys, mypair, tees=None, alpha=None):
	mypk, mysk = mypair
	myidx = pkeys.index(mypk)

	tees = tees or [rands() for _ in range(0, len(pkeys))]
	cees = [0 for _ in range(0, len(pkeys))]
	alpha = alpha or rands()

	i = myidx
	n = 0
	while n < len(pkeys):
		idx = i % len(pkeys)
		c = alpha if n == 0 else cees[idx-1]
		cees[idx] = hashp(add(sbmul(c), multiply(pkeys[idx], tees[idx])))
		n += 1
		i += 1

	# Then close the ring, which proves we know the secret for one ring item
	alpha_gap = submod(alpha, cees[myidx-1])
	tees[myidx] = mulmod(addmod(alpha_gap, mulmod(mysk, tees[myidx])), inv(mysk, curve_order))

	return pkeys, tees, cees[-1]


def borrito_check(pkeys, tees, seed):
	c = seed
	for i, pkey in enumerate(pkeys):
		c = hashp(add(sbmul(c or seed), multiply(pkey, tees[i])))
	return c == seed


if __name__ == "__main__":
	print(borrito_check(*borrito_sign(*borrito_randkeys(10))))
	from __future__ import print_function
	from py_ecc import bn128
	from random import randint
	from hashlib import sha256
	from py_ecc.bn128 import add, multiply, curve_order, G1
	from py_ecc.bn128.bn128_field_elements import inv

	bytes_to_int = lambda x: reduce(lambda o, b: (o << 8) + ord(b), [0] + list(x))
	rands = lambda: randint(1, curve_order - 1)
	sbmul = lambda s: multiply(G1, s)
	hashs = lambda *x: bytes_to_int(sha256('.'.join(['%X' for _ in range(0, len(x))]) % x).digest()) % curve_order
	hashp = lambda x: hashs([item.n for sublist in x for item in sublist])
	addmod = lambda x, y: (x + y) % curve_order
	mulmod = lambda x, y: (x * y) % curve_order
	submod = lambda x, y: (x - y) % curve_order


	def borrito_randkeys(n=4):
	skeys = [rands() for _ in range(0, n)]
	pkeys = [sbmul(sk) for sk in skeys]
	i = randint(0, n-1)
	return pkeys, (pkeys[i], skeys[i])


	def borrito_sign(pkeys, mypair, tees=None, alpha=None):
	mypk, mysk = mypair
	myidx = pkeys.index(mypk)

	tees = tees or [rands() for _ in range(0, len(pkeys))]
	cees = [0 for _ in range(0, len(pkeys))]
	alpha = alpha or rands()

	i = myidx
	n = 0
	while n < len(pkeys):
	idx = i % len(pkeys)
	c = alpha if n == 0 else cees[idx-1]
	cees[idx] = hashp(add(sbmul(c), multiply(pkeys[idx], tees[idx])))
	n += 1
	i += 1

	# Then close the ring, which proves we know the secret for one ring item
	alpha_gap = submod(alpha, cees[myidx-1])
	tees[myidx] = mulmod(addmod(alpha_gap, mulmod(mysk, tees[myidx])), inv(mysk, curve_order))

	return pkeys, tees, cees[-1]


	def borrito_check(pkeys, tees, seed):
	c = seed
	for i, pkey in enumerate(pkeys):
	c = hashp(add(sbmul(c or seed), multiply(pkey, tees[i])))
	return c == seed


	if __name__ == "__main__":
	print(borrito_check(borrito_sign(borrito_randkeys(10))))