from hashlib import sha256

# Ring Signatures
# bLSAG: Back’s Linkable Spontaneous Anonymous Group signatures
#
# A Rust implementation of this scheme can be found at:
# https://github.com/arnaucube/ring-signatures-rs

def hashToPoint(a):
    # TODO use a proper hash-to-point
    h = sha256((str(a)).encode('utf-8'))
    r = int(h.hexdigest(), 16) * g
    return r

def hash(R, m, A, B, q):
    h = sha256((
        str(R) + str(m) + str(A) + str(B)
        ).encode('utf-8'))
    r = int(h.hexdigest(), 16)
    return int(mod(r, q))

def print_ring(a):
    print("ring of c's:")
    for i in range(len(a)):
        print(i, a[i])
    print("")

class Prover:
    def __init__(self, F, g):
        self.F = F # Z_p
        self.g = g # elliptic curve generator
        self.q = self.g.order() # order of group

    def new_key(self):
        self.w = int(self.F.random_element())
        self.K = self.g * self.w
        return self.K

    def sign(self, m, R):
        # determine pi (the position of signer's public key in R
        pi = -1
        for i in range(len(R)):
            if self.K == R[i]:
                pi = i
                break
        assert pi>=0

        a = int(self.F.random_element())
        r = [None] * len(R)
        # for i \in {1, 2, ..., n} \ {i=pi}
        for i in range(0, len(R)):
            if i==pi:
                continue

            r[i] = int(mod(int(self.F.random_element()), self.q))

        c = [None] * len(R)
        # c_{pi+1}
        pi1 = mod(pi + 1, len(R))
        c[pi1] = hash(R, m, a * self.g, hashToPoint(R[pi]) * a, self.q)

        key_image = self.w * hashToPoint(self.K)

        # do c_{i+1} from i=pi+1 to pi-1:
        for j in range(0, len(R)-1):
            i = mod(pi1+j, len(R))
            i1 = mod(pi1+j +1, len(R))

            c[i1] = hash(R, m, r[i] * self.g + c[i] * R[i], r[i] * hashToPoint(R[i]) + c[i] * key_image, self.q)

        # compute r_pi
        r[pi] = int(mod(a - c[pi] * self.w, self.q))
        print_ring(c)

        return [c[0], r]

def verify(g, R, m, key_image, sig):
    q = g.order()
    c1 = sig[0]
    r = sig[1]
    assert len(R) == len(r)

    # check that key_image \in G (EC), by l * key_image == 0
    assert q * key_image == 0 # in sage 0 EC point is represented as (0:1:0)


    # for i \in 1,2,...,n
    c = [None] * len(R)
    c[0] = c1
    for j in range(0, len(R)):
        i = mod(j, len(R))
        i1 = mod(j+1, len(R))
        c[i1] = hash(R, m, r[i] * g + c[i] * R[i], r[i] * hashToPoint(R[i]) + c[i] * key_image, q)

    print_ring(c)
    assert c1 == c[0]

# Tests
import unittest, operator

# ethereum elliptic curve
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a = 0
b = 7
F = GF(p)
E = EllipticCurve(F, [a,b])
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
g = E(GX,GY)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
h = 1
q = g.order()
assert is_prime(p)
assert is_prime(q)
assert g * q == 0


class TestRingSignatures(unittest.TestCase):
        def test_bLSAG_ring_of_5(self):
                test_bLSAG(5, 3)
        def test_bLSAG_ring_of_20(self):
                test_bLSAG(20, 14)

def test_bLSAG(ring_size, pi):
        print(f"[bLSAG] Testing with a ring of {ring_size} keys")
        prover = Prover(F, g)
        n = ring_size
        R = [None] * n

        # generate prover's key pair
        K_pi = prover.new_key()

        # generate other n public keys
        for i in range(0, n):
            R[i] = g * i

        # set K_pi
        R[pi] = K_pi

        # sign m
        m = 1234
        print("sign")
        sig = prover.sign(m, R)

        print("verify")
        key_image = prover.w * hashToPoint(prover.K)
        verify(g, R, m, key_image, sig)

if __name__ == '__main__':
        unittest.main()