# Tutorial 4: Ring Signatures (Hiding in the Crowd)

In the previous tutorials, we covered:
1. **Diffie-Hellman:** Establishing a shared secret.
2. **Shamir Secret Sharing:** Splitting a secret into parts.
3. **Schnorr Signatures:** Proving you know *one* private key for *one* public key.

**Ring Signatures** combine these concepts. They allow a user to sign a message on behalf of a group (a "ring") of members.
* **Property 1 (Authentication):** The signature proves that *someone* in the group signed it.
* **Property 2 (Anonymity):** It is computationally infeasible to determine *which* member signed it.

### The Math: "Closing the Ring"

Recall the standard Schnorr equation:
$$ s = r + c \cdot x $$
$$ sG = R + cP $$

In a Ring Signature, we have a list of Public Keys $P_0, P_1, ... P_n$. We want to create a loop of challenges $c_0, c_1, ... c_n$ such that they all link together.

For every member $i$ in the ring, we calculate a commitment point $R_i$:
$$ R_i = s_i G + c_i P_i $$

We then chain them together by hashing the previous result to get the next challenge:
$$ c_{i+1} = H(Message, R_i) $$

**The Magic:** To make this a valid ring, the final challenge $c_n$ (which wraps around to $c_0$) must equal the initial starting seed. If you can close the loop, the signature is valid.

In [None]:
extern crate kn0syseccrs as ecc;
use std::time::{SystemTime, UNIX_EPOCH};

// Helper function to convert our commitment point R into a challenge hash
// c = H(message, R_hex)
fn get_challenge(message: &str, r_point: &ecc::Point) -> ecc::Scalar {
    let r_hex = r_point.get_hex();
    let hash_input = vec![message, &r_hex];
    ecc::hash_to_scalar(hash_input).unwrap()
}

println!("Libraries loaded. Ready to build the ring.");

### Step 1: Verification
It is actually easier to understand how to *verify* a ring signature before learning how to *create* one.

A Ring Signature consists of:
1. The **Message**.
2. The **Ring** (A list of Public Keys).
3. The **Seed Challenge** ($c_0$).
4. A list of **Responses** ($s_0, s_1, ... s_n$).

To verify, we simply run the loop. We calculate $R_i$ for every member, hash it to get the next $c$, and see if the final result matches the start.

$$ R_i = s_i G + c_i P_i $$
$$ c_{i+1} = H(m, R_i) $$

If $c_{last} == c_0$, the ring is closed and valid.

In [None]:
fn verify_ring(
    message: &str,
    ring: &Vec<ecc::Point>,
    c_0: ecc::Scalar,
    s_responses: &Vec<ecc::Scalar>
) -> bool {
    let n = ring.len();
    let mut c = c_0.clone();

    // Iterate through every member of the ring
    for i in 0..n {
        let s_i = &s_responses[i];
        let P_i = &ring[i];

        // R_i = s_i * G + c * P_i
        // Note: In ecc-rs, '+' and '*' are Result types, so we unwrap.
        let s_G = (ecc::G.clone() * s_i.clone()).unwrap();
        let c_P = (P_i.clone() * c.clone()).unwrap();
        let R_i = (s_G + c_P).unwrap();

        // Calculate next c
        c = get_challenge(message, &R_i);
    }

    // The ring is valid if the final calculated 'c' matches the initial 'c_0'
    return c.get_hex() == c_0.get_hex();
}

println!("Verification logic defined.");

### Step 2: Signing (The Trapdoor)

If we don't know the private keys, we can't control the output of $R_i = s_i G + c_i P_i$.

However, if we are the **Signer** (at index $\pi$), we possess the private key $x_\pi$. We can use a trick:

1. **Fake the others:** For every index that isn't us, we just generate a random $s_i$ and a random $c_i$. This lets us calculate a valid-looking $R_i$.
2. **Close the loop:** We run the loop until we reach our own index $\pi$. We now have a specific challenge $c_\pi$ that was forced upon us by the previous link in the chain.
3. **Solve for s:** We need to find an $s_\pi$ that generates the exact $R_\pi$ needed to link back to the start.

We use a special non-random nonce $\alpha$ for our commitment:
$$ R_\pi = \alpha G $$
$$ s_\pi = \alpha - (c_\pi \cdot x_\pi) $$

This allows us to mathematically force the ring to close without revealing that we were the ones who forced it.

In [None]:
fn sign_ring(
    message: &str,
    ring: Vec<ecc::Point>,
    my_pair: (ecc::Scalar, ecc::Point),
    my_index: usize
) -> (ecc::Scalar, Vec<ecc::Scalar>) {

    let n = ring.len();
    let (my_priv, my_pub) = my_pair;

    // We need to store s_values. Initialize with dummy values.
    let mut s_responses: Vec<ecc::Scalar> = Vec::new();
    let mut c_challenges: Vec<ecc::Scalar> = Vec::new();

    // 1. Generate random 's' values for everyone.
    // We will overwrite OUR 's' value later.
    for _ in 0..n {
        s_responses.push(ecc::Scalar::random().unwrap());
        c_challenges.push(ecc::Scalar::random().unwrap()); // Dummies for now
    }

    // 2. Start the ring just after our index.
    // We need a random nonce 'alpha' for our own commitment
    let alpha = ecc::Scalar::random().unwrap();

    // Calculate OUR commitment R_pi = alpha * G
    let R_pi = (ecc::G.clone() * alpha.clone()).unwrap();

    // Calculate the challenge for the NEXT person (pi + 1)
    let mut c_next = get_challenge(message, &R_pi);

    // 3. The "Forgery" Loop
    // Iterate through the ring starting from the person AFTER us
    for i in 1..n {
        let idx = (my_index + i) % n;

        // Store the challenge we just calculated
        c_challenges[idx] = c_next.clone();

        // Calculate R for this fake participant using their random s and our calculated c
        // R = sG + cP
        let s_G = (ecc::G.clone() * s_responses[idx].clone()).unwrap();
        let c_P = (ring[idx].clone() * c_next.clone()).unwrap();
        let R_fake = (s_G + c_P).unwrap();

        // Calculate next c
        c_next = get_challenge(message, &R_fake);
    }

    // 4. Close the Loop (The Trapdoor)
    // The final 'c_next' wraps around and becomes OUR challenge c_pi
    let c_pi = c_next; 
    
    // We must solve for s_pi such that: s_pi = alpha - (c_pi * x_pi)
    let cx = (c_pi.clone() * my_priv).unwrap();
    let s_pi = (alpha - cx).unwrap();

    // Insert our solved values
    s_responses[my_index] = s_pi;
    
    // The initial seed c_0 is whatever challenge belongs to index 0
    // If we are index 0, it's c_pi. If we are index 1, it was calculated in the loop.
    let c_0 = if my_index == 0 { c_pi } else { c_challenges[0].clone() };

    (c_0, s_responses)
}

println!("Signing logic defined.");

In [None]:
// 1. Setup the Ring
// Let's create a ring of 3 people: Alice, Bob, and Charlie.
let priv_alice = ecc::Scalar::random().unwrap();
let pub_alice = (ecc::G.clone() * priv_alice.clone()).unwrap();

let priv_bob = ecc::Scalar::random().unwrap();
let pub_bob = (ecc::G.clone() * priv_bob.clone()).unwrap();

let priv_charlie = ecc::Scalar::random().unwrap();
let pub_charlie = (ecc::G.clone() * priv_charlie.clone()).unwrap();

// The public ring is visible to everyone
let ring = vec![pub_alice.clone(), pub_bob.clone(), pub_charlie.clone()];

println!("Ring created with 3 members.");

// 2. Bob wants to sign a message anonymously
let message = "This leak comes from the triumvirate.";
let my_pair = (priv_bob.clone(), pub_bob.clone());
let my_index = 1; // Bob is at index 1

println!("Bob is generating signature...");
let (c_0, s_responses) = sign_ring(message, ring.clone(), my_pair, my_index);

println!("Signature generated!");
println!("c_0: {}", c_0.get_hex());

// 3. Verify the signature
// The verifier does NOT know it was Bob. They just see the ring and the signature.
let is_valid = verify_ring(message, &ring, c_0.clone(), &s_responses);

println!("--------------------------------");
if is_valid {
    println!("SUCCESS: The signature is valid for the ring!");
} else {
    println!("FAILURE: Signature rejected.");
}

In [None]:
// 4. Tamper Test
// What if we try to use the same signature for a different message?
let fake_message = "This leak comes from valid sources.";
let is_valid_tampered = verify_ring(fake_message, &ring, c_0, &s_responses);

if !is_valid_tampered {
    println!("SUCCESS: Tampered message rejected properly.");
} else {
    println!("FAILURE: Tampered message was accepted!");
}