Ian Goldberg (firstname.lastname@example.org), 2020-04-20
This code implements the protocol of Section 3 of Groth and Kohlweiss, "One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin", Eurocrypt 2015.
You can look at this protocol in a number of ways:
The technique of Section 4 of the above paper uses this same protocol to produce a log-sized ring signature: just compute the challenge x non-interactively as a hash of the group parameters, a message, the ring of public keys, and the output of the prover's first message.
The size of the proof is 4n group elements, plus 3n+1 scalars, where n = ceil(log_2(N)), and N is the number of commitments/group elements/public keys.