Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Many cryptographic schemes assume a group of prime order. Edwards25519 is not a group of prime order (it has order 8 *
l
, wherel
is the order of the usual base point.) This has not prevented people using Edwards25519 nonetheless — some carefully check whether this cofactor 8 impacts the security of the scheme at hand whereas others are more reckless.There is, however, a convenient way to construct a group of prime order (
l
in fact) from Edwards25519 suggested by Mike Hamburg ( @bitwiseshiftleft ). Let's call his group the Ristretto group. The Ristretto group is the subgroup of even points quotiented by the points-of-order-less-than-equal-four.This PR adds two function
ToRistrettoBytes()
takes an even point and returns a binary encoding of the corresponding element in the the Ristretto group.FromRistrettoBytes()
takes a buffer and checks whether it encodes an element of the Ristretto group. If it does, the function returns a point representing the encoded element of the Ristretto group.Code is based on the Ristretto implementation in an unpublished version of the Panda library by Peter Schwabe ( @cryptojedi )
A similar feature was requested for libsodium: jedisct1/libsodium#704
Ristretto is already implemented in Rust in https://github.com/dalek-cryptography/curve25519-dalek