Edwards25519 is not a group of prime order --- it has order 8 * l, where l is the (prime) order of the basepoint. Mike Hamburg's Ristretto is a convenient method to construct a group of order l from Edwards25519 as a subquotient (quotient of a subgroup). Half of the points of Edwards25519 are "in" the Ristretto group. (It's the even points.) Every element of the Ristretto group has exactly four points that represent it in the Edwards25519 curve. (Points are equivalent iff they differ by a point of order less than or equal to 4.) This commit adds two functions. ToRistrettoBytes() takes an even curvepoint and returns a binary encoding of the corresponding element of the Ristretto group. FromRistrettoBytes() takes a buffer and checks whether it is a binary encoding of an element of the Ristretto group. If it is, the function returns a point that represents the encoded element of the Ristretto group.
Author
I would prefer Ristretto to be part of the standard library, but in the meantime I have a separate package bwesterb/go-ristretto.
Many cryptographic schemes assume a group of prime order. Edwards25519 is not a group of prime order (it has order 8 * l, where l is the order of the usual base point). This has not prevented people using Edwards25519 nonetheless — some carefully check whether this cofactor 8 impacts the security of the scheme at hand whereas others are more reckless.

There is, however, a convenient way to construct a group of prime order (l in fact) from Edwards25519 suggested by Mike Hamburg ( @bitwiseshiftleft ). Let's call his group the Ristretto group. The Ristretto group is the subgroup of even points quotiented by the points of order less than or equal to four.

This PR adds two functions:

ToRistrettoBytes() takes an even point and returns a binary encoding of the corresponding element in the Ristretto group.
FromRistrettoBytes() takes a buffer and checks whether it encodes an element of the Ristretto group. If it does, the function returns a point representing the encoded element of the Ristretto group.

Code is based on the Ristretto implementation in an unpublished version of the Panda library by Peter Schwabe ( @cryptojedi ).
A similar feature was requested for libsodium: jedisct1/libsodium#704
Ristretto is already implemented in Rust in https://github.com/dalek-cryptography/curve25519-dalek
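The group structure that the description above relies on can be checked directly. The following Go program is an added example written for this page; it is not code from this PR, from Go's ed25519 package, or from go-ristretto. It builds Edwards25519 affine arithmetic on math/big, recovers the base point B (of order l) from y = 4/5, constructs a point T4 of order 4 and a point T8 of order 8, and then checks two things the description states: that a torsion component survives multiplication by l (so [l](B + T4) is T4, not the identity, which is the cofactor hazard a scheme has to reason about), and that the "even" points Ristretto starts from are exactly the points P with [4l]P = O, since the curve group is Z/l x Z/8. The names B, T4, T8 and the helper IsEven are this example's own; the arithmetic is variable-time and is for illustration, not for use in a protocol.

```go
package main

import (
	"fmt"
	"math/big"
)

// Edwards25519 is -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); its point group has order 8*l.
var (
	p      = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19)) // 2^255 - 19
	l      *big.Int // 2^252 + 27742317777372353535851937790883648493, the order of the base point
	d      *big.Int // -121665/121666 mod p
	sqrtM1 *big.Int // a square root of -1 mod p
)

func mod(x *big.Int) *big.Int    { return new(big.Int).Mod(x, p) }
func add(a, b *big.Int) *big.Int { return mod(new(big.Int).Add(a, b)) }
func sub(a, b *big.Int) *big.Int { return mod(new(big.Int).Sub(a, b)) }
func mul(a, b *big.Int) *big.Int { return mod(new(big.Int).Mul(a, b)) }
func inv(a *big.Int) *big.Int    { return new(big.Int).ModInverse(a, p) }
func neg(a *big.Int) *big.Int    { return sub(big.NewInt(0), a) }

func init() {
	l, _ = new(big.Int).SetString("7237005577332262213973186563042994240857116359379907606001950938285454250989", 10)
	d = mul(neg(big.NewInt(121665)), inv(big.NewInt(121666)))
	// p = 5 (mod 8), so 2 is a non-residue and 2^((p-1)/4) squares to -1.
	sqrtM1 = new(big.Int).Exp(big.NewInt(2), new(big.Int).Rsh(new(big.Int).Sub(p, big.NewInt(1)), 2), p)
}

// sqrt returns a square root of a mod p, if one exists (the p = 5 mod 8 shortcut).
func sqrt(a *big.Int) (*big.Int, bool) {
	a = mod(a)
	r := new(big.Int).Exp(a, new(big.Int).Rsh(new(big.Int).Add(p, big.NewInt(3)), 3), p)
	if mul(r, r).Cmp(a) != 0 {
		r = mul(r, sqrtM1) // the other candidate; if this fails too, a is a non-residue
	}
	return r, mul(r, r).Cmp(a) == 0
}

// Point is an affine curve point; Identity is the neutral element (0, 1).
type Point struct{ X, Y *big.Int }
var Identity = Point{big.NewInt(0), big.NewInt(1)}
func (P Point) Equal(Q Point) bool { return P.X.Cmp(Q.X) == 0 && P.Y.Cmp(Q.Y) == 0 }

// Add is the complete twisted Edwards addition law for a = -1 (denominators never vanish).
func Add(P, Q Point) Point {
	t, one := mul(d, mul(mul(P.X, Q.X), mul(P.Y, Q.Y))), big.NewInt(1)
	x := mul(add(mul(P.X, Q.Y), mul(P.Y, Q.X)), inv(add(one, t)))
	y := mul(add(mul(P.Y, Q.Y), mul(P.X, Q.X)), inv(sub(one, t)))
	return Point{x, y}
}

// ScalarMult computes [k]P by double-and-add (variable time: illustration only).
func ScalarMult(k *big.Int, P Point) Point {
	R := Identity
	for i := k.BitLen() - 1; i >= 0; i-- {
		if R = Add(R, R); k.Bit(i) == 1 {
			R = Add(R, P)
		}
	}
	return R
}

// BasePoint recovers the generator (up to sign) from y = 4/5; both roots have order l.
func BasePoint() Point {
	y := mul(big.NewInt(4), inv(big.NewInt(5)))
	y2 := mul(y, y)
	x, _ := sqrt(mul(sub(y2, big.NewInt(1)), inv(add(mul(d, y2), big.NewInt(1))))) // 4/5 is a valid y, so the root exists
	return Point{x, y}
}

// Order4Point returns T = (sqrt(-1), 0): [2]T = (0, -1) and [4]T = Identity.
func Order4Point() Point { return Point{new(big.Int).Set(sqrtM1), big.NewInt(0)} }

// Order8Point finds R with [2]R = (±sqrt(-1), 0): then x = sqrt(-1)*y, the curve equation
// becomes d*y^4 + 2*y^2 - 1 = 0, so y^2 = (-1 ± sqrt(1+d))/d, and exactly one sign is a square.
func Order8Point() (Point, bool) {
	s, ok := sqrt(add(big.NewInt(1), d))
	if !ok {
		return Point{}, false
	}
	for _, root := range []*big.Int{s, neg(s)} {
		if y, ok := sqrt(mul(sub(root, big.NewInt(1)), inv(d))); ok {
			return Point{mul(sqrtM1, y), y}, true
		}
	}
	return Point{}, false
}

// IsEven reports whether P = [2]Q for some Q, i.e. whether P is in the index-2 subgroup
// Ristretto starts from. Since the group is Z/l x Z/8, this is exactly the test [4l]P = O.
func IsEven(P Point) bool { return ScalarMult(new(big.Int).Lsh(l, 2), P).Equal(Identity) }

func main() {
	B, T4 := BasePoint(), Order4Point()
	T8, _ := Order8Point()
	fmt.Println("[l]B == O:", ScalarMult(l, B).Equal(Identity), " [l](B+T4) == T4:", ScalarMult(l, Add(B, T4)).Equal(T4))
	fmt.Println("even? B:", IsEven(B), " B+T4:", IsEven(Add(B, T4)), " T8:", IsEven(T8), " B+T8:", IsEven(Add(B, T8)))
}
```

The four points B, B + T4, B + [2]T4 and B + [3]T4 are distinct even curve points, and by the equivalence in the description they all encode the same Ristretto element; T8 and B + T8 are odd, so they are not representatives of any Ristretto element at all. Note that IsEven as written costs a full scalar multiplication; a real encoder such as the one in this PR decides evenness from the point's coordinates instead.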