{"id":17717299,"url":"https://github.com/bwesterb/go-ristretto","last_synced_at":"2025-04-06T01:08:42.465Z","repository":{"id":50462181,"uuid":"135798749","full_name":"bwesterb/go-ristretto","owner":"bwesterb","description":"Pure Go implementation of the Ristretto prime-order group over Edwards25519","archived":false,"fork":false,"pushed_at":"2023-03-16T16:58:47.000Z","size":340,"stargazers_count":85,"open_issues_count":2,"forks_count":8,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-06-18T14:14:53.519Z","etag":null,"topics":["curve25519","edwards25519","elligator","golang","prime-order-group","ristretto"],"latest_commit_sha":null,"homepage":"https://godoc.org/github.com/bwesterb/go-ristretto","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bwesterb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-06-02T07:54:22.000Z","updated_at":"2024-06-16T03:31:42.000Z","dependencies_parsed_at":"2024-06-18T14:06:21.726Z","dependency_job_id":"78628d16-1cb6-440f-be44-feacfcd4738f","html_url":"https://github.com/bwesterb/go-ristretto","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwesterb%2Fgo-ristretto","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwesterb%2Fgo-ristretto/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bwesterb%2Fgo-ristretto/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/bwesterb%2Fgo-ristretto/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bwesterb","download_url":"https://codeload.github.com/bwesterb/go-ristretto/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247419860,"owners_count":20936012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["curve25519","edwards25519","elligator","golang","prime-order-group","ristretto"],"created_at":"2024-10-25T14:19:45.670Z","updated_at":"2025-04-06T01:08:42.442Z","avatar_url":"https://github.com/bwesterb.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"go-ristretto\n============\n\nMany cryptographic schemes need a group of prime order.  Popular and\nefficient elliptic curves (like Edwards25519 of `ed25519` fame) are\nrarely of prime order.  
There is, however, a convenient method\nto construct a prime order group from such curves,\ncalled [Ristretto](https://ristretto.group), proposed by\n[Mike Hamburg](https://www.shiftleft.org).\n\nThis is a pure Go implementation of the group operations on the\nRistretto prime-order group built from Edwards25519.\nDocumentation is on [godoc](https://godoc.org/github.com/bwesterb/go-ristretto).\n\nExample: El'Gamal encryption\n----------------------------\n\n```go\n// Generate an El'Gamal keypair\nvar secretKey ristretto.Scalar\nvar publicKey ristretto.Point\n\nsecretKey.Rand() // generate a new secret key\npublicKey.ScalarMultBase(\u0026secretKey) // compute public key\n\n// El'Gamal encrypt a random curve point p into a ciphertext-pair (c1,c2)\nvar p ristretto.Point\nvar r ristretto.Scalar\nvar c1 ristretto.Point\nvar c2 ristretto.Point\np.Rand()\nr.Rand()\nc2.ScalarMultBase(\u0026r)\n// r is secret, so use the constant-time ScalarMult here rather than\n// the variable-time PublicScalarMult\nc1.ScalarMult(\u0026publicKey, \u0026r)\nc1.Add(\u0026c1, \u0026p)\n\n// Decrypt (c1,c2) back to p\nvar blinding, p2 ristretto.Point\nblinding.ScalarMult(\u0026c2, \u0026secretKey)\np2.Sub(\u0026c1, \u0026blinding)\n\nfmt.Printf(\"%v\", bytes.Equal(p.Bytes(), p2.Bytes()))\n// Output:\n// true\n```\n\nCompatibility with `ristretto255` RFC draft\n-------------------------------------------\n\nAn [RFC has been proposed](https://datatracker.ietf.org/doc/draft-hdevalence-cfrg-ristretto/)\nto standardise Ristretto over Ed25519.  This RFC is compatible with `go-ristretto`.  There\nis one caveat: one should use `Point.DeriveDalek` instead of `Point.Derive` to derive a point\nfrom a string.\n\n\nReferences\n----------\n\nThe curve and Ristretto implementation is based on the unpublished\n[PandA](https://link.springer.com/chapter/10.1007/978-3-319-04873-4_14)\nlibrary by\n[Chuengsatiansup](https://perso.ens-lyon.fr/chitchanok.chuengsatiansup/),\n[Ribarski](http://panceribarski.com) and\n[Schwabe](https://cryptojedi.org/peter/index.shtml),\nsee [cref/cref.c](cref/cref.c).  
The old generic radix 25.5 field operations borrow\nfrom [Adam Langley](https://www.imperialviolet.org)'s\n[ed25519](http://github.com/agl/ed25519).\nThe amd64-optimized field arithmetic is from George Tankersley's\n[ed25519 patch](https://go-review.googlesource.com/c/crypto/+/71950),\nwhich in turn is based on SUPERCOP's\n[`amd64-51-30k`](https://github.com/floodyberry/supercop/tree/master/crypto_sign/ed25519/amd64-51-30k)\nby Bernstein, Duif, Lange, Schwabe and Yang.\nThe new generic radix 51 field operations are also based on `amd64-51-30k`.\nThe variable-time scalar multiplication code is based on that\nof [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek).\nThe Lizard encoding was proposed by [Bram Westerbaan](https://bram.westerbaan.name/).\nThe quick RistrettoElligator inversion for it is joint work\nwith [Bram Westerbaan](https://bram.westerbaan.name/)\nand [Mike Hamburg](https://www.shiftleft.org).\n\n### Other platforms\n* [Rust](https://github.com/dalek-cryptography/curve25519-dalek)\n* [JavaScript](https://github.com/jedisct1/wasm-crypto)\n* [C (part of `libsodium`)](https://libsodium.gitbook.io/doc/advanced/point-arithmetic/ristretto)\n\n\nChanges\n-------\n\n### 1.2.3 (16-03-2023)\n- Panic when reading randomness fails.\n\n### 1.2.2 (29-07-2022)\n- Add Point.ConditionalSet() and Scalar.ConditionalSet().\n\n### 1.2.1 (08-11-2021)\n- Add Scalar.SetUint64().\n\n### 1.2.0 (17-02-2021)\n\n- Add Point.Double().  See issue #21.\n- To align more closely with the RFC, Point.SetBytes()\n  and Point.UnmarshalBinary() will now reject points with non-canonical\n  encodings.  See #20.\n\n### 1.1.1 (24-09-2019)\n\n- Only use bits.Add64 from Go 1.13 onwards to make sure we're constant-time\n  on non-amd64 platforms.  
Thanks @Yawning; see issue #17.\n\n### 1.1.0 (13-05-2019)\n\n- Add support for the Lizard 16-bytes-to-point-injection.\n  See `ristretto.Point.`{`SetLizard()`, `Lizard()`, `LizardInto()`}.\n- Add `Scalar.DeriveShort()` to derive a half-length scalar.\n  (Warning: half-length scalars are unsafe in almost every application.)\n\n- (internal) Add `ExtendedPoint.RistrettoElligator2Inverse()` to compute\n  all preimages of a given point up to Ristretto equivalence\n  of `CompletedPoint.SetRistrettoElligator2()`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbwesterb%2Fgo-ristretto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbwesterb%2Fgo-ristretto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbwesterb%2Fgo-ristretto/lists"}