Struct RistrettoPoint

pub struct RistrettoPoint(/* private fields */);

A RistrettoPoint represents a point in the Ristretto group for Curve25519. Ristretto, a variant of Decaf, constructs a prime-order group as a quotient group of a subgroup of (the Edwards form of) Curve25519.

Internally, a RistrettoPoint is implemented as a wrapper type around EdwardsPoint, with custom equality, compression, and decompression routines to account for the quotient. This means that operations on RistrettoPoints are exactly as fast as operations on EdwardsPoints.

Implementations

impl RistrettoPoint

pub fn compress(&self) -> CompressedRistretto

Compress this point using the Ristretto encoding.

✓✓ Lean specification

theorem compress_spec (self : RistrettoPoint) (h : self.IsValid) :
    compress self ⦃ (result : CompressedRistretto) =>
      result.IsValid ∧
      math.compress_pure self.toPoint = U8x32_as_Nat result ⦄

pub fn double_and_compress_batch<'a, I>(points: I) -> Vec<CompressedRistretto>

where I: IntoIterator<Item = &'a RistrettoPoint>,

Available on crate feature alloc and non-verify only.

Double-and-compress a batch of points. The Ristretto encoding is not batchable, since it requires an inverse square root.

However, given input points \( P_1, \ldots, P_n, \) it is possible to compute the encodings of their doubles \( \mathrm{enc}( [2]P_1), \ldots, \mathrm{enc}( [2]P_n ) \) in a batch.

use rand_core::OsRng;

let mut rng = OsRng;

let points: Vec<RistrettoPoint> =
    (0..32).map(|_| RistrettoPoint::random(&mut rng)).collect();

let compressed = RistrettoPoint::double_and_compress_batch(&points);

for (P, P2_compressed) in points.iter().zip(compressed.iter()) {
    assert_eq!(*P2_compressed, (P + P).compress());
}

pub fn from_uniform_bytes(bytes: &[u8; 64]) -> RistrettoPoint

Construct a RistrettoPoint from 64 bytes of data.

If the input bytes are uniformly distributed, the resulting point will be uniformly distributed over the group, and its discrete log with respect to other points should be unknown.

Implementation

This function splits the input array into two 32-byte halves, takes the low 255 bits of each half mod p, applies the Ristretto-flavored Elligator map to each, and adds the results.

✓✓ Lean specification

theorem from_uniform_bytes_spec (bytes : Array U8 64#usize) :
    from_uniform_bytes bytes ⦃ (result : RistrettoPoint) =>
      result.IsValid ∧
      result.toPoint =
        (elligator_ristretto_flavor_pure (field_from_bytes (bytes_lower bytes))).val +
        (elligator_ristretto_flavor_pure (field_from_bytes (bytes_upper bytes))).val ⦄

impl RistrettoPoint

pub fn mul_base(scalar: &Scalar) -> Self

Fixed-base scalar multiplication by the Ristretto base point.

Uses precomputed basepoint tables when the precomputed-tables feature is enabled, trading off increased code size for ~4x better performance.

✓✓ Lean specification

theorem mul_base_spec (s : scalar.Scalar) (h_s_canonical : U8x32_as_Nat s.bytes < 2 ^ 255) :
    mul_base s ⦃ (result : RistrettoPoint) =>
      result.IsValid ∧
      result.toPoint = (U8x32_as_Nat s.bytes) • _root_.Edwards.basepoint ⦄

impl RistrettoPoint

pub fn vartime_double_scalar_mul_basepoint( a: &Scalar, A: &RistrettoPoint, b: &Scalar, ) -> RistrettoPoint

Available on non-verify only.

Compute \(aA + bB\) in variable time, where \(B\) is the Ristretto basepoint.

Trait Implementations

impl<'a> Add<&'a RistrettoPoint> for &RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the + operator.

fn add(self, other: &'a RistrettoPoint) -> RistrettoPoint

Performs the + operation.

✓✓ Lean specification

theorem add_spec (self other : RistrettoPoint) (h_self_valid : self.IsValid)
    (h_other_valid : other.IsValid) :
    add self other ⦃ (result : RistrettoPoint) =>
      result.IsValid ∧
      result.toPoint = self.toPoint + other.toPoint ⦄

impl<'b> Add<&'b RistrettoPoint> for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the + operator.

fn add(self, rhs: &'b RistrettoPoint) -> RistrettoPoint

Performs the + operation.

impl<'a> Add<RistrettoPoint> for &'a RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the + operator.

fn add(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the + operation.

impl Add for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the + operator.

fn add(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the + operation.

impl AddAssign<&RistrettoPoint> for RistrettoPoint

fn add_assign(&mut self, _rhs: &RistrettoPoint)

Performs the += operation.

impl AddAssign for RistrettoPoint

fn add_assign(&mut self, rhs: RistrettoPoint)

Performs the += operation.

impl Clone for RistrettoPoint

fn clone(&self) -> RistrettoPoint

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl ConditionallySelectable for RistrettoPoint

fn conditional_select( a: &RistrettoPoint, b: &RistrettoPoint, choice: Choice, ) -> RistrettoPoint

Conditionally select between self and other.

Example

use subtle::ConditionallySelectable;
use subtle::Choice;

let A = RistrettoPoint::identity();
let B = constants::RISTRETTO_BASEPOINT_POINT;

let mut P = A;

P = RistrettoPoint::conditional_select(&A, &B, Choice::from(0));
assert_eq!(P, A);
P = RistrettoPoint::conditional_select(&A, &B, Choice::from(1));
assert_eq!(P, B);

✓✓ Lean specification

theorem conditional_select_spec (a b : RistrettoPoint) (choice : subtle.Choice) :
    conditional_select a b choice ⦃ (result : RistrettoPoint) =>
      result = if choice.val = 1#u8 then b else a ⦄

fn conditional_assign(&mut self, other: &Self, choice: Choice)

Conditionally assign other to self, according to choice.

fn conditional_swap(a: &mut Self, b: &mut Self, choice: Choice)

Conditionally swap self and other if choice == 1; otherwise, reassign both unto themselves.

impl ConstantTimeEq for RistrettoPoint

fn ct_eq(&self, other: &RistrettoPoint) -> Choice

Test equality between two RistrettoPoints.

Returns

• Choice(1) if the two RistrettoPoints are equal;
• Choice(0) otherwise.

✓✓ Lean specification

theorem ct_eq_spec (self other : RistrettoPoint)
    (h_self_valid : self.IsValid)
    (h_other_valid : other.IsValid) :
    ct_eq self other ⦃ (result : subtle.Choice) =>
      result = Choice.one ↔
        (Field51_as_Nat self.X * Field51_as_Nat other.Y) ≡
          (Field51_as_Nat self.Y * Field51_as_Nat other.X) [MOD p] ∨
        (Field51_as_Nat self.X * Field51_as_Nat other.X) ≡
          (Field51_as_Nat self.Y * Field51_as_Nat other.Y) [MOD p] ⦄

fn ct_ne(&self, other: &Self) -> Choice

Determine if two items are NOT equal.

impl Debug for RistrettoPoint

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for RistrettoPoint

fn default() -> RistrettoPoint

Returns the “default value” for a type.

impl Identity for RistrettoPoint

fn identity() -> RistrettoPoint

Returns the identity element of the curve. Can be used as a constructor.

✓✓ Lean specification

theorem identity_spec :
    identity ⦃ (result : RistrettoPoint) =>
      Field51_as_Nat result.X = 0 ∧
      Field51_as_Nat result.Y = 1 ∧
      Field51_as_Nat result.Z = 1 ∧
      Field51_as_Nat result.T = 0 ⦄

impl<'a> Mul<&'a RistrettoPoint> for &Scalar

fn mul(self, point: &'a RistrettoPoint) -> RistrettoPoint

Scalar multiplication: compute self * scalar.

type Output = RistrettoPoint

The resulting type after applying the * operator.

impl<'b> Mul<&'b RistrettoPoint> for Scalar

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: &'b RistrettoPoint) -> RistrettoPoint

Performs the * operation.

impl<'a> Mul<&'a Scalar> for &RistrettoPoint

fn mul(self, scalar: &'a Scalar) -> RistrettoPoint

Scalar multiplication: compute scalar * self.

✓✓ Lean specification

theorem mul_spec (self : RistrettoPoint) (scalar : scalar.Scalar)
    (hscalar : U8x32_as_Nat scalar.bytes < 2 ^ 255) (hself : self.IsValid) :
    mul self scalar ⦃ (result : RistrettoPoint) =>
      result.IsValid ∧
      result.toPoint = (U8x32_as_Nat scalar.bytes) • self.toPoint ⦄

type Output = RistrettoPoint

The resulting type after applying the * operator.

impl<'b> Mul<&'b Scalar> for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: &'b Scalar) -> RistrettoPoint

Performs the * operation.

impl<'a> Mul<RistrettoPoint> for &'a Scalar

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the * operation.

impl Mul<RistrettoPoint> for Scalar

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the * operation.

impl<'a> Mul<Scalar> for &'a RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: Scalar) -> RistrettoPoint

Performs the * operation.

impl Mul<Scalar> for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the * operator.

fn mul(self, rhs: Scalar) -> RistrettoPoint

Performs the * operation.

impl<'a> MulAssign<&'a Scalar> for RistrettoPoint

fn mul_assign(&mut self, scalar: &'a Scalar)

Performs the *= operation.

impl MulAssign<Scalar> for RistrettoPoint

fn mul_assign(&mut self, rhs: Scalar)

Performs the *= operation.

impl MultiscalarMul for RistrettoPoint

Available on crate feature alloc only.

type Point = RistrettoPoint

The type of point being multiplied, e.g., RistrettoPoint.

fn multiscalar_mul<I, J>(scalars: I, points: J) -> RistrettoPoint

where I: IntoIterator, I::Item: Borrow<Scalar>, J: IntoIterator, J::Item: Borrow<RistrettoPoint>,

Given an iterator of (possibly secret) scalars and an iterator of public points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n. $$

impl Neg for &RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn neg(self) -> RistrettoPoint

Performs the unary - operation.

impl Neg for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn neg(self) -> RistrettoPoint

Performs the unary - operation.

impl PartialEq for RistrettoPoint

fn eq(&self, other: &RistrettoPoint) -> bool

Tests for self and other values to be equal, and is used by ==.

✓✓ Lean specification

theorem eq_spec (self other : RistrettoPoint) (h_self_valid : self.IsValid)
    (h_other_valid : other.IsValid) :
    eq self other ⦃ (result : Bool) =>
      (result = true ↔
        (Field51_as_Nat self.X * Field51_as_Nat other.Y) ≡
          (Field51_as_Nat self.Y * Field51_as_Nat other.X) [MOD p] ∨
        (Field51_as_Nat self.X * Field51_as_Nat other.X) ≡
          (Field51_as_Nat self.Y * Field51_as_Nat other.Y) [MOD p]) ⦄

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<'a> Sub<&'a RistrettoPoint> for &RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn sub(self, other: &'a RistrettoPoint) -> RistrettoPoint

Performs the - operation.

✓✓ Lean specification

theorem sub_spec (self other : RistrettoPoint) (h_self_valid : self.IsValid)
    (h_other_valid : other.IsValid) :
    sub self other ⦃ (result : RistrettoPoint) =>
      result.IsValid ∧
      result.toPoint = self.toPoint - other.toPoint ⦄

impl<'b> Sub<&'b RistrettoPoint> for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn sub(self, rhs: &'b RistrettoPoint) -> RistrettoPoint

Performs the - operation.

impl<'a> Sub<RistrettoPoint> for &'a RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn sub(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the - operation.

impl Sub for RistrettoPoint

type Output = RistrettoPoint

The resulting type after applying the - operator.

fn sub(self, rhs: RistrettoPoint) -> RistrettoPoint

Performs the - operation.

impl SubAssign<&RistrettoPoint> for RistrettoPoint

fn sub_assign(&mut self, _rhs: &RistrettoPoint)

Performs the -= operation.

impl SubAssign for RistrettoPoint

fn sub_assign(&mut self, rhs: RistrettoPoint)

Performs the -= operation.

impl<T> Sum<T> for RistrettoPoint

where T: Borrow<RistrettoPoint>,

fn sum<I>(iter: I) -> Self

where I: Iterator<Item = T>,

Takes an iterator and generates Self from the elements by “summing up” the items.

impl VartimeMultiscalarMul for RistrettoPoint

Available on crate feature alloc only.

type Point = RistrettoPoint

The type of point being multiplied, e.g., RistrettoPoint.

fn optional_multiscalar_mul<I, J>( scalars: I, points: J, ) -> Option<RistrettoPoint>

where I: IntoIterator, I::Item: Borrow<Scalar>, J: IntoIterator<Item = Option<RistrettoPoint>>,

Given an iterator of public scalars and an iterator of Options of points, compute either Some(Q), where $$ Q = c_1 P_1 + \cdots + c_n P_n, $$ if all points were Some(P_i), or else return None.

fn vartime_multiscalar_mul<I, J>(scalars: I, points: J) -> Self::Point

where I: IntoIterator, I::Item: Borrow<Scalar>, J: IntoIterator, J::Item: Borrow<Self::Point>, Self::Point: Clone,

Given an iterator of public scalars and an iterator of public points, compute $$ Q = c_1 P_1 + \cdots + c_n P_n, $$ using variable-time operations.

impl Zeroize for RistrettoPoint

Available on crate feature zeroize only.

fn zeroize(&mut self)

Zero out this object from memory using Rust intrinsics which ensure the zeroization operation is not “optimized away” by the compiler.

impl Copy for RistrettoPoint

impl Eq for RistrettoPoint