Add missing Ristretto functions

[tgalal]

Lets keep track of the functions to be added to python-curve25519-dalek in this issue. Typically I (Tarek) will take care of applying the list below.

• lizard_decode

[konradh]

For the proof generation and verification, we need these additional bindings:

• Multiplication of scalars (Scalar * Scalar)
• Addition of scalars (Scalar + Scalar)
• Inversion of scalars (-Scalar)

[tgalal]

Added mul, add ,neg in tgalal/python-curve25519-dalek@57361ba

Note that Scalar * Point now doesn't work, it would to be written Point * Scalar.

[leonschmidt99]

To generate RistrettoPoint and Scalar objects (for example to be used in the various keys and parameters), there are various methods in the Rust library, however, Signal mainly uses these, which should be provided by the binding as well:

Important, used to generate most values:

• RistrettoPoint::from_uniform_bytes
• Scalar::from_bytes_mod_order_wide

less important for now, can work around this not being implemented:

• Scalar::from_bytes_mod_order

(used twice so not important, and can surely work around this, but can't find the corresponding function in curve25519_dalek, which confuses me, and will be a deviation from "Signal compatibility"):

• RistrettoPoint::from_uniform_bytes_single_elligator

[leonschmidt99]

Also, support for subtracting RistrettoPoints from each other (or negating them) is required to calculate "division" of group elements.

• Subtraction of RistrettoPoints

[tgalal]

Added all requested functions. Like others arithmetic ops, subtraction/negation are via the minus - operator.

but can't find the corresponding function in curve25519_dalek,

It's in the lizard2 branch of Signal's fork of the library, inside lizard_ristretto.rs.

[j-hellenberg]

Currently, we can only compare scalars, but we also need to

• compare ristretto points

[tgalal]

Added equality comparison for points

[tgalal]

• Add constant time equality check for points

[j-hellenberg]

It would be nice to be able to convert the Scalar to bytes as well for debugging purposes. Also, we could use the native __bytes__() instead of a to_bytes() method for that

• Scalar conversion to bytes

[tgalal]

• RistrettoPoint::decode_253_bits

[tgalal]

Published 0.0.2: https://github.com/tgalal/python-curve25519-dalek/releases/tag/0.0.2

[maxthure]

Regarding the inversion of Scalars:
I tried to write this line from the Signal Implementation let target_M3 = self.b1.invert() * ciphertext.E_B1; (Reference) like this in Python target_M3 = ciphertext.E_1 * -self.b1 (Reference). This does not yield the correct target_M3. For more detail see this commit.

Edit: The next commit includes a check that I used to verify that ciphertext.E_1 is actually calc_E_b1(profile_key), which suggests that the inversion -self.b1 is not correct, if I am not mistaken.

[tgalal]

It looks like you really need to use invert rather than negation. I've just added it: https://github.com/tgalal/python-curve25519-dalek/releases/tag/