Ristretto255 support?

[redshiftzero]

We're using the libcrux crates for securedrop-protocol and are planning to move to Ristretto255 to eliminate cofactor issues. Ristretto255 is a thin abstraction layer over Curve25519, so we could reuse the existing Edwards curve point and field element operations provided by the libcrux crates. This could be done as a separate crate, but we were wondering if there's interest in adding support for Ristretto255 operations in this repo (and we're happy to contribute).

We would need to add functions that:

• Decodes 32-byte encoding to a RistrettoElement (sec 4.2.1 in [0])
• Encodes a RistrettoElement to its 32-byte encoding (sec 4.2.2 in [0])
• Equality (sec 4.2.3 in [0])
• Hash to group (sec 4.2.4. in [0])

For other group operations, we'd just forward to the underlying Edwards curve operations as appropriate.

Refs:
[0] Ristretto255 IETF RFC: https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-00.html
[1] Ristretto API in curve25519-dalek: https://github.com/dalek-cryptography/curve25519-dalek/blob/main/curve25519-dalek/src/ristretto.rs

[cfm]

Indeed, it looks like there's already a starting point! :-)

https://github.com/hacspec/hacspec/blob/master/examples/ristretto/src/ristretto.rs