ed25519
Support Mike Hamburg's Ristretto
Many cryptographic schemes assume a group of prime order. Edwards25519 is not a group of prime order (it has order 8 * l, where l is the order of the usual base point). This has not prevented people from using Edwards25519 nonetheless — some carefully check whether this cofactor 8 impacts the security of the scheme at hand, whereas others are more reckless.
There is, however, a convenient way to construct a group of prime order (l in fact) from Edwards25519, suggested by Mike Hamburg (@bitwiseshiftleft). Let's call his group the Ristretto group. The Ristretto group is the subgroup of even points quotiented by the points of order at most four.
This PR adds two functions:

- `ToRistrettoBytes()` takes an even point and returns a binary encoding of the corresponding element in the Ristretto group.
- `FromRistrettoBytes()` takes a buffer and checks whether it encodes an element of the Ristretto group. If it does, the function returns a point representing the encoded element of the Ristretto group.
Code is based on the Ristretto implementation in an unpublished version of the Panda library by Peter Schwabe (@cryptojedi).
A similar feature was requested for libsodium: jedisct1/libsodium#704. Ristretto is already implemented in Rust in https://github.com/dalek-cryptography/curve25519-dalek.
I would prefer Ristretto to be part of the standard library, but in the meantime I have a separate package, bwesterb/go-ristretto.
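The cofactor problem and the quotient described above, as an added example that is not code from this PR or from go-ristretto: a toy, non-constant-time Python implementation of affine Edwards25519 arithmetic plus the ristretto255 encoding from draft-irtf-cfrg-ristretto255-decaf448 (the same construction, chosen here because it is the published specification of Hamburg's group). It shows that the base point B and B plus an order-4 point T4 are distinct Edwards points, that multiplication by l does not kill the order-4 component, and yet that both encode to the same Ristretto element; Python is used for brevity, and `T4 = (sqrt(-1), 0)` is a constructed small-order point.

```python
# Added example (not part of the PR or of go-ristretto): toy Edwards25519
# arithmetic and the ristretto255 encoding, for illustration only.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order l of the base point
d = (-121665 * pow(121666, -1, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)                    # a square root of -1 mod p
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
T4 = (SQRT_M1, 0)  # constructed order-4 point: on the curve, outside the prime-order subgroup

def add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    k = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * pow(1 + k, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - k, -1, p) % p)

def mul(n, P):
    R = (0, 1)  # neutral element
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

is_neg = lambda x: x % p & 1                         # "negative" = odd representative
ct_abs = lambda x: (-x) % p if is_neg(x) else x % p

def sqrt_ratio_m1(u, v):
    # (True, sqrt(u/v)) if u/v is a square, else (False, sqrt(SQRT_M1*u/v))
    v3 = v * v * v % p
    v7 = v3 * v3 * v % p
    r = u * v3 * pow(u * v7, (p - 5) // 8, p) % p
    check = v * r * r % p
    if check == (-u) % p or check == (-u * SQRT_M1) % p:
        r = SQRT_M1 * r % p
    return (check == u % p or check == (-u) % p, ct_abs(r))

INVSQRT_A_MINUS_D = sqrt_ratio_m1(1, (-1 - d) % p)[1]

def ristretto_encode(P):
    x0, y0 = P
    t0 = x0 * y0 % p                          # affine input, so z0 = 1 and t0 = u2 = x0*y0
    u1 = (1 + y0) * (1 - y0) % p
    invsqrt = sqrt_ratio_m1(1, u1 * t0 * t0 % p)[1]
    den1, den2 = invsqrt * u1 % p, invsqrt * t0 % p
    z_inv = den1 * den2 * t0 % p
    if is_neg(t0 * z_inv):                    # rotate the point by SQRT_M1
        x, y, den_inv = y0 * SQRT_M1 % p, x0 * SQRT_M1 % p, den1 * INVSQRT_A_MINUS_D % p
    else:
        x, y, den_inv = x0, y0, den2
    if is_neg(x * z_inv):
        y = -y % p
    return ct_abs(den_inv * (1 - y)).to_bytes(32, "little")
```

Checking `mul(L, add(B, T4)) == T4` shows why a scheme that only validates "on the curve" still sees the cofactor component; `ristretto_encode` collapses B and B + T4 to one encoding.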