Christopher Wood

Throwing in my support here. I'd love to see HPKE support land in `ring`.

> I think the q = Order() function is merely for informational purposes, and not to perform any operation modulo q. or maybe returning another type be the option. I...

> I do agree with @armfazh that big.Int isn't great for cryptographic purposes due to timing attacks. That's fair. I think a reasonable thing to do here is to just...

If there is no use case, I strongly suggest we remove it.

> The Go TLS tests require the code to be deterministic. I really don't think exporting functions for internal tests is a good reason to impact the API. I suggest...

@armfazh how do we want to proceed here? Can we remove the deterministic APIs?

@claucece @armfazh should we keep this ticket open to re-implement ristretto255 internally? #216 added support for ristretto255 as a Group instance, but it just wraps @bwesterb's package.

> I think it's bad to return a big.Int. Say more? > Let's step back: for what reasons would the user need the order and can we provide functions directly...

> Operations on big.Int are not constant time. We can add it, but then we need to add some very explicit warnings. I mean, sure, but I don't see any...

@armfazh what's the plan for this PR?