
Use Ristretto instead of Ed25519 to get a prime-order group

Ian Goldberg 4 years ago
parent
commit
63072fe3dc
1 changed files with 7 additions and 7 deletions
  1. 7 7
      src/vss.rs

+ 7 - 7
src/vss.rs

@@ -1,5 +1,5 @@
-use curve25519_dalek::constants::ED25519_BASEPOINT_POINT;
-use curve25519_dalek::edwards::EdwardsPoint;
+use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::Identity;
 use rand::rngs::ThreadRng;
@@ -12,7 +12,7 @@ pub struct Share {
     value: Scalar,
 }
 
-type Commitment = Vec<EdwardsPoint>;
+type Commitment = Vec<RistrettoPoint>;
 
 /// Create secret shares for a given secret.
 pub fn generate_shares(
@@ -61,9 +61,9 @@ pub fn generate_shares(
         });
     }
 
-    commitment.push(ED25519_BASEPOINT_POINT * secret);
+    commitment.push(RISTRETTO_BASEPOINT_POINT * secret);
     for c in coefficients {
-        commitment.push(ED25519_BASEPOINT_POINT * c);
+        commitment.push(RISTRETTO_BASEPOINT_POINT * c);
     }
 
     Ok((commitment, shares))
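Review bot: The basepoint products at `commitment.push(RISTRETTO_BASEPOINT_POINT * secret)` and in the loop below it are undocumented, and the reason the group was changed lives only in the commit message, so a reader of generate_shares cannot tell why a prime-order group matters here. Add above the first push `// Feldman commitment: element 0 is secret*B, element i is a_i*B. Ristretto is prime-order, so verifiers need no cofactor or torsion check on these points.` and put the same one-line rationale on the `type Commitment` alias in the earlier hunk. Every product here is a fixed-base multiplication, so `curve25519_dalek::constants::RISTRETTO_BASEPOINT_TABLE` (`&RISTRETTO_BASEPOINT_TABLE * &secret`) would be the conventional form; the same applies to `f_result` in verify_share. generate_shares starts outside this hunk.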
@@ -71,12 +71,12 @@ pub fn generate_shares(
 
 /// Verify that a share is consistent with a commitment.
 pub fn verify_share(share: &Share, commitment: &Commitment) -> Result<bool, &'static str> {
-    let f_result = ED25519_BASEPOINT_POINT * share.value;
+    let f_result = RISTRETTO_BASEPOINT_POINT * share.value;
 
     let x = Scalar::from(share.index);
 
     let (_, result) = commitment.iter().fold(
-        (Scalar::one(), EdwardsPoint::identity()),
+        (Scalar::one(), RistrettoPoint::identity()),
         |(x_to_the_i, sum_so_far), comm_i| (x_to_the_i * x, sum_so_far + x_to_the_i * comm_i),
     );