The Ristretto Group

Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-$8$ curves such as Curve25519.

In particular, this allows an existing Curve25519 library to implement a prime-order group with only a thin abstraction layer, and makes it possible for systems using Ed25519 signatures to be safely extended with zero-knowledge protocols, with no additional cryptographic assumptions and minimal code changes.

Ristretto can be used in conjunction with Edwards curves with cofactor $4$ or $8$, and provides the following specific parameter choices:

• ristretto255, built on top of Curve25519.

This site is organized into several chapters:

• Why Ristretto? describes the pitfalls of the cofactor abstraction mismatch.
• What is Ristretto? describes what Ristretto provides to protocol implementors.
• Ristretto in Detail contains mathematical justification for why Ristretto works.
• Explicit Formulas describes how to implement Ristretto.
• Test Vectors contains test vectors for the Ristretto functions.
• Ristretto Implementations contains a list of implementations of Ristretto.

Ristretto was originally designed by Mike Hamburg; the notes on this page were written by Henry de Valence, with contributions by Isis Lovecruft and Tony Arcieri, and any mistakes are ours.