The Ristretto Group

Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-\(8\) curves such as Curve25519.

In particular, this allows an existing Curve25519 library to implement a prime-order group with only a thin abstraction layer, and makes it possible for systems using Ed25519 signatures to be safely extended with zero-knowledge protocols, with no additional cryptographic assumptions and minimal code changes.

Ristretto can be used in conjunction with Edwards curves with cofactor \(4\) or \(8\), and provides the following specific parameter choices:

• ristretto255, built on top of Curve25519.

This site is organized into several chapters:

• Why Ristretto? describes the pitfalls of the cofactor abstraction mismatch.
• What is Ristretto? describes what Ristretto provides to protocol implementors.
• Ristretto in Detail contains mathematical justification for why Ristretto works.
• Explicit Formulas describes how to implement Ristretto.
• Test Vectors contains test vectors for the Ristretto functions.
• Ristretto Implementations contains a list of implementations of Ristretto.

Ristretto was originally designed by Mike Hamburg; the notes on this page were written by Henry de Valence, with contributions by Isis Lovecruft and Tony Arcieri, and any mistakes are ours.