Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-\(8\) curves such as Curve25519.

In particular, this allows an existing Curve25519 library to implement a prime-order group with only a thin abstraction layer, and makes it possible for systems using Ed25519 signatures to be safely extended with zero-knowledge protocols, with no additional cryptographic assumptions and minimal code changes.

Ristretto can be used in conjunction with Edwards curves with cofactor \(4\) or \(8\), and provides the following specific parameter choices:

  • ristretto255, built on top of Curve25519.

Organization

This site is organized into several chapters:

About

Ristretto was originally designed by Mike Hamburg; the notes on this page were written by Henry de Valence, with contributions by Isis Lovecruft and Tony Arcieri, and any mistakes are ours.