**Ristretto** is a technique for constructing prime-order elliptic curve groups
with non-malleable encodings. It extends the Decaf approach to cofactor
elimination to support cofactor-\(8\) curves such as Curve25519.

In particular, this allows an existing Curve25519 library to implement a
prime-order group with only a thin abstraction layer, and makes it possible
for systems using Ed25519 signatures to be safely extended with zero-knowledge
protocols, with **no additional cryptographic assumptions** and **minimal code
changes**.
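The following Python sketch is an added illustration, not code from the Ristretto site or any Ristretto implementation. It shows on the Edwards form of Curve25519 why a cofactor-\(8\) curve is not itself a prime-order group: shifting a point by a small-order point gives a second valid curve point with a different Ed25519-style encoding that becomes indistinguishable after multiplication by the cofactor. All function names and the scalar `k=5` are constructed for the example.

```python
# Added illustration (not from the Ristretto site): edwards25519 has order 8*L.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
d = -121665 * pow(121666, -1, p) % p                  # curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)                     # square root of -1 mod p
IDENTITY = (0, 1)

def add(P, Q):
    """Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def mul(k, P):
    """Double-and-add; not constant time, for illustration only."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def recover_x(y):
    """Even x-coordinate for a given y (square root for p = 5 mod 8)."""
    u = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(u, (p + 3) // 8, p)
    if (x * x - u) % p:
        x = x * SQRT_M1 % p
    if (x * x - u) % p:
        raise ValueError("y is not on the curve")
    return x if x % 2 == 0 else p - x

def encode(P):
    """Ed25519-style 32-byte encoding: y, with the parity of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def cofactor_demo(k=5):            # k is an arbitrary constructed scalar
    By = 4 * pow(5, -1, p) % p     # standard base point: y = 4/5
    B = (recover_x(By), By)
    T4 = (SQRT_M1, 0)              # small-order point: 4*T4 is the identity
    P = mul(k, B)                  # lies in the prime-order subgroup
    Q = add(P, T4)                 # the same point shifted by torsion
    return {
        "encodings_differ": encode(P) != encode(Q),
        "equal_after_times_8": mul(8, P) == mul(8, Q),
        "P_in_prime_subgroup": mul(L, P) == IDENTITY,
        "Q_in_prime_subgroup": mul(L, Q) == IDENTITY,
    }
```

A protocol that assumes a prime-order group but accepts raw curve encodings has to handle points like `Q` explicitly, by cofactor multiplication or by subgroup checks.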

Ristretto can be used in conjunction with Edwards curves with cofactor \(4\) or \(8\), and provides the following specific parameter choices:

- `ristretto255`, built on top of Curve25519;
- `ristretto448`†, built on top of Ed448-Goldilocks.

† NOTE: Not compatible with the original Decaf group.

## Organization

This site is organized into several chapters:

- Why Ristretto? describes the pitfalls of the cofactor abstraction mismatch.
- What is Ristretto? describes what Ristretto provides to protocol implementors.
- Ristretto in Detail contains mathematical justification for why Ristretto works.
- Explicit Formulas describes how to implement Ristretto.
- Test Vectors contains test vectors for the Ristretto functions.
- Ristretto Implementations contains a list of implementations of Ristretto.