Ristretto - Max Fang's Notes

# Ristretto https://ristretto.group/ **Ristretto** is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's [Decaf](https://www.shiftleft.org/papers/decaf/) approach to cofactor elimination to support cofactor-88 curves such as [[Curve25519]]. In particular, this allows an existing Curve25519 library to implement a prime-order group with only a thin abstraction layer, and makes it possible for systems using [[Ed25519]] signatures to be safely extended with zero-knowledge protocols, with **no additional cryptographic assumptions** and **minimal code changes**. Ristretto can be used in conjunction with Edwards curves with cofactor 44 or 88, and provides the following specific parameter choices: - `ristretto255`, built on top of Curve25519. ### Description in [[Dalek Cryptography]]'s implementation of [[Curve25519]] https://doc.dalek.rs/curve25519_dalek/ristretto/ Ristretto is a modification of Mike Hamburg's Decaf scheme to work with cofactor- The introduction of the Decaf paper, [_Decaf: Eliminating cofactors through point compression_](https://eprint.iacr.org/2015/673.pdf), notes that while most cryptographic systems require a group of prime order, most concrete implementations using elliptic curve groups fall short – they either provide a group of prime order, but with incomplete or variable-time addition formulae (for instance, most Weierstrass models), or else they provide a fast and safe implementation of a group whose order is not quite a prime qq, but hqhq for a small cofactor hh (for instance, Edwards curves, which have cofactor at least 44). This abstraction mismatch is commonly “handled” by pushing the complexity upwards, adding ad-hoc protocol modifications. But these modifications require careful analysis and are a recurring source of [vulnerabilities](https://moderncrypto.org/mail-archive/curves/2017/000898.html) and [design complications](https://moderncrypto.org/mail-archive/curves/2017/000858.html). Instead, Decaf (and Ristretto) use a quotient group to implement a prime-order group using a non-prime-order curve. This provides the correct abstraction for cryptographic systems, while retaining the speed and safety benefits of an Edwards curve. Decaf is named “after the procedure which divides the effect of coffee by 44”. However, Curve25519 has a cofactor of 88. To eliminate its cofactor, Ristretto restricts further; this [additional restriction](https://en.wikipedia.org/wiki/Ristretto) gives the _Ristretto_ encoding. More details on why Ristretto is necessary can be found in the [Why Ristretto?](https://ristretto.group/why_ristretto.html) section of the Ristretto website. Ristretto points are provided in `curve25519-dalek` by the `RistrettoPoint` struct.