replacing Curve25519 with Ristretto255

Quoting ,

Ristretto255 is Ristretto defined over Curve25519, which allows cryptographers to extend the Ed25519 signature scheme to support complex zero-knowledge proof protocols without having to deal with the cofactor.

(The cofactor in Ed25519 is what caused the multi-spend vulnerability in CryptoNote cryptocurrencies (n.b. Monero).)

It’s not entirely clear to me, from this, what all would be involved with swapping out Curve25519 for Ristretto255.

Is crypto_scalarmult_ristretto255 a drop in replacement for crypto_scalarmult?

There’s crypto_box_easy and crypto_box_easy_open but they use X25519 – not Ristretto255. I’m not seeing a crypto_box_easy_ristretto255 function. Maybe it’s not needed for that specific use case? Or maybe libsodium has such a function and I just missed it when I was reviewing the documentation? says the following:

For instance, when doing a Diffie-Hellman key exchange over Curve25519, the Diffie-Hellman private keys must be chosen as multiples of 8 (which is expressed as: "set the three least significant bits to zero"); this ensures that the points will be in the proper subgroup.

RFC7748 § Curve25519 says, simply, "Alice generates 32 random bytes in a[0] to a[31]". Should an errata be opened against that RFC to set the last three bytes to 0?

replacing Curve25519 with Ristretto255

Shopping cart
There are no products in the cart!
Continue shopping