Ristretto255 is Ristretto defined over Curve25519, which allows cryptographers to extend the Ed25519 signature scheme to support complex zero-knowledge proof protocols without having to deal with the cofactor.
(The cofactor in Ed25519 is what caused the multi-spend vulnerability in CryptoNote cryptocurrencies (n.b. Monero).)
It’s not entirely clear to me, from this, what all would be involved with swapping out Curve25519 for Ristretto255.
There’s crypto_box_easy and crypto_box_easy_open but they use X25519 – not Ristretto255. I’m not seeing a crypto_box_easy_ristretto255 function. Maybe it’s not needed for that specific use case? Or maybe libsodium has such a function and I just missed it when I was reviewing the documentation?
https://crypto.stackexchange.com/a/56345/4520 says the following:
For instance, when doing a Diffie-Hellman key exchange over Curve25519, the Diffie-Hellman private keys must be chosen as multiples of 8 (which is expressed as: "set the three least significant bits to zero"); this ensures that the points will be in the proper subgroup.
RFC7748 § Curve25519 says, simply, "Alice generates 32 random bytes in a to a". Should an erratum be opened against that RFC to set the last three bytes to 0?
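As an added example, not part of the comment and not libsodium's code: a pure-Python X25519 (the RFC 7748 Montgomery ladder) that shows what the clamping quoted above does. Because the clamped scalar is a multiple of 8, a low-order u-coordinate (the constructed inputs u = 0 and u = 1) collapses to the identity, which the ladder encodes as an all-zero output; RFC 7748 section 6.1 describes checking for that zero output. The RFC's own section 6.1 key pair is used as a known-answer check.

```python
P = 2**255 - 19                   # field prime of Curve25519
A24 = 121665                      # (486662 - 2) / 4
BASE_U = (9).to_bytes(32, "little")

def clamp(k: bytes) -> int:
    """RFC 7748: clear the 3 low bits (multiple of 8, the cofactor), clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def ladder(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k*(u, v); the identity (Z == 0) is returned as 0."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def x25519(k: bytes, u: bytes) -> bytes:
    ub = bytearray(u)
    ub[31] &= 127                 # RFC 7748: mask the top bit of the u-coordinate
    return ladder(clamp(k), int.from_bytes(ub, "little") % P).to_bytes(32, "little")

def shared_secret_is_safe(k: bytes, peer_u: bytes) -> bool:
    return x25519(k, peer_u) != bytes(32)   # RFC 7748 section 6.1 all-zero check

# Constructed low-order inputs: u = 0 has order 2, u = 1 has order 4.
LOW_ORDER = [bytes(32), (1).to_bytes(32, "little")]
# RFC 7748 section 6.1 test vector (both private keys and the resulting shared secret).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
def rfc7748_dh_ok() -> bool:
    alice_pub, bob_pub = x25519(ALICE_PRIV, BASE_U), x25519(BOB_PRIV, BASE_U)
    return x25519(ALICE_PRIV, bob_pub) == SHARED == x25519(BOB_PRIV, alice_pub)
```

With the low-order inputs every clamped scalar yields the zero output, so the clamping alone does not reveal a bad peer value; the zero check does.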