Ristretto255 for the PHP Community


Ristretto is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-8 curves such as Curve25519.

Ristretto255 is Ristretto defined over Curve25519, which allows cryptographers to extend the Ed25519 signature scheme to support complex zero-knowledge proof protocols without having to deal with the cofactor.

(The cofactor in Ed25519 is what caused the multi-spend vulnerability in CryptoNote cryptocurrencies (n.b. Monero).)

Sounds Complicated And Hard to Use, Right?

Cryptographer and Go Security team lead, Filippo Valsorda, once implemented the modern password-authenticated key exchange protocol, CPace, in only 125 lines of Go and said "it felt like cheating".

Why Are We Talking About This Today?

Libsodium added support for Ristretto255 in version 1.0.18 (released in May 2019). Support for Ristretto255 will be landing in PHP 8.1 and PECL libsodium 2.0.25.

However, if you're in a hurry to experiment with these new features, we just released sodium_compat version 1.16.0 which contains a pure-PHP implementation of these features.

As always: if the canonical implementation of a libsodium algorithm is available, sodium_compat defers to the actual function. This lives up to the 0th Rule of PHP Cryptography.
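As an added example (not code from this post or from the sodium_compat project), here is a Diffie-Hellman exchange over the ristretto255 group that checks a received element is a canonical encoding before using it. The helper names `require_valid_point`, `keypair` and `shared_key` are hypothetical, and the invalid input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Needs PHP 8.1+ with ext-sodium, or paragonie/sodium_compat >= 1.16.0.

// Hypothetical helper: accept only canonical ristretto255 encodings.
function require_valid_point(string $encoded): string
{
    if (strlen($encoded) !== SODIUM_CRYPTO_CORE_RISTRETTO255_BYTES
        || !sodium_crypto_core_ristretto255_is_valid_point($encoded)) {
        throw new InvalidArgumentException('not a canonical ristretto255 element');
    }
    return $encoded;
}

// Hypothetical helper: secret scalar plus the matching public element.
function keypair(): array
{
    $secret = sodium_crypto_core_ristretto255_scalar_random();
    return [$secret, sodium_crypto_scalarmult_ristretto255_base($secret)];
}

// Diffie-Hellman over the group; the raw shared element is hashed together
// with both public elements (sorted, so both sides agree) to derive a key.
function shared_key(string $mySecret, string $myPublic, string $theirPublic): string
{
    $element = sodium_crypto_scalarmult_ristretto255($mySecret, require_valid_point($theirPublic));
    $transcript = [$myPublic, $theirPublic];
    sort($transcript, SORT_STRING);
    return sodium_crypto_generichash($element . implode('', $transcript));
}

[$aliceSecret, $alicePublic] = keypair();
[$bobSecret, $bobPublic] = keypair();
$aliceKey = shared_key($aliceSecret, $alicePublic, $bobPublic);
$bobKey = shared_key($bobSecret, $bobPublic, $alicePublic);
echo 'keys match: ', var_export(hash_equals($aliceKey, $bobKey), true), PHP_EOL;

// Constructed input: 32 bytes of 0xff is not a canonical encoding.
try {
    shared_key($aliceSecret, $alicePublic, str_repeat("\xff", 32));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because every group element has exactly one valid 32-byte encoding, the validity check is the only input handling the protocol needs; there is no cofactor to clear.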

Special thanks to Tony Arcieri, Frank Denis, Isis Lovecruft, Mike Hamburg, and Henry de Valence for making this release possible.

