[**Ristretto**](https://ristretto.group) is a technique for constructing prime order elliptic curve groups with non-malleable encodings. It extends Mike Hamburg's Decaf approach to cofactor elimination to support cofactor-8 curves such as Curve25519. **Ristretto255** is Ristretto defined over Curve25519, which allows cryptographers to extend the Ed25519 signature scheme to support complex zero-knowledge proof protocols without having to deal with the cofactor. (The cofactor in Ed25519 is what caused the [multi-spend vulnerability in CryptoNote cryptocurrencies (n.b. Monero)](https://moderncrypto.org/mail-archive/curves/2017/000898.html).) ### Sounds Complicated And Hard to Use, Right? Cryptographer and Go Security team lead, Filippo Valsorda, once implemented the modern password-authenticated key exchange protocol, CPace, in only [125 lines of Go](https://twitter.com/filosottile/status/1244332018047082501) and said "it felt like cheating". ### Why Are We Talking About This Today? Libsodium added support for Ristretto255 in version 1.0.18 (released in May 2019). Support for Ristretto255 [will be landing in **PHP 8.1**](https://github.com/php/php-src/pull/6922) and [PECL libsodium 2.0.25](https://github.com/jedisct1/libsodium-php/pull/212). However, if you're in a hurry to experiment with these new features, we just released **[sodium_compat version 1.16.0](https://github.com/paragonie/sodium_compat/releases/tag/v1.16.0)** which contains a pure-PHP implementation of these features. As always: If the canon implementation of a libsodium algorithm is available, sodium_compat defers to the actual function. This lives up to the [0th Rule of PHP Cryptography](https://paragonie.com/blog/2017/02/cryptographically-secure-php-development). ----- Special thanks to **Tony Arcieri**, **Frank Denis**, **Isis Lovecruft**, **Mike Hamburg**, and **Henry de Valence** for making this release possible.