Shepherd writeup
draft-irtf-cfrg-ristretto255-decaf448

Ristretto shepherd writeup

Technical summary

This document defines two prime-order groups that can be used to construct
higher-level cryptographic protocols. The need for these groups in the
development of new protocols is based on practical experience with existing
elliptic curve groups and vulnerabilities that result from using them
incorrectly. These groups are used by other CFRG documents, such as
draft-irtf-cfrg-voprfs and draft-irtf-cfrg-frost, and have been
deployed in real-world software systems such as Bulletproofs
(https://github.com/dalek-cryptography/bulletproofs) and systems similar to
Privacy Pass (https://github.com/brave-intl/challenge-bypass-ristretto).

Research Group summary
The document was adopted in the fall of 2019 and has since gone through some
editorial changes to improve document quality. No substantial technical changes
have been made. After some delay, the document went through a first RGLC in the
summer of 2022 but did not receive any reviews. A second RGLC was initiated in
the fall of 2022 and was met with positive and thoughtful reviews that led to
some editorial changes in the draft. Thomas Pornin provided a Crypto Panel
review in 2022 based on a recent version of the document and his feedback has
been addressed.

Document Quality
The document is of high editorial quality, as demonstrated by multiple positive
reviews and many implementations. An incomplete list of implementations is
included at the end of this writeup.

Implementations
- https://github.com/gtank/ristretto255
- https://github.com/dalek-cryptography/curve25519-dalek
- https://libsodium.gitbook.io/doc/advanced/point-arithmetic/ristretto
- https://github.com/bwesterb/go-ristretto
- https://github.com/novifinancial/ristretto255-js
- https://github.com/claucece/sage-ristretto255-decaf448
- https://github.com/otrv4/ed448/blob/master/decaf_curve.go
- https://ed448goldilocks.sourceforge.net