Ristretto and Decaf do something awesome: they make a prime order group out of a normal curve with a cofactor. A prime order group is what many higher level constructs expect, and when that expectation breaks you hear about cofactor vulnerabilities, like the Monero double spend.
You can tiptoe around cofactors and if you do it exactly right you can survive, but that’s not the kind of safe to use and implement cryptography we’ve been trying to build recently. Ristretto solves that.
Decaf can make a prime order group from curves with cofactor 4 (that means order p*4), like Ed448. Ristretto is the generalization that works also on curves with cofactor 8 like Ed25519.
And it’s extremely fast.
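The cofactor problem described in the post above, as an added Python example (not part of the thread and not code from the Ristretto or Decaf authors): on Ed25519, a key and the same key shifted by a small-order point are distinct curve points that coincide once the cofactor is cleared, so a protocol on the raw curve needs the explicit subgroup check shown here, which a prime-order encoding makes unnecessary. The sample scalar and all function names are constructed for illustration; the arithmetic is affine and not constant time.

```python
# Added illustration: affine Ed25519 arithmetic. Not constant time, not for production.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
IDENTITY = (0, 1)
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
# Small-order point of order 4: (sqrt(-1), 0) satisfies -x^2 + y^2 = 1 + d*x^2*y^2.
T4 = (pow(2, (P - 1) // 4, P), 0)

def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(a, b):
    """Complete twisted Edwards addition (a = -1); valid for every curve point."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def in_prime_subgroup(pt):
    """The check a raw-curve protocol must run on every untrusted point."""
    return on_curve(pt) and mul(L, pt) == IDENTITY

def cofactor_demo(secret=0x1234567):  # constructed sample scalar
    pub = mul(secret, B)
    shifted = add(pub, T4)  # same key plus a torsion component
    return {
        "distinct_points": pub != shifted,
        "equal_after_clearing": mul(8, pub) == mul(8, shifted),
        "pub_ok": in_prime_subgroup(pub),
        "shifted_ok": in_prime_subgroup(shifted),
    }
```
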
(2) If Mike Hamburg is behind it (no author information is available on the page), then it has high credibility.
I would take objection to the following statement: "However, modern elliptic curve implementations with fast, simple formulas don't provide a prime-order group."
The Bröker-Stevenhagen (and prior) methods can find good curves with prime order, and complete formulas for these curves that are reasonably efficient are given by Renes, Costello, and Batina in
So this performance knife-fight in the elliptic curve streets may require some benchmarks to resolve.
...for both signing and verification, beating out the fiat-crypto P-256 implementation (in ring, a Rust cryptography library that wraps BoringCrypto).
libsecp256k1 seems slightly slower than fiat-crypto's P-256, even with the endomorphism optimization enabled. The Rust crate presently provide knobs for either of these things, hence the low Signatory benchmarks.
These curves predate Bröker-Stevenhagen; however, all of the implementations I'm comparing are production(-ish) quality.
Re (1), AFAIK the author does not consider Ristretto finished by their extremely high (IMHO) standard.
It's not a startup and it's not a side project. Give it a real, original name.