Another footgun is that Curve25519 has a cofactor of 8, which may reveal some information about your private key if some high-order points are used [1].
Some curves (e.g., Ristretto) were designed to alleviate this problem.
Curve25519 is a _curve_ that implements a non-prime order _group_. Ristretto255 is a prime-order _group_ that uses Curve25519 as an underlying _curve_.
In other words, Ristretto is a pair of encode/decode functions that map points on _curve25519_ to _ristretto group elements_ and vice versa. It's called "ristretto" because it's a restricted (specific to curve25519) version of Mike Hamburg's Decaf format that "reduces amount of coffee/cofactor by 4" for Edwards curves.
Oh huh, I was thinking the origin of the name "ristretto" was that espresso concentrates a certain amount of coffee in a small cup, whereas ristretto concentrates it even more: in this case it removes a cofactor of 8 and not just 4.
Ristretto is a restricted form of Decaf, that is, specific to curve25519 and deals with a sign choice, while Decaf is generic for all cofactor-4 Edwards curves.
In other words, the joke around coffee takes a 90º turn with Ristretto because our first application was Bulletproofs where you need (among other things) a lot of orthogonal generator points.