diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7c8895c7167b0b2a8343a88ecfd9c1bc440f098b..0e713d61281effc258a7cd1e015b606b4bf5122c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -72,17 +72,17 @@ jobs:
           name: "Restore Nix Store Paths"
           keys:
             # Construct cache keys that allow sharing as long as nixpkgs and
-            # the Ristretto library are the same.
+            # the python-challenge-bypass-ristretto library are the same.
             #
-            # If the Ristretto library changes, we have to rebuild it so we
-            # may as well throw away the part of the cache with the old build
-            # and make a new one with the new build so we don't have to
-            # rebuild it *again* next time.
+            # If python-challenge-bypass-ristretto changes, we have to rebuild
+            # it so we may as well throw away the part of the cache with the
+            # old build and make a new one with the new build so we don't have
+            # to rebuild it *again* next time.
             #
             # If nixpkgs changes then potentially a lot of cached packages for
             # the base system will be invalidated so we may as well drop them
             # and make a new cache with the new packages.
-            - paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
+            - paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "nix/challenge-bypass-ristretto-repo.nix" }}
             - paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-
             - paymentserver-nix-store-v2-
 
@@ -157,7 +157,7 @@ jobs:
 
       - save_cache:
           name: "Cache Nix Store Paths"
-          key: paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
+          key: paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "nix/challenge-bypass-ristretto-repo.nix" }}
           paths:
             - "/nix"
 
diff --git a/PaymentServer.cabal b/PaymentServer.cabal
index dd51a39404009e27bf993c5eac9c2842374ef8e2..8e6fee735d06db23137fc050df2cf279a8dce0f8 100644
--- a/PaymentServer.cabal
+++ b/PaymentServer.cabal
@@ -44,7 +44,7 @@ library
                      , sqlite-simple
   default-language:    Haskell2010
   ghc-options:       -Wmissing-import-lists -Wunused-imports
-  pkgconfig-depends: ristretto
+  pkgconfig-depends: libchallenge_bypass_ristretto_ffi
 
 executable PaymentServer-exe
   hs-source-dirs:      app
diff --git a/nix/PaymentServer.nix b/nix/PaymentServer.nix
index 0816f96d9959f118ef572b0673ad83abbfd210e1..54162808eb8bf33ddbd3c325fe9b80fe105082ab 100644
--- a/nix/PaymentServer.nix
+++ b/nix/PaymentServer.nix
@@ -2,19 +2,19 @@ let
   buildDepError = pkg:
     builtins.throw ''
       The Haskell package set does not contain the package: ${pkg} (build dependency).
-      
+
       If you are using Stackage, make sure that you are using a snapshot that contains the package. Otherwise you may need to update the Hackage snapshot you are using, usually by updating haskell.nix.
       '';
   sysDepError = pkg:
     builtins.throw ''
       The Nixpkgs package set does not contain the package: ${pkg} (system dependency).
-      
+
       You may need to augment the system package mapping in haskell.nix so that it can be found.
       '';
   pkgConfDepError = pkg:
     builtins.throw ''
       The pkg-conf packages does not contain the package: ${pkg} (pkg-conf dependency).
-      
+
       You may need to augment the pkg-conf package mapping in haskell.nix so that it can be found.
       '';
   exeDepError = pkg:
@@ -24,16 +24,16 @@ let
   legacyExeDepError = pkg:
     builtins.throw ''
       The Haskell package set does not contain the package: ${pkg} (executable dependency).
-      
+
       If you are using Stackage, make sure that you are using a snapshot that contains the package. Otherwise you may need to update the Hackage snapshot you are using, usually by updating haskell.nix.
       '';
   buildToolDepError = pkg:
     builtins.throw ''
       Neither the Haskell package set or the Nixpkgs package set contain the package: ${pkg} (build tool dependency).
-      
+
       If this is a system dependency:
       You may need to augment the system package mapping in haskell.nix so that it can be found.
-      
+
       If this is a Haskell dependency:
       If you are using Stackage, make sure that you are using a snapshot that contains the package. Otherwise you may need to update the Hackage snapshot you are using, usually by updating haskell.nix.
       '';
@@ -78,7 +78,7 @@ in { system, compiler, flags, pkgs, hsPkgs, pkgconfPkgs, ... }:
           (hsPkgs."sqlite-simple" or (buildDepError "sqlite-simple"))
           ];
         pkgconfig = [
-          (pkgconfPkgs."ristretto" or (pkgConfDepError "ristretto"))
+          (pkgconfPkgs."libchallenge_bypass_ristretto_ffi" or (pkgConfDepError "libchallenge_bypass_ristretto_ffi"))
           ];
         };
       exes = {
@@ -97,4 +97,4 @@ in { system, compiler, flags, pkgs, hsPkgs, pkgconfPkgs, ... }:
           };
         };
       };
-    } // rec { src = (pkgs.lib).mkDefault ../.; }
\ No newline at end of file
+    } // rec { src = (pkgs.lib).mkDefault ../.; }
diff --git a/nix/challenge-bypass-ristretto-repo.nix b/nix/challenge-bypass-ristretto-repo.nix
new file mode 100644
index 0000000000000000000000000000000000000000..007d257fc49c1155eb4775f970a5bc60eb320329
--- /dev/null
+++ b/nix/challenge-bypass-ristretto-repo.nix
@@ -0,0 +1,9 @@
+let
+  pkgs = import <nixpkgs> {};
+in
+  pkgs.fetchFromGitHub {
+    owner = "LeastAuthority";
+    repo = "python-challenge-bypass-ristretto";
+    rev = "v2020.04.03rc1";
+    sha256 = "03iqww9h7ff0pdi3mgg912a9s9yd8xbm4cx7iznv94611vxrcdzs";
+  }
diff --git a/nix/challenge-bypass-ristretto.nix b/nix/challenge-bypass-ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..cded558877b038c7e8c87a82e328f0a8650a3516
--- /dev/null
+++ b/nix/challenge-bypass-ristretto.nix
@@ -0,0 +1,5 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = import ./challenge-bypass-ristretto-repo.nix;
+in
+  callPackage "${src}/challenge-bypass-ristretto.nix" { }
diff --git a/nix/default.nix b/nix/default.nix
index 349c8369f6a81b1934ad076982d3ef92dbc39a4d..64d71bb1da972343b12ef6d307e996044a39d725 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,12 +1,17 @@
-{ pkgs ? import <nixpkgs> { overlays = [ (import ./overlay.nix) ]; } }:
+{ pkgs ? import <nixpkgs> { } }:
 
 let
+  # Get our overlay in place regardless of whether a value is passed for pkgs.
+  # The build fails without it and it's unreasonable to expect our caller to
+  # know to apply it.
+  nixpkgs = import pkgs.path { overlays = [ (import ./overlay.nix) ]; };
+
   # Pin a particular version of haskell.nix.  The particular version isn't
   # special.  It's just recent at the time this expression was written and it
   # is known to work with PaymentServer.  It could be bumped if necessary but
   # this would probably only happen as a result of bumping the resolver in
   # stack.yaml.
-  haskell = import (builtins.fetchTarball https://github.com/input-output-hk/haskell.nix/archive/0cb32e695d7014908fb01fd7e3d225ea33dbdc98.tar.gz) { inherit pkgs; };
+  haskell = import (builtins.fetchTarball https://github.com/input-output-hk/haskell.nix/archive/0cb32e695d7014908fb01fd7e3d225ea33dbdc98.tar.gz) { pkgs = nixpkgs; };
 
   pkgSet = haskell.mkStackPkgSet {
     stack-pkgs = import ./pkgs.nix;
diff --git a/nix/overlay.nix b/nix/overlay.nix
index 2673b39a9a30912c088deed29eeaa6a698e0f232..dc4b0ae7f794e5a74c0391037ee5dbd9ee73713f 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -1,3 +1,3 @@
 self: super: {
-  ristretto = super.callPackage ./ristretto.nix { };
+  libchallenge_bypass_ristretto_ffi = super.callPackage ./challenge-bypass-ristretto.nix { };
 }
diff --git a/nix/ristretto.nix b/nix/ristretto.nix
deleted file mode 100644
index 4e0912840d99a23263408dd86be620e23c92d7e3..0000000000000000000000000000000000000000
--- a/nix/ristretto.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ fetchFromGitHub, callPackage }:
-let
-  src = import ./privacypass-repo.nix { inherit fetchFromGitHub; };
-in
-  callPackage "${src}/ristretto.nix" { }
diff --git a/ristretto.nix b/ristretto.nix
deleted file mode 100644
index 8af584c022d28a62c6b3ec5c1dd9638e8c4a6325..0000000000000000000000000000000000000000
--- a/ristretto.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ fetchFromGitHub, callPackage }:
-let
-  src = fetchFromGitHub {
-    owner = "LeastAuthority";
-    repo = "privacypass";
-    rev = "45855401e163f8e622bd93a5c5bce13de8c8510a";
-    sha256 = "15wv8vas6x8cdicylp0m632c916p7qxq1k4lnchr8c92lldp0rv7";
-  };
-in
-  callPackage "${src}/ristretto.nix" { }
diff --git a/stack-shell.nix b/stack-shell.nix
index 8800cbbd773f7386033d30036ff026a169420e5f..3fb4bf7ee8317e5d2648475f03d8458fd123a2b1 100644
--- a/stack-shell.nix
+++ b/stack-shell.nix
@@ -4,7 +4,7 @@
 let
   pkgs = import <nixpkgs> { };
   # Get our Ristretto bindings.
-  ristretto = pkgs.callPackage ./ristretto.nix { };
+  libchallenge_bypass_ristretto = pkgs.callPackage ./nix/challenge-bypass-ristretto.nix { };
 in
   # This is what you're supposed to call in a stack shell-file.  I don't
   # *really* know what it does but I know it works...
@@ -13,5 +13,5 @@ in
     name = "PrivacyPass";
     # zlib is a common dependency of many of our dependencies.  and we put our
     # ristretto library in as well.
-    buildInputs = [ pkgs.zlib ristretto ];
+    buildInputs = [ pkgs.zlib libchallenge_bypass_ristretto ];
   }