diff --git a/overlays.nix b/overlays.nix
index 395e00027d7100f1178402e0f4c2553a18b02e0c..21c2e6a7ff7357cc85d46f595b33d476344f1598 100644
--- a/overlays.nix
+++ b/overlays.nix
@@ -1,6 +1,8 @@
 self: super: {
   openssl = self.openssl_1_1;
 
+  ristretto = super.callPackage ./ristretto.nix { };
+
   python27 = super.python27.override {
     packageOverrides = python-self: python-super: {
       # new tahoe-lafs dependency
@@ -16,6 +18,10 @@ self: super: {
       # tahoe-lafs in nixpkgs is packaged as an application!  so we have to
       # re-package it ourselves as a library.
       tahoe-lafs = python-super.callPackage ./tahoe-lafs.nix { };
+
+      # we depend on the privacypass python library, a set of bindings to the
+      # challenge-bypass-ristretto Rust library
+      privacypass = python-super.callPackage ./privacypass.nix { };
     };
   };
 }
diff --git a/privacypass-repo.nix b/privacypass-repo.nix
new file mode 100644
index 0000000000000000000000000000000000000000..cda604a39095585bd50db0d0ae0754fdd45e9fd2
--- /dev/null
+++ b/privacypass-repo.nix
@@ -0,0 +1,8 @@
+{ fetchFromGitHub }:
+fetchFromGitHub {
+  owner = "LeastAuthority";
+  repo = "privacypass";
+  rev = "5126376574ac126d2cdcd0612ef0ed65ef7bca6e";
+  sha256 = "sha256:1b53315qf3yp9mzrx7nmmqj9gia211yhrzg31jp8ny10w6vgbxmn";
+  fetchSubmodules = true;
+}
diff --git a/privacypass.nix b/privacypass.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ae73e27be85811876b8e5a7f2b8f24b219087c46
--- /dev/null
+++ b/privacypass.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = import ./privacypass-repo.nix { inherit fetchFromGitHub; };
+  privacypass = callPackage "${src}" { };
+in
+  privacypass.overrideAttrs (old: {
+    patches = [
+      ./remove-setuptools-scm.patch
+    ];
+  })
diff --git a/remove-setuptools-scm.patch b/remove-setuptools-scm.patch
new file mode 100644
index 0000000000000000000000000000000000000000..42e5d94a912abf7eab484fd1a0b0cc8357aeaba9
--- /dev/null
+++ b/remove-setuptools-scm.patch
@@ -0,0 +1,21 @@
+diff --git a/setup.py b/setup.py
+index 70927ff..9bf414d 100644
+--- a/setup.py
++++ b/setup.py
+@@ -21,7 +21,7 @@ setup(
+     packages=['privacypass', 'privacypass.tests'],
+     zip_safe=False,
+     platforms='any',
+-    setup_requires=['milksnake', 'setuptools_scm'],
++    setup_requires=['milksnake'],
+     install_requires=['milksnake', 'cffi', 'attrs'],
+     extras_require={
+         "tests": [
+@@ -29,7 +29,6 @@ setup(
+             "hypothesis",
+         ],
+     },
+-    use_scm_version=True,
+     url='https://github.com/',
+     milksnake_tasks=[
+         build_native
diff --git a/ristretto.nix b/ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..4e0912840d99a23263408dd86be620e23c92d7e3
--- /dev/null
+++ b/ristretto.nix
@@ -0,0 +1,5 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = import ./privacypass-repo.nix { inherit fetchFromGitHub; };
+in
+  callPackage "${src}/ristretto.nix" { }
diff --git a/zkapauthorizer.nix b/zkapauthorizer.nix
index 8265f890df9f900dcdea5b87d159ae117ceaf33d..0b311a4868fcec93729afe25b028ab4dcd336126 100644
--- a/zkapauthorizer.nix
+++ b/zkapauthorizer.nix
@@ -1,5 +1,5 @@
 { buildPythonPackage, sphinx, circleci-cli
-, attrs, zope_interface, twisted, tahoe-lafs
+, attrs, zope_interface, twisted, tahoe-lafs, privacypass
 , fixtures, testtools, hypothesis, pyflakes, treq, coverage
 }:
 buildPythonPackage rec {
@@ -20,6 +20,7 @@ buildPythonPackage rec {
     zope_interface
     twisted
     tahoe-lafs
+    privacypass
   ];
 
   checkInputs = [