<Inge- ""My question is the following: C"> Hi, I answered these questions on the reddit link to the best of my knowledge reddit.com/r/Monero/comments/gcpoby…p?utm_source=share&utm_medium=web2x

kenshamir[m]: cool!

<UkoeHB_ "What is the difference between R"> AFAIK the ristretto group is actually a quotient group built from the Ed25519 group.

So we double all points and then we consider two points equal if they differ by a point of order 4

If you imagine that there are points of order 8, once you double them they will have points of order 4, we then consider all of these points the same, and we pick a "representative point" to represent that particular group of points who differ by a point of order 4. This representative point is always chosen to be the point which lies in the prime order subgroup

I kind of oversimplified some things, but that's the gist of it, I think

Here is page for the checks: ristretto.group/details/isogeny_encoding.html

And the next section shows that you can use Ed25519 or Curve25519 and still arrive at the same Ristretto255 group. You can use any curve in the isogeny graph, as long as you modify the compression and decompresion formulas accordingly. Hope that helps

kenshamir[m]: do you have an account on the stack exchange? care to add your answer and perhaps expand on it? monero.stackexchange.com/questions/…sed-in-monero-a-subgroup-of-ed25519

scoobybejesus: I'll need to dig a bit for the email assosciated with it, but I think thats a great idea!

Feel free to copy and paste, if I take too long

Maybe you did what I did and logged in for the first time with your google account. I don't even have a password. It's weird. I need to change it. anyway...

Yep, this was it. It was a google login. Will post an answer on stackexchange

Sorry had a few other things to do, I have posted an expansion, please correct any mistakes you notice.

It's a bit long winded, so TLDR;

Ristretto does not map to the points in the prime order subgroup in E(K) . It builds a prime order subgroup from E(K). So it is important to never mix RistrettoPoints and EdwardsPoints together. I think by interopability @inge

* Sorry had a few other things to do, I have posted an expansion, please correct any mistakes you notice.

It's a bit long winded, so TLDR;

Ristretto does not map to the points in the prime order subgroup in E(K) . It builds a prime order subgroup from E(K). So it is important to never mix RistrettoPoints and EdwardsPoints together. I think by interopability @inge was referring to previous EdwardsPoints, but this does not seem necessary IMO. Not 100% sure