ZenGo-X / multi-party-eddsa

Rust implementation of multi party Ed25519 signature scheme.
GNU General Public License v3.0

test against blockchain signing verification code #5

Closed omershlo closed 5 years ago

omershlo commented 5 years ago

We are using dalek curve25519, using the Ristretto curve and RistrettoPoint.

1) For the use case of signing blockchain transactions: would a blockchain that supports curve25519 be able to validate signatures based on the Ristretto curve?
2) If a blockchain decides to check IsPoint() on Ristretto public keys, would that check pass?
3) Does using ed25519 with the Ristretto curve mean that we can eliminate bit clamping? This is super important for later implementing HD.

omershlo commented 5 years ago

Henry de Valence answers:

1) Nope, they’re different groups, just as different as secp256 and ed25519... they are related only in that you can modify the internals of an ed25519 implementation to implement ristretto255, but that’s an implementation detail.
2) Nope, they’re different groups, so trying to decode a ristretto255 point as an ed25519 point or vice versa will in general fail.
3) Yes, clamping is not necessary with Ristretto, because it provides a prime-order group.

Conclusion: in order to be compatible with blockchains we need to move back to curve25519.

omershlo commented 5 years ago

done
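
Answer 3 above says clamping is unnecessary in a prime-order group. The Python sketch below is an added example, not code from this thread or from multi-party-eddsa; it shows what clamping does on Ed25519 itself, where the cofactor is 8: a clamped scalar removes a small-order component, an unclamped one keeps it, and the sum of two clamped scalars is no longer in clamped form. The seeds are constructed, the helper names are hypothetical, and plain-integer affine arithmetic stands in for the dalek library.

```python
# Added example: Ed25519 bit clamping on a cofactor-8 curve, with plain-integer
# affine arithmetic. Illustration only; helper names are hypothetical.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P   # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)      # square root of -1 mod P
IDENTITY, T4 = (0, 1), (SQRT_M1, 0)    # neutral element; torsion point of order 4

def add(p, q):
    """Twisted Edwards addition (a = -1); complete, so it also handles torsion."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, p):
    """Double-and-add scalar multiplication; not constant time."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def base_point():
    """Ed25519 base point: y = 4/5, x recovered as the even square root."""
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    return (P - x if x & 1 else x, y)

def clamp(seed32):
    """RFC 8032 clamping: clear bits 0-2 and bit 255, set bit 254."""
    b = bytearray(seed32)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def torsion_survives(k):
    """True if k*(B + T4) differs from k*B, i.e. k keeps the torsion part."""
    B = base_point()
    return mul(k, add(B, T4)) != mul(k, B)

if __name__ == "__main__":
    a, b = clamp(bytes(range(32))), clamp(bytes(range(32, 64)))  # constructed seeds
    print("clamped scalar keeps torsion:", torsion_survives(a))      # False
    print("unclamped scalar 5 keeps torsion:", torsion_survives(5))  # True
    print("a + b has bit 255 set (not clamped):", (a + b) >> 255 == 1)  # True
```
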