> Montgomery curves work well with the montgomery ladder, which is easy to use in constant time, and that any 32-byte string is a valid public key for ECDH.
You can also have Montgomery ladder an a 32-byte encoding with Weierstrass curve, even though it would be slower.
> The point of ristretto, and its precursor/similar project decaf, is to preserve group structure while using these curves, and also eliminating small subgroups.
Exactly. Because we are stuck with all these cofactor issues. Not to mention how clamping also "contaminated" EdDSA.
You can also have Montgomery ladder an a 32-byte encoding with Weierstrass curve, even though it would be slower.
> The point of ristretto, and its precursor/similar project decaf, is to preserve group structure while using these curves, and also eliminating small subgroups.
Exactly. Because we are stuck with all these cofactor issues. Not to mention how clamping also "contaminated" EdDSA.