<kayabanerve:matrix.org> With FCMP++, I zealously limited to the odd-prime-order subgroup so we don't even have to discuss the implications of torsion.

<kayabanerve:matrix.org> IIRC, it's a constant headache, generally effects an incomplete prover, cannot be used for any generator for which a diffie-hellman is then performed against, and I think the order-2 point doesn't have a representation on Wei25519 so some of the maps we use would be incomplete if over the entire group of order 8l.

<kayabanerve:matrix.org> Other than the order-2 point, I don't believe there'd be soundness issues with points of composite order though, solely completeness and zero-knowledge issues.