
I was thinking about how SRP might be used with Curve25519 or Curve448. In the question "Can SRP be used with Elliptic Curves?", the answer is that you can't directly translate SRP to a group that isn't also a ring, because SRP uses not just multiplication but also addition.

In traditional SRP-6a, the server computes its public element $B$ from random secret $b$ as follows:

$B = kv + g^b$

The client then computes $S$ from its own secret $a$ and the server's $B$ as follows:

$S = (B - kv)^{a + ux}$

The subtraction of $kv$ from $B$ restores $g^b$ to compute the shared secret $S = {(g^b)}^{a + ux}$. It's only the single addition and subtraction (not counting $a+ux$) that prevent using a non-ring group like elliptic curves.

The purpose of adding $kv$ to $g^b$ seems to be to hide the value of $g^b$ from any adversary who does not know the verifier $v=g^x$. In other words, a sort of encryption.

What if we then remove the problematic operations and replace them with encryption using hashes of the verifier as the key?

$B = Enc(H(kv), g^b)$

$S = Dec(H(kv), B)^{a + ux}$

Now all the operations can be translated to an elliptic curve group. (With proper precautions like ensuring that $A$ and $Dec(H(kv),B)$ are on the curve and not on small subgroups.)

Myria
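The two formulations in the question, run side by side over a multiplicative group mod a prime, as an added example that is not part of the original post. The toy modulus, the `H` encoding, the XOR-pad `mask` standing in for $Enc$/$Dec$, and the function names are assumptions; the server side uses the standard SRP-6a formula $S = (A v^u)^b$, which the post does not spell out.

```python
import hashlib, secrets

# Toy parameters constructed for this example; not a vetted SRP group.
N = 2**127 - 1   # prime modulus
g = 3

def H(*parts):
    """Hash bytes/ints (< 2**128) to an integer; the encoding is an assumption."""
    h = hashlib.sha256()
    for p in parts:
        raw = p if isinstance(p, bytes) else p.to_bytes(16, "big")
        h.update(len(raw).to_bytes(2, "big") + raw)
    return int.from_bytes(h.digest(), "big")

def mask(key, element):
    """Hypothetical Enc/Dec: XOR with a 128-bit hash-derived pad (self-inverse)."""
    return element ^ (H(b"enc", key) >> 128)

def exchange(password, typed, variant):
    """Run one exchange; `typed` is what the client enters. Returns (S_client, S_server)."""
    salt = secrets.token_bytes(16)
    k = H(N, g)
    # Enrollment: the server stores only salt and verifier v = g^x.
    v = pow(g, H(salt, password), N)
    # Server: public element B built from secret b.
    b = secrets.randbelow(N - 2) + 1
    gb = pow(g, b, N)
    if variant == "srp6a":
        B = (k * v + gb) % N              # ring addition: B = kv + g^b
    else:
        B = mask(k * v % N, gb)           # B = Enc(H(kv), g^b)
    # Client: derives x (and so v) from the typed password, then recovers g^b.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    x_c = H(salt, typed)
    kv_c = k * pow(g, x_c, N) % N
    if variant == "srp6a":
        recovered = (B - kv_c) % N        # ring subtraction: B - kv
    else:
        recovered = mask(kv_c, B)         # Dec(H(kv), B)
    u = H(A, B)
    S_client = pow(recovered, a + u * x_c, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)   # (A * v^u)^b
    return S_client, S_server

if __name__ == "__main__":
    for variant in ("srp6a", "enc"):
        sc, ss = exchange(b"correct horse", b"correct horse", variant)
        print(variant, "shared secret agrees:", sc == ss)
```

In the `enc` branch everything outside `mask` is group multiplication and exponentiation, which is the property the question relies on for moving to an elliptic curve group.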

0 Answers