hngopher.com

       [HN Gopher] Double-Odd Elliptic Curves
       ___________________________________________________________________
        
       Double-Odd Elliptic Curves
        
       Author : rdpintqogeogsaa
       Score  : 46 points
       Date   : 2021-10-03 13:18 UTC (9 hours ago)
        
 (HTM) web link (doubleodd.group)
 (TXT) w3m dump (doubleodd.group)
        
       | ljhsiung wrote:
       | Slightly tangential-- to my knowledge, many common curves (e.g.
       | secp256k1 i.e. bitcoin) use order == 3 mod 4 because it enables
       | usage of quick Tonelli-Shanks shortcuts [1],[2].
       | 
       | Perhaps the claim that the selection of the curve has no
       | cofactor, and thus doesn't require the validation cost of e.g.
       | clearing the cofactor, ensuring torsion safety. Not sure what
       | other performance tricks this type of curve may enable.
       | 
       | I'm still reading and understanding how precisely they select the
       | curves to have no cofactor, but that's definitely interesting.
       | There's more desirable security considerations than just a low
       | cofactor, however; but going through the paper, they definitely
       | check a lot of other boxes.
       | 
       | [1]
       | https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorit...
       | 
       | [2] https://go-review.googlesource.com/c/go/+/11522/
        
         | tromp wrote:
         | > the curve has no cofactor
         | 
         | The groups do have a cofactor of 2 ("Curve order must be equal
         | to 2r for a prime integer r"). When they say "There is no
         | cofactor to deal with", they mean they pick a generator that's
         | divisible by 2 (like G=(2,2) in do255e) and use curve point
         | representations that only allow multiples of G.
        
       | Sniffnoy wrote:
       | "Double-odd" is a confusing term. Makes it sound like it's odd in
       | two ways. A more common term for a number that's 2 mod 4 is
       | "singly even" (because 2 only divides it once).
        
         | rdpintqogeogsaa wrote:
         | Let's just do the same we do with other classes of curves: Name
         | them after the person who either came up with or popularized
         | them. Thus, we might as well just call them Pornin curves (in
         | line with Edwards curves and Montgomery curves and [short]
         | Weierstrasse curves and Koblitz curves).
        
       ___________________________________________________________________
       (page generated 2021-10-03 23:01 UTC)