[curves] Twist-secure Weierstrass curves over Fq(Sal384)

David Leon Gil coruus at gmail.com
Sat Nov 29 18:14:05 PST 2014


Some numerical results for elliptic curves over Fq(2^384 - 2^128 -
2^96 + 2^32 - 1). I generated curves by j-invariant using the
relations:

a4 = (36 / (j0 - 1728))
a6 = (-1 / (j0 - 1728))

I've run 0 < j ~<= 210341. (Upper-bound approximate because a few
curves with smaller j were still being point-counted when I stopped
the process.)

--

221/210341 (about 0.1%) of the curves had prime order (cofactor 1). 4
of those curves (about 2%) had prime order on both the curve and
twist.

The j-invariants of the twist-secure curves I found: 145, 23041, 85522, 155663.

(Some raw data here: https://github.com/coruus/sally)

I was too lazy to attempt to replicate using Appendix 4 of this:
http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf

- David

(Many thanks to Michael Hamburg for his point-counting script. Any
egregious blunders are entirely mine, however.)


More information about the Curves mailing list