|
September 09, 2021, 08:12:30 PM |
|
To be analogous to secp256k1, your prime should be congruent to 3 mod 4, should have a primitive cube root of unity, and the generated group should be prime.
The curve created by a=0 b=11 over field P=2^32-116325 has these properties. N is 2^32-4443.
There are many such choices that work. I chose the option with the largest group size subject to the restriction that the order was still under 2^32, that the twist had cofactor of 4 or less, and that the embedding degree was 'large' (in this case almost 2^30, though there are somewhat smaller groups where the embedding degree is close to 2^32). I chose the smallest b among the isomorphic alternatives.
For a generator, you could use G = {0x02, 0x20c2c3af} (x=0x01 isn't on the curve). All points on the curve are equally good as a generator.
results=[] for x in [xf for xf in range(2^32,2^32-300000,-1) if xf%4==3 and Integer(xf).is_prime() and FiniteField(xf)(1).nth_root(3)!=1]: for b in range(1,15): order=EllipticCurve([FiniteField(x)(0), FiniteField(x)(b)]).order() if order<2^32 and order.is_prime()==True: ordert=EllipticCurve([FiniteField(x)(0), FiniteField(x)(-b)]).order() ordertp=factor(ordert)[-1][0] if ordert/ordertp<=4: results.append((order,RR(log(FiniteField(order)(x).multiplicative_order(),2)),ordert,-x,-b)) sorted(results)
|