This is definitely the most straightforward way find the generator of a subgroup, except that you want qP = 0. If you want a NUMS property, you could take the first generator with x-coordinate greater than or equal to some hash value, or similar.
An alternative method is to obtain a point on the curve (either by brute force or with SWU or Elligator), and then multiply it by the cofactor h = #E/q, and then check that it’s not 0. I’m not sure what reference you would cite for either of these. I’m pretty sure the Curve25519 spec is the least generator, as is the X448 generator. Many other specs make similar choices. — Mike > On Dec 11, 2016, at 3:12 PM, Ron Garret <r...@flownet.com> wrote: > > SLSIA. I’m working on an introductory survey of ECC (the one suggested in > the “Climbing the elliptic learning curve” thread a few weeks back) and I’m > making good progress but I’m stuck on this issue. I have, of course, found > Shoof’s algorithm for counting curve points, but that only gets you so far. > With that as a baseline, I can kind of imagine an algorithm for finding a > base point: compute the number of curve points, factor the result, pick the > largest prime factor q, and then find a generator by brute-force search for a > point P such that qP=-P. Is that anywhere close to being the right answer? > Is there a reference I can cite? > > Thanks, > rg > > _______________________________________________ > Curves mailing list > Curves@moderncrypto.org > https://moderncrypto.org/mailman/listinfo/curves
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
