2016-12-12 0:58 GMT+01:00 Mike Hamburg <m...@shiftleft.org>: > This is definitely the most straightforward way find the generator of a > subgroup, except that you want qP = 0. If you want a NUMS property, you > could take the first generator with x-coordinate greater than or equal to > some hash value, or similar. > > An alternative method is to obtain a point on the curve (either by brute > force or with SWU or Elligator), and then multiply it by the cofactor h = > #E/q, and then check that it’s not 0.
It's worth noting that multiplying-by-the-cofactor is something that you'll definitely need to do if you have larger cofactors, like if you're in a pairing-based situation, because otherwise the probability that your randomly generated point is even in the subgroup is somewhere between "annoyingly small" and "negligible". ben -- You know we all became mathematicians for the same reason: we were lazy. --Max Rosenlicht _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
