# [Crypto] Order of Edwards curve and its twist

## Solution 1:

Regarding the [B] and [C] parts of the question per the comments:

I'm not sure how exactly did Mike Hamburg find the curve, but from what I know it's usually easier to find the order of the matching Montgomery curve. Recall that Montgomery curves have the form $$By^2 = x^3 + Ax^2 + x$$. If $$B$$ is 1, then it fits into the generalized Weierstrass form, and most SEA algorithm implementations work with any curve in the generalized Weierstrass form. (If it's not 1 then you can easily map into a curve with $$B = 1$$, the same way that short Weierstrass curves can be mapped into $$a = -3$$)

So basically:

• Search for a Montgomery curve matching the criteria;
• Then convert it into Edwards form.

One optimization is to instruct SEA to quickly discard curves whose order it knows beforehand that have a small factor (other than 4 or 8), see the tors parameter of the ellsea PARI/GP function, for example.

The paper "A note on high-security general-purpose elliptic curves" has a Magma implementation of the process (though IIRC it uses a slightly different approach). RFC 7748 has a Sage script that also searches for a Montgomery curve (though it will probably be much slower, since it doesn't seem to support that optimization).

## Solution 2:

Do your experiments count points at infinity? When $$d$$ is a quadratic nonresidue over $$\mathbb{F}$$, the curve

$$y^2 + x^2 = 1 + d x^2 y^2$$

has no points at infinity over $$\mathbb{F}$$. But if $$-1$$ is also a quadratic nonresidue, then the curve

$$y^2 - x^2 = 1 - d x^2 y^2$$

has two of them, roughly of the form $$(\pm\sqrt{-1/d}, \infty)$$.

## Solution 3:

Why $$|E_d|+|E'_d|=2\cdot p+2$$ ?

It follows from the definition of quadratic twist. In fact, let's consider all possible $$\tilde{x}$$ coordinates for points, that is all the values in $$\mathbb{F_p}$$, and an elliptic curve $$E$$ with equation $$y^2=x^3+ax+b$$, then:

Case $$\tilde{x}^3+a\tilde{x}+b\neq0$$:

So either $$\tilde{x}^3+a\tilde{x}+b$$ is a square and thus its square root provides us two points belonging to $$E$$, namely $$(\tilde{x},\pm\sqrt{\tilde{x}^3+a\tilde{x}+b})$$ or it is not a square. If it's not a square then it will be a square for the twist curve $$E'$$ of equation $$y^2=x^3+d^2ax+d^3b$$ with $$d\neq0$$ and non-square in $$\mathbb{F}_p$$, thus providing two points belonging to $$E'$$.

Case $$\tilde{x}^3+a\tilde{x}+b=0$$:

In this case the point lies on the $$x$$ axis and belongs both to $$E$$ and $$E'$$.

So, when you consider all possible $$\tilde{x}$$ values in $$\mathbb{F}_p$$, you have for each of them two points belonging to $$\{E \cup E'\}$$, if you add also the point at infinity for each curve, you end up with $$|E_d|+|E'_d|=2\cdot p+2$$