34

In cryptography, an elliptic curve is a group based on a finite field $GF(p^k)$; this group has $n$ elements on it, and we work on a prime-sized subgroup of size $q$. We denote the value $h = n/q$ as the cofactor of the curve.

My question is: why would we ever want to consider using a curve which has a cofactor $h>1$? Or, in other words, why would we consider using an elliptic curve that had a composite number of points? After all, the discrete log problem can be solved in $O(\sqrt{n / h})$ time; if we were to select a curve with $h>1$, we are deliberately making this problem easier.

Now, if $h$ is small, we're not making it much easier; if (for example) $p^k \ge 2^{256}$ and $h \le 4$, this would still appear to be an intractable problem. On the other hand, I don't know if we want to make the attacker's job any easier than necessary, unless we gain some other benefit from it (perhaps making some other attack harder, or gaining some computational efficiency).

So, is there any benefit for using a curve with a cofactor > 1?

poncho

3 Answers

27

Montgomery and twisted Edwards curves have even order, but the group law can be implemented using multiplication which is usually fast whereas curve operations in Weierstrass models involve inversions. So that is why these curves are popular and we have to live with cofactors $> 1$.

There are other reasons to prefer to use prime-order elliptic curves (e.g., small subgroup attacks). So you are right that in an ideal world one would use prime order curves. But sometimes it is worth the trouble to use a more efficient curve model.

20

I do not have any hard data to back this up, but an educated guess is that relaxing the cofactor to be "small" instead of "1" was done to allow Koblitz curves — which in early days looked like an attractive choice for implementation.

Koblitz curves over binary fields are of the form $y^2 + xy = x^3 + a x^2 + 1$.
The cofactor is at least $4$ when $a = 0$, and $2$ when $a = 1$.

Mike Edward Moras
Samuel Neves
1

When it comes to practical, standards-backed solutions, using h = 1 is rather common. This is to prevent small subgroup attacks.

  1. Brainpool Curves standard defines h=1 as a requirement: https://www.rfc-editor.org/rfc/rfc5639 (page 17)

     cofactor is set to 1.

  2. All NIST curves below have h=1 as well (see: http://www.secg.org/SEC2-Ver-1.0.pdf)

       • secp192r1
       • secp224r1
       • secp256r1 (default in all popular FOSS implementations including OpenSSL)
       • secp384r1
       • secp521r1

An exception is Bernstein's Curve25519 where h = 8 (https://www.rfc-editor.org/rfc/rfc7748#page-4). That one is practically used by Apple in their cloud encryption solutions, and is being moved to NIST SP 800-186, but I didn't see it published yet. As others pointed out, performance issues have been taken into consideration here.

Oleg Gryb
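The even group order of Edwards-form curves and the subgroup check that guards against small subgroup attacks, both mentioned in the answers above, worked through on a toy curve. This is an added example, not code from any of the posts; the parameters p = 13, d = 6 and all function names are constructed for illustration, and the point count is brute force, which only works at toy size.

```python
# Toy Edwards curve x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); p and d are constructed values.
# d = 6 is a non-square mod 13, so the addition law is complete (denominators never zero).
P, D = 13, 6
IDENTITY = (0, 1)

def on_curve(pt, p=P, d=D):
    x, y = pt
    return (x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(a, b, p=P, d=D):
    (x1, y1), (x2, y2) = a, b
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)

def mul(k, pt, p=P, d=D):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt, p, d)
        pt, k = add(pt, pt, p, d), k >> 1
    return acc

def group_params(p=P, d=D):
    """Return (n, q, h): group order, its largest prime factor, cofactor h = n/q."""
    n = sum(on_curve((x, y), p, d) for x in range(p) for y in range(p))
    q, m, f = 1, n, 2
    while m > 1:
        while m % f == 0:
            q, m = f, m // f
        f += 1
    return n, q, n // q

def accept_peer_point(pt, p=P, d=D):
    """Receiver-side validation: on the curve, not the identity, and of order q."""
    _, q, _ = group_params(p, d)
    return on_curve(pt, p, d) and pt != IDENTITY and mul(q, pt, p, d) == IDENTITY

def clear_cofactor(pt, p=P, d=D):
    """Multiply a curve point by h, which removes any small-order component."""
    return mul(group_params(p, d)[2], pt, p, d)

if __name__ == "__main__":
    print("n, q, h =", group_params())                          # cofactor is a multiple of 4
    print("order-4 point accepted?", accept_peer_point((1, 0)))  # rejected by the check
```

On a prime-order curve (h = 1) the order check reduces to the on-curve and non-identity tests, which is the simplification the Brainpool and NIST parameter choices buy.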