0

I know that the cofactor of curve 25519 is 8. Is it the maximum factor in the existing curve used for ECDSA?

user77340
  • 787
  • 4
  • 13

1 Answers1

4

The X9.62 ECDSA standard does not specify a bound on permissible cofactors (though it only records how to validate cofactors up to about $\sqrt p/4$). The Certicom SEC1 document only allows cofactors up to $2^{t/8}$ where $t$ is the bit size of the field. In theory then, quite large cofactors might be in use somewhere. In practice people almost always preferred to use Weierstrass curves with cofactor 1 a) for efficiency and b) to avoid possible weaknesses with unverified parameters. I believe that all of the NIST standard curves have cofactor 1 for example. By contrast Curve 25519 allows a cofactor so that it can have a compatible Edwards curve representation (Edwards curves are more efficient and have better anti-sidechannel properties; their order over prime fields is always divisible by 4 however). Similarly Curve 448 has a cofactor of 4 and an Edwards form.

ETA: kelalaka points out that 25519 pre-dates Edwards curves; it was a happy coincidence that it was Edwards compatible.

In pairing-friendly cryptography larger cofactors can be quite common as there are very stringent conditions on the curve order. Such curves are however not generally used for ECDSA.

Daniel S
  • 23,716
  • 1
  • 29
  • 67