Slightly tangential-- to my knowledge, many common curves (e.g. secp256k1 i.e. bitcoin) use order == 3 mod 4 because it enables usage of quick Tonelli-Shanks shortcuts [1],[2].<p>Perhaps the claim that the selection of the curve has no cofactor, and thus doesn't require the validation cost of e.g. clearing the cofactor, ensuring torsion safety. Not sure what other performance tricks this type of curve may enable.<p>I'm still reading and understanding how precisely they select the curves to have no cofactor, but that's definitely interesting. There's more desirable security considerations than just a low cofactor, however; but going through the paper, they definitely check a lot of other boxes.<p>[1] <a href="https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm" rel="nofollow">https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorit...</a><p>[2] <a href="https://go-review.googlesource.com/c/go/+/11522/" rel="nofollow">https://go-review.googlesource.com/c/go/+/11522/</a>
"Double-odd" is a confusing term. Makes it sound like it's odd in two ways. A more common term for a number that's 2 mod 4 is "singly even" (because 2 only divides it once).
For anyone that needs an intro to ECC in general: <a href="https://qvault.io/cryptography/elliptic-curve-cryptography/" rel="nofollow">https://qvault.io/cryptography/elliptic-curve-cryptography/</a>