Why this over Curve448 and Ed448. Does the curve lend itself to an easier implementation? From what I can see there doesn't seem to be a compelling story here.
They say coefficient b is determined via BLAKE3, but unless I'm missing it, they don't actually say how?<p>They also claim that the prime modulus was chosen "carefully", and enumerate its favourable properties, but do not elaborate on <i>how</i> it was chosen. Presumably they had some code that looped until they found a prime that gave them all the right properties, but it would be good if they shared that process.
Well, I've tried manually verifying the curve parameters and I don't trust this.<p>* The generator isn't selected deterministically<p>* The BLAKE3(seed) in the OpenFrogget code doesn't match what I get with Python & Javascript implementation of Blake3, the index & seed aren't specified in the paper<p>* The paper doesn't provide a reference for why `a=-7` was chosen (presumably because of the GLV endomorphism)<p>* the various parameters differ between the reference implementation and the paper and the spec...<p>There are enough many holes in this that I wouldn't touch it yet, as a very quick glance into the spec & the code leaves me wondering why their claims of reproducibility & determinism re: the constants aren't true, and the documentation & code don't match what I can reproduce locally.<p>So uhh yea... No