Distribution of elliptic twins over fixed finite fields: Numerical results

We report numerical results, and describe plans for future experiments, related to the number of prime-order curves and “elliptic twin” curves over the primes P-224, P-256, and P-384 standardized by NIST for cryptographic applications. Although these results are not sufficient to confirm the formula of Shparlinski and Sutantyo 2014 over these fields, they strongly suggest (~99% probability) that the NIST curve P-384 was not chosen from a uniform distribution over prime-order curves.

💡 Research Summary

The paper presents a preliminary numerical investigation into the frequency of “elliptic twins” – elliptic curves over a finite field whose group order is prime and whose quadratic (non‑trivial) twist also has prime order – on the three NIST‑standardized prime fields P‑224, P‑256, and P‑384. The motivation stems from the notion of twist‑security, introduced after the 2001 “unsafe‑twist” attack, which requires that both a curve and its twist resist discrete‑log attacks.

Two experimental approaches are described. In Experiment 1 the authors exhaustively scan j‑invariants from 1 to 2²⁰ (excluding the singular value 1728). For each j they compute the point count of the corresponding curve E_j and its twist eE_j using a modified PARI/GP routine based on Michael Hamburg’s code. Counting stops early if either #E_j or #eE_j contains a small prime factor, which speeds up the search for prime‑order curves. The results are:

• P‑224: 2 790 prime‑order curves, 31 elliptic twins (ratio ≈ 1.1 × 10⁻²).
• P‑256: 1 956 prime‑order curves, 15 elliptic twins (ratio ≈ 0.8 × 10⁻²).
• P‑384: 1 131 prime‑order curves, 20 elliptic twins (ratio ≈ 1.8 × 10⁻²).

Experiment 2 adopts a “waiting‑time” method: a pseudorandom j‑invariant is generated repeatedly until an elliptic twin is found; the number of trials needed provides an estimator for the inverse probability 1/p(π′|π). Resource constraints limited the run to 441 discovered twins. By bootstrapping the combined data from both experiments the authors obtain a 99 % confidence interval for the conditional probability that a random prime‑order curve is a twin: p(π′|π) ∈