P.S. for an example of why I need the math PhD's assistance and review, I need help to understand what Gregory Maxwell is referring to about the non-unity cofactor for EdDSA:
https://bitcointalk.org/index.php?topic=380482.msg4083612#msg4083612
That is an example where my math is sorely lacking. I could figure it out with a lot of time, but right about now we need me to be coding and not teaching myself higher abstract algebra maths.
In which case, you meet an inverse 3-Generals Problem wherein a plutocrat or plutocratic body is "the commander" (Lamport, Shostak, Pease), your mathematician is "the loyal lieutenant" (Lamport, Shostak, Pease), and you are "the other lieutenant" (Lamport, Shostak, Pease).
There are other criteria that the implementations of the recommended curves fail, e.g. it looks like curve25519 requires that the most significant bit of the private key is set. Beyond reducing the keyspace this has the effect of making it impossible to use schemes like BIP32 for public derivation of addresses. (At least, while using the standard constant time implementations). Perhaps more interesting is that the page does not penalize curve25519 for having a non-one cofactor. As mentioned this reduces the rho-hardness, but since failure to handle it correctly has resulted in cryptographic weaknesses (e.g. in PAKE schemes). Cryptographic protocols need to multiply their values by the cofactor; it's an implementation trap along the lines of the "completeness" examples and this is easier to get wrong if your cofactor is one as it is in secp256k1.
(Red colorization mine.)
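The clamping behaviour the quoted passage describes, as an added example that is not part of the thread or of any poster's code: it clamps a secret the way standard Curve25519/Ed25519 implementations do (low three bits cleared for the cofactor 8, bit 254 set) and shows that BIP32-style additive derivation matches the public-side computation only for the raw child scalar, not once that scalar is clamped again. The helper names, the affine arithmetic and the input values are assumptions made for illustration.

```python
# Added illustration: affine Ed25519 arithmetic (slow, not constant time).
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
D = -121665 * pow(121666, P - 2, P) % P              # curve constant d

def add(a, b):
    """Twisted Edwards addition; the same formula also doubles."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)

def mul(k, pt):
    acc = (0, 1)  # neutral element; plain double-and-add below
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():
    """Recover the standard base point from y = 4/5, taking the even x."""
    y = 4 * pow(5, P - 2, P) % P
    u = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(u, (P + 3) // 8, P)
    if (x * x - u) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x, y)

B = base_point()

def clamp(secret: bytes) -> int:
    """Clear the low 3 bits (cofactor 8), clear bit 255, set bit 254."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def derive_demo(parent_secret: bytes, tweak: int):
    """Return (public derivation matches raw child, matches re-clamped child)."""
    parent = clamp(parent_secret)
    child = (parent + tweak) % L                      # additive private derivation
    from_public = add(mul(parent, B), mul(tweak, B))  # derivation from the public key
    raw = mul(child, B)
    reclamped = mul(clamp(child.to_bytes(32, "little")), B)
    return from_public == raw, from_public == reclamped

if __name__ == "__main__":
    print(derive_demo(bytes(range(32)), 0x1234567890ABCDEF))  # constructed inputs
```

The reduced child scalar is below 2^253, so clamping always adds 2^254 to it and changes the resulting public key.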