0

In "SafeCurves: choosing safe curves for elliptic-curve cryptography", Daniel J. Bernstein and Tanja Lange characterize Brainpool curves of the twisted variety (e.g. brainpoolP256t1) as not "Safe", specifically failing the "ladder", "twist", "complete" and "ind" criteria.

Which of these criticisms apply to the corresponding random version of these curves (e.g. brainpoolP256r1), and why?


The random and twisted Brainpool curves share the same field and are cyclic groups of the same prime order, thus are isomorphic, and as far as I understand the isomorphism is practical. So I wonder what security difference there can be beyond side-channel considerations.

fgrieu

1 Answer

2

All criticisms apply in the same way to both the "t" and "r" Brainpool curves.

An efficiently computable isomorphism preserves all the curve's properties. It was done to support $a=-3$, which allows for faster implementation in the Jacobian coordinate system.

Specifically:

  • "Ladder" fails for all curves that are not birationally equivalent to Montgomery curves; this includes all curves with prime cardinality, such as Brainpool.
  • "Twist" fails for all the curves for which the quadratic twist's order doesn't have a large prime subgroup. Brainpool curves weren't designed to take this property into account, resulting in a "random" order for the twist's cardinality which doesn't have a large prime factor.
  • "Complete" fails for all curves that are not birationally equivalent to Twisted Edwards curves; this includes all curves with prime cardinality, such as Brainpool. Actually, a complete addition law has been found for curves of odd order, such as Brainpool, by Renes et al., but SafeCurves wasn't updated to support that.
  • "Indistinguishability" is a bit more subtle, but basically fails for all curves that are not birationally equivalent to Montgomery curves; this includes all curves with prime cardinality, such as Brainpool.

That said, please consider that SafeCurves was created by a small but vocal part of the crypto community that at the time was strongly criticizing NIST curves and promoting X25519/ed25519. It can be argued that the safe properties were crafted in order to disqualify the family of short Weierstrass curves (like NIST). But that's a discussion for another question.

Ruggero
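Added example, not part of the question or answer above: a check on a toy curve that the map $(x, y) \mapsto (u^2 x, u^3 y)$ with $a u^4 = -3$ yields an $a=-3$ curve with the same group order and the same twist order, which is why the "twist" criterion cannot separate an "r" curve from its "t" counterpart. The prime 1019 and the coefficients 573 and 7 are constructed for illustration (they are not Brainpool parameters), and all function names are hypothetical.

```python
# Toy parameters constructed for this example; NOT a Brainpool curve.
P, A, B = 1019, 573, 7   # P % 4 == 3, as for the Brainpool primes

def legendre(v, p):
    """1 if v is a nonzero square mod p, 0 if v == 0 mod p, -1 otherwise."""
    s = pow(v, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def order(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b, point at infinity included."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def twist_order(p, a, b):
    """Order of the quadratic twist d*y^2 = x^3 + a*x + b, d a non-square."""
    return 2 * (p + 1) - order(p, a, b)

def find_u(p, a):
    """Smallest u with a*u^4 == -3 (mod p), or None if no such u exists."""
    return next((u for u in range(1, p) if a * pow(u, 4, p) % p == p - 3), None)

def to_a_minus_3(p, a, b):
    """Return (u, a', b') with a' = a*u^4 = -3 and b' = b*u^6 (mod p)."""
    u = find_u(p, a)
    if u is None:
        raise ValueError("no isomorphic curve with a = -3 over this field")
    return u, a * pow(u, 4, p) % p, b * pow(u, 6, p) % p

def on_curve(pt, p, a, b):
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def map_point(pt, u, p):
    """The isomorphism (x, y) -> (u^2 * x, u^3 * y)."""
    x, y = pt
    return (u * u * x % p, pow(u, 3, p) * y % p)

def some_point(p, a, b):
    """First affine point found by trial (brute force, fine for a toy field)."""
    return next((x, y) for x in range(p) for y in range(p)
                if on_curve((x, y), p, a, b))

if __name__ == "__main__":
    u, a2, b2 = to_a_minus_3(P, A, B)
    print("u =", u, " a' =", a2 - P, " b' =", b2)
    print("orders:", order(P, A, B), order(P, a2, b2))
    print("twist orders:", twist_order(P, A, B), twist_order(P, a2, b2))
```

Not every $a$ admits such a $u$: over this field `find_u(P, 3)` returns `None`, because it would need $u^4 = -1$, and $-1$ is not a square when $p \equiv 3 \pmod 4$.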