3

Is there some source of standard, vetted, efficient Montgomery elliptic curves over a prime field?

I'm looking for curves $B\,y^2\equiv x^3+A\,x^2+x\pmod p$ engineered for efficient computation of scalar multiplication with $X/Z$ coordinates and Montgomery ladder, which if I'm not mistaken is faster with small* $A_{24}=(A+2)/4$, because there's a multiplication by $A_{24}$ in the point doubling formula.

Ideally I'm looking for a curve with cofactor 4 over some 256-bit prime field, which would give about one extra bit of security compared to Curve25519 (255-bit $p$, cofactor $8$, $A_{24}=121665$, which is not quite optimum for $X/Z$ computations).


* Incidentally: what's the lowest possible $|A_{24}|$ for a secure Montgomery curve over a prime field when we can choose $p$ freely?

fgrieu

1 Answer

3

The Montgomery form of numsp256t1 matches those criteria, even if calling it "standard" is a bit of a stretch.

NUMS (Nothing Up My Sleeve) curves were curves proposed by Microsoft (Costello et al.). The curve generation algorithm and the resulting curves were proposed back in the days of the elliptic curve controversy against NIST.

They fit all known security requirements, and they were proposed in Short Weierstrass and Edwards form.

In particular, numsp256t1 is defined over a 256-bit prime field (with $p = 2^{256} - 189$) as an Edwards curve with cofactor $4$. Using a 4-degree isogeny following proposition 2 of this paper, it can be brought into Montgomery format, maintaining the security properties.

The resulting Montgomery curve has $B=1$, $A=61370$ (which gives $A_{24}=15343$). Its cardinality is $4 \cdot 28948022309329048855892746252171976963404671476872247083542990644359122995957$, where $28948022309329048855892746252171976963404671476872247083542990644359122995957$ is a prime of bit-size $255$.

Ruggero
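
As an added example (not part of the answer above or of any NUMS reference code), the following Python code runs the $X/Z$ Montgomery ladder with the parameters quoted in the answer and reports whether a given $x$-coordinate is sent to infinity by the stated cardinality $N$ or by $2(p+1)-N$, the order of the other curve in the curve/quadratic-twist pair. The function names are assumptions, and the code is meant for checking the arithmetic: Python big-integer code with branches on key bits is not constant-time.

```python
# Added example: X/Z ladder on B*y^2 = x^3 + A*x^2 + x with the answer's parameters.
P = 2**256 - 189            # field prime quoted in the answer
A = 61370                   # Montgomery coefficient quoted in the answer (B = 1)
A24 = (A + 2) // 4          # constant multiplied in the doubling step
N = 4 * 28948022309329048855892746252171976963404671476872247083542990644359122995957
N_OTHER = 2 * (P + 1) - N   # orders of a curve and its quadratic twist sum to 2(p+1)

def ladder(k, x1):
    """Return projective (X, Z) of [k]P for a point with affine x-coordinate x1."""
    x2, z2, x3, z3 = 1, 0, x1 % P, 1          # (x2:z2) = infinity, (x3:z3) = P
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:                                # illustration only: not constant-time
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P                      # e = 4*x2*z2
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P   # differential addition
        x2, z2 = aa * bb % P, e * (bb + A24 * e) % P           # doubling, one mul by A24
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2, z2

def affine(point):
    """Affine x = X/Z (returns 0 for the point at infinity, where Z = 0)."""
    X, Z = point
    return X * pow(Z, P - 2, P) % P

def on_curve(x):
    """True if x^3 + A*x^2 + x is a nonzero square mod P (x lifts to the B = 1 curve)."""
    rhs = (x * x * x + A * x * x + x) % P
    return pow(rhs, (P - 1) // 2, P) == 1

def annihilating_order(x):
    """Name the candidate order whose ladder output has Z = 0, or None if neither."""
    for name, n in (("N", N), ("2(p+1)-N", N_OTHER)):
        if ladder(n, x)[1] == 0:
            return name
    return None

if __name__ == "__main__":
    for x in range(2, 8):
        print(x, "curve" if on_curve(x) else "twist", annihilating_order(x))
```

Because the ladder never uses $y$, it accepts any $x \in \mathbb{F}_p$; an $x$ that does not lift to the curve is processed on the quadratic twist, which is why both candidate orders are tried.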