In standard elliptic curves for cryptography, there's need to choose a generator point. The standard way is choosing a random-like generator, per a public deterministic algorithm in order to insure a nothing-up-my sleeves number. There are notable exceptions: for secp256r1, it's lost how the generator's seed was chosen (see this question); and for secp256k1 and secp224k1, the generator is twice a point with a 166-bit X coordinate of unknown source (see my question).
What if instead we selected the generator as the curve's point of prime order with the lexicographically smallest compressed coordinate? That is, for curves on a prime field (the most common kind), the smallest X coordinate, and an even Y coordinate? E.g. for secp256k1 the generator point would have compressed coordinates
020000000000000000000000000000000000000000000000000000000000000001
that is X=1, Y=0x4218f20ae6c646b363db68605822fb14264ca8d2587fdd6fbc750d587e76a7ee.
Arguments towards that:
- easy
- nothing-up-my sleeves
- can save perceptible time when adding the generator, because adding a small X is faster
Arguments against:
- it might be somewhat harder to guard against side-channel attack
- the speedup of 3 above somewhat applies to attackers trying to recover private key from public key
- that won't catch for existing curves.
What do I miss? If this was proposed earlier, why was it rejected? Should we do that?
