cryptographically good random elliptic curves?

Question

After an answer here, about generate elliptic curves, I've start thinking about the algorithm. The mentioned algorithm will produce curves in the Weierstraß Reduced Form (WRF) over finite fields:

$y^2 = x^3 + ax +b$ with $a,b\in \mathbb{F}_p$

And this WRF is the representation used in the NIST (where $a\equiv-3\pmod p$), Brainpool, and probably some others, that can be used in standards like the extension for OpenPGP or TLS.

But this is only one of many ways to describe elliptic curves. In TLS specification it opens to the possibility to use arbitrary curve definition. Or other alternatives are Montgomery curves like the curve25519 "recently" proposed for EdDSA.

If I like to generate my curve (ignoring the fact that this would affect the maths in the implementations) are there differences between representations? I mean, would be faster to generate random cryptographically good curves depending on the representation? Will curves with different representation and the same bit length, have the same strength?

Answer 1

No, not all curves are created equal. For one thing, the number of points on an elliptic curve defined over $\mathbf{F}_p$ varies in the interval $[p+1-2\sqrt{p},p+1+2\sqrt{p}]$ (Hasse's Inequality). There are also weak instances which must be avoided, the most catastrophic being when the number of points on the curve is exactly equal to $p$ (anomalous curves) or to $p+1$ (supersingular curves).