What are the properties a cryptographically secure Elliptic Curve must have?
I have started to create a list and wanted to know if I forgot some important points, and if it is correct so far:
A curve $E$ over a finite field $\mathbb{F}_q$ with $\#E(\mathbb{F}_q)=h\cdot p$ is considered to be cryptographically secure if:
rigidity, as mentioned before the generation of the curve should be documented or random
$p>2^{200}$ so that the ECDLP is hard.
$p\not|(q^k -1)$, for $k<30$ to exclude the possibility of transfers (such as MOV or Frey-Rück)
$p\not=q$, as well to avoid MOV and Frey-Rück and the Anomalous curve Attack
$q$ should be a large prime
the cofactor $h$ should be very small to avoid the Pohlig-Hellman attack
$p$ should be a large prime so that the Pollard-Rho algorithm is inefficient
twist security, check that the twists of the elliptic curve are cryptographically secure as well
little plus: prime in efficient form (such as Merzenne-primes)
Complete addition- and multiplication- formulas to avoid side-channel attacks
