Small subgroup alternative curve verification of group law #308
Description
04:22 < gmaxwell> Which I think also suggests another test we can add. Our group law should also hold for all B even when B results in a curve that has low order points.
04:23 < gmaxwell> We can exhaustively test low order subgroups.
04:23 < gmaxwell> e.g. this is something tests.c could do.
04:28 < gmaxwell> this has the benefit of allowing an 'exhaustive' test of the group law without changing the field.
E.g. on y^2 = x^3 + 4 there is a subgroup with a generator of order 199, and we can 'exhaustively' verify the group law on this subgroup by generating all the points and trying all pairs of adds and multiplies. (Though this doesn't cover all possible projective points).