Closed: hdevalence closed 9 months ago
From the paper, it looks like they got lucky, finding a compatible curve that happens to have cofactor 4:
It would be good to find out if the search scripts can be adapted to the BLS12-377 case.
@asanso pointed to the script here: https://github.com/asanso/Bandersnatch/blob/main/python-ref-impl/small-disc-curves.py but suggested that there might not be any suitable curves for BLS12-377.
https://eprint.iacr.org/2021/1152 proposes a new curve defined over the BLS12-381 scalar field called Bandersnatch. This curve has an endomorphism that allows use of the GLV method, making it faster in the software context (outside of a circuit).
Currently, decaf377 is defined in terms of the Edwards-on-BLS12-377 curve created as part of the Zexe paper. But there's no really compelling reason to use that curve in particular — unlike the scenario for ristretto255, there is not a large deployment base already using that curve.
So, instead, it might be better to try to apply the same techniques in the Bandersnatch paper to create a GLV-compatible Edwards curve defined over the BLS12-377 scalar field, and then define decaf377 in terms of that curve.