by opheliate 1594 days ago
Hm, with regard to timing attacks, I’m not talking about clearing the cofactor, but rather setting the most significant bit to zero & the second most significant to one. My understanding is that this is to defend against an insecure implementation of the scalar multiplication operation which takes a varying length of time depending on which bit is the first non-zero one, thereby revealing information about the key. The linked article supports this (I believe), but I’m always happy to be corrected about these kinds of things :)
3 comments

I think it is simpler: the algorithm used repeated doubling to find the point on the elliptic curve, so by setting the highest bit to one it ensured that the operation is done a fixed number of times no matter the input.
Nope, you're probably right!
You’re correct!
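An added illustration of the point discussed in this thread (not code posted by any commenter): a Montgomery ladder written from the RFC 7748 formulas, run once with a fixed bit count and once with a shortcut that starts at the highest set bit. The names `leaky`, `fixed` and `RAW_KEYS` and the sample keys are assumptions made for this example.

```python
P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # ladder constant from RFC 7748

def clamp(raw: bytes) -> int:
    """RFC 7748 scalar decoding: clear the 3 low bits and bit 255, set bit 254."""
    b = bytearray(raw)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def ladder(k: int, u: int, top_bit: int):
    """x-only Montgomery ladder over bits top_bit..0 of k; returns (u_out, steps)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(top_bit, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:  # plain branch for readability; real code uses a constant-time swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        da, cb = d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P, top_bit + 1

def fixed(k: int, u: int = 9):
    """Ladder that always processes bits 254..0 (255 steps)."""
    return ladder(k, u, 254)

def leaky(k: int, u: int = 9):
    """Shortcut that skips leading zero bits, so the step count depends on k."""
    return ladder(k, u, k.bit_length() - 1)

# Constructed sample keys (not from the thread): same low bytes, different top byte.
RAW_KEYS = [bytes(range(1, 32)) + bytes([top]) for top in (0x01, 0x1F, 0x7F, 0xFF)]

def step_counts(scalars):
    """Distinct step counts the shortcut ladder takes over a set of scalars."""
    return sorted({leaky(k)[1] for k in scalars})

if __name__ == "__main__":
    print("unclamped:", step_counts(int.from_bytes(r, "little") for r in RAW_KEYS))
    print("clamped:  ", step_counts(clamp(r) for r in RAW_KEYS))
```

With clamping, bit 254 is always the highest set bit, so even the shortcut ladder runs the same number of steps for every key.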