
Slightly tangential: to my knowledge, many common curves (e.g. secp256k1, i.e. bitcoin) use order == 3 mod 4 because it enables usage of quick Tonelli-Shanks shortcuts [1], [2].

Perhaps the claim is that the selected curve has no cofactor, and thus doesn't require the validation cost of e.g. clearing the cofactor to ensure torsion safety. Not sure what other performance tricks this type of curve may enable.

I'm still reading and understanding how precisely they select the curves to have no cofactor, but that's definitely interesting. There are more desirable security considerations than just a low cofactor, however; but going through the paper, they definitely check a lot of other boxes.

[1] https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorit...

[2] https://go-review.googlesource.com/c/go/+/11522/
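The square-root shortcut mentioned above, as an added example that is not part of the comment, the linked Go change or the paper. The shortcut applies when the field prime p satisfies p ≡ 3 (mod 4): a square root of a is then a^((p+1)/4) mod p, a single exponentiation with no Tonelli-Shanks loop. The script below implements both that shortcut and the general Tonelli-Shanks routine, and uses the real secp256k1 field prime (which is ≡ 3 mod 4) and generator coordinates as input to check that the shortcut recovers the generator's y from its x. The small primes in the test are constructed inputs for the general routine.

```python
# Added example (not from the HN comment, the Go change or the paper):
# modular square roots via the p % 4 == 3 shortcut versus full Tonelli-Shanks.

P_SECP256K1 = 2**256 - 2**32 - 977   # secp256k1 field prime, p % 4 == 3
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def legendre(a, p):
    """Euler's criterion: 1 if a is a non-zero square mod p, p-1 if not, 0 if a == 0."""
    return pow(a % p, (p - 1) // 2, p)


def sqrt_3mod4(a, p):
    """Square root of a mod p by one exponentiation. Only valid when p % 4 == 3.
    Returns None when a is a quadratic non-residue (the candidate fails the check)."""
    assert p % 4 == 3, "shortcut requires p == 3 (mod 4)"
    a %= p
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r) % p == a else None


def tonelli_shanks(a, p):
    """General Tonelli-Shanks for any odd prime p. Returns None for a non-residue."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:                         # p % 4 == 3: same single exponentiation
        return pow(a, (p + 1) // 4, p)
    # Find any quadratic non-residue z to seed the loop.
    z = 2
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Least i with t^(2^i) == 1; guaranteed 0 < i < m.
        i, t2 = 0, t
        while t2 != 1:
            t2 = (t2 * t2) % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, (b * b) % p
        t, r = (t * c) % p, (r * b) % p
    return r


def lift_x_secp256k1(x, want_odd=False):
    """Recover y from x on y^2 = x^3 + 7 over the secp256k1 field, choosing parity.
    This is the point-decompression step where the shortcut pays off."""
    p = P_SECP256K1
    y = sqrt_3mod4((pow(x, 3, p) + 7) % p, p)
    if y is None:
        return None                    # x is not on the curve
    if (y & 1) != want_odd:
        y = p - y
    return y


if __name__ == "__main__":
    print(hex(lift_x_secp256k1(GX)))   # matches GY
    print(tonelli_shanks(2, 17))       # 6 or 11
```

The shortcut is the whole reason such field primes are attractive for point decompression: one exponentiation and one multiply-compare, with no data-dependent loop to leak timing on. For primes with p ≡ 1 (mod 4) the general routine (or a precomputed-table variant) is needed.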




> the curve has no cofactor

The groups do have a cofactor of 2 ("Curve order must be equal to 2r for a prime integer r"). When they say "There is no cofactor to deal with", they mean they pick a generator that's divisible by 2 (like G=(2,2) in do255e) and use curve point representations that only allow multiples of G.
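What choosing a generator "divisible by 2" buys on a curve of order 2r, as an added example that is not from the comment or the paper and does not use do255e's actual parameters. The script brute-forces a toy short-Weierstrass curve over a small constructed prime (p = 59) whose group order is 2r with r prime, takes a point Q of full order 2r, and checks that G = [2]Q has order exactly r, so no multiple of G can ever land on the order-2 point. The curve, prime and point search are all constructed for illustration.

```python
# Added example (not from the comment or the paper): toy curve y^2 = x^3 + a*x + b
# over a small constructed prime with group order 2r, r prime, showing that a
# generator G = [2]Q lies in the prime-order subgroup. Affine arithmetic only.
INF = None  # point at infinity


def inv(x, p):
    return pow(x % p, p - 2, p)


def ec_add(A, B, a, p):
    """Affine point addition on y^2 = x^3 + a*x + b over GF(p)."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                     # A == -B, including doubling a 2-torsion point
    if A == B:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, A, a, p):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, A, a, p)
        A = ec_add(A, A, a, p)
        k >>= 1
    return R


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def curve_points(a, b, p):
    """All affine points by brute force (fine for tiny p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x ** 3 - a * x - b) % p == 0]


def find_cofactor2_curve(p):
    """First (a, b) whose group order is 2r with r prime; returns (a, b, points, r)."""
    for a in range(p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue               # singular curve
            pts = curve_points(a, b, p)
            n = len(pts) + 1           # +1 for the point at infinity
            if n % 2 == 0 and is_prime(n // 2):
                return a, b, pts, n // 2
    raise ValueError("no cofactor-2 curve found")


def point_order(Q, a, p, n):
    """Order of Q, given the group order n (only divisors of n need checking)."""
    for d in range(1, n + 1):
        if n % d == 0 and ec_mul(d, Q, a, p) is INF:
            return d


def demo(p=59):
    a, b, pts, r = find_cofactor2_curve(p)
    n = 2 * r
    # A point of full order 2r exists because the group is cyclic (gcd(2, r) = 1).
    Q = next(P for P in pts if point_order(P, a, p, n) == n)
    G = ec_mul(2, Q, a, p)             # the "generator divisible by 2"
    two_torsion = next(P for P in pts if P[1] == 0)   # the unique order-2 point
    return {
        "r": r,
        "order_Q": point_order(Q, a, p, n),   # 2r: Q itself is a bad generator
        "order_G": point_order(G, a, p, n),   # r: G generates the prime-order subgroup
        # Multiples of G stay in the order-r subgroup, so [k]G never hits the 2-torsion point.
        "torsion_reachable": any(ec_mul(k, G, a, p) == two_torsion for k in range(1, n)),
    }


if __name__ == "__main__":
    print(demo())
```

The remaining part of the design the comment describes, a point representation that only admits multiples of G, is what stops a peer from handing you Q or the 2-torsion point in the first place; this toy only shows why the subgroup generated by [2]Q is the safe one.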



