curves.txt

Here we briefly describe the supported curves

1. ED25519 - This is the Bernstein et al Edwards curve https://ed25519.cr.yp.to/ed25519-20110926.pdf
2. C25519 - The original Bernstein Montgomery curve https://cr.yp.to/ecdh/curve25519-20060209.pdf
3. NIST256 - The NIST standard 256-bit curve secp256r1 http://www.secg.org/SEC2-Ver-1.0.pdf
4. BRAINPOOL - The 256-bit Brainpool twisted curve P256r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf
5. ANNSI - French standard 256-bit curve https://safecurves.cr.yp.to/
6. HIFIVE - Our own suggested curve https://eprint.iacr.org/2015/991
7. GOLDILOCKS - New standard 448-bit Edwards curve https://eprint.iacr.org/2015/625
8. NIST384 - The NIST standard 384-bit curve secp384r1 http://www.secg.org/SEC2-Ver-1.0.pdf
9. C41417 - An efficient high-security 414-bit curve https://eprint.iacr.org/2014/526
10. NIST521 - The NIST standard 521-bit curve secp521r1 http://www.secg.org/SEC2-Ver-1.0.pdf
11-16. The Microsoft NUMS suggested standard curves - https://www.microsoft.com/en-us/research/publication/selecting-elliptic-curves-for-cryptography-an-efficiency-and-security-analysis/
17. SEC256K1 - The other NIST standard Bitcoin curve
18. SM2 - Chinese standard curve - https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
19. C13318 - Barreto's Weierstrass curve with C25519 modulus - see https://eprint.iacr.org/2019/1166
20. JUBJUB - The Zcash elliptic curve - https://z.cash/technology/jubjub/
21. X448 - Montgomery version of GOLDILOCKS - https://tools.ietf.org/html/rfc7748
22. SECP160R1 - A NIST standard 160-bit curve http://www.secg.org/SEC2-Ver-1.0.pdf - for those that like to live dangerously!
23. C1174 - A 251 bit Edwards curve suggested by Bernstein et al here - https://eprint.iacr.org/2013/325.pdf
24. C1665 - A fast 166-bit Edwards curve for ~80-bit security
25. Million Dollar Curve - A super-secure 256 bit Edwards curve, suggested here - https://eprint.iacr.org/2015/1249
26. Tweedledum - An amicable pair of elliptic curves - see https://github.com/daira/tweedle
27. Tweedledee - An amicable pair of elliptic curves - see https://github.com/daira/tweedle

Pairing-friendly curves

Note that efforts to standardise these curves seem to have stalled, probably due to new insights
into their true security. There seems to be a move from BN curves to BLS curves for 128-bit
security and above.

28. BN254 - The Nogami BN curve - https://eprint.iacr.org/2005/133
29. BN254CX - The CertiVox standard BN curve
30. BLS12383 - Our own suggested new standard curve, a 383-bit GT-Strong BLS12 curve - https://eprint.iacr.org/2002/088
31. BLS12381 - The zk-SNARK BLS12 standard curve - https://blog.z.cash/new-snark-curve/
32. FP256BN - An ISO standard 256-bit BN curve, as recomended for use by FIDO - https://tools.ietf.org/pdf/draft-kasamatsu-bncurves-02.pdf
33. FP512BN - An ISO standard 512-bit BN curve, as recomended for use by FIDO - https://tools.ietf.org/pdf/draft-kasamatsu-bncurves-02.pdf
34. BLS12461 - A 461 bit BLS12 curve suggested by Barbulescu and Duquesne https://eprint.iacr.org/2017/334
35. BN462 - A 462 bit BN curve suggested by Sakemi, Kobayashi and Saito https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves/
36. BLS24479 - An experimental (approx AES-192 bit security) BLS24 GT-Strong curve
37. BLS48556 - An experimental (approx AES-256 bit security) BLS48 GT-Strong curve
38. BLS48581 - A 581 bit BLS48 curve suggested by Sakemi, Kobayashi and Saito https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves/
39. BLS48286 - A 286 bit BLS48 curve (approx AES-128 bit security) inspired by https://eprint.iacr.org/2020/760 which optimises operations in G1

Note that it is quite easy to add new curves, and some programs are supplied to assist in the process.
Let us know if you have a particular request - mike.scott@miracl.com