bwbush
commented
4 days ago From OpenAI . . .
Several elliptic curves have become widely adopted as cryptographic standards due to their security, efficiency, and well-vetted properties. These curves are used in a variety of cryptographic protocols, including encryption, digital signatures, key exchange, and more.
1. Secp256k1
- Standard: Used in Bitcoin and other cryptocurrencies.
- Equation: ( y^2 = x^3 + 7 ) over the prime field ( \mathbb{F}_p ), where ( p = 2^{256} - 2^{32} - 977 ).
- Field Size: 256-bit prime field.
- Group Order: ( n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 ).
- Uses: Primarily used in Bitcoin for ECDSA (Elliptic Curve Digital Signature Algorithm) and Elliptic Curve Diffie-Hellman (ECDH).
- Special Property: Lacks a "twist security" feature, but it is still widely used because of its high adoption in blockchain-based applications, especially in Bitcoin.
2. P-256 (also known as secp256r1)
- Standard: Specified by the NIST (National Institute of Standards and Technology) and included in the FIPS 186-4 and ANSI X9.62 standards.
- Equation: ( y^2 = x^3 - 3x + b ) over the prime field ( \mathbb{F}_p ), where ( p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 ).
- Field Size: 256-bit prime field.
- Group Order: ( n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 ).
- Uses: Common in various security protocols like TLS (Transport Layer Security), HTTPS, and digital signatures. It is often used in commercial products for secure communications.
- Special Property: Designed with comprehensive security evaluations by NIST.
3. P-384 (also known as secp384r1)
- Standard: NIST curve from the FIPS 186-4 standard.
- Equation: ( y^2 = x^3 - 3x + b ) over the prime field ( \mathbb{F}_p ), where ( p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 ).
- Field Size: 384-bit prime field.
- Group Order: ( n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973 ).
- Uses: Used in security protocols requiring a higher security margin than P-256, such as government applications, financial institutions, and TLS in high-security environments.
- Special Property: Provides a higher security level (192-bit security) than P-256, and is commonly used when more security is needed.
4. P-521 (also known as secp521r1)
- Standard: NIST curve from the FIPS 186-4 standard.
- Equation: ( y^2 = x^3 - 3x + b ) over the prime field ( \mathbb{F}_p ), where ( p = 2^{521} - 1 ).
- Field Size: 521-bit prime field.
- Group Order: ( n = 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF ).
- Uses: Similar to P-384 but for applications requiring even more security, such as in military, diplomatic communications, or high-assurance applications.
- Special Property: Highest level of security among the NIST curves, providing 256-bit security.
5. Curve25519
- Standard: Proposed by Daniel J. Bernstein; widely used and standardized in RFC 7748 for key exchange.
- Equation: ( y^2 = x^3 + 486662x^2 + x ) over the prime field ( \mathbb{F}_p ), where ( p = 2^{255} - 19 ).
- Field Size: 255-bit prime field.
- Uses: Primarily used for Elliptic Curve Diffie-Hellman (ECDH), especially in modern cryptographic protocols such as TLS 1.3, Signal, WireGuard VPN, and other secure communication protocols.
- Special Property: Highly efficient and secure, designed to avoid side-channel attacks. Known for its ease of implementation and its robustness against many forms of cryptographic attacks.
6. Ed25519
- Standard: An EdDSA (Edwards-curve Digital Signature Algorithm) scheme based on Curve25519, standardized in RFC 8032.
- Equation: Uses the twisted Edwards curve ( -x^2 + y^2 = 1 + dx^2y^2 ), where ( d = -121665/121666 ) over the prime field ( \mathbb{F}_p ) with ( p = 2^{255} - 19 ).
- Field Size: 255-bit prime field.
- Uses: Commonly used for digital signatures in modern cryptographic applications like SSH, TLS, and blockchain-based systems.
- Special Property: Provides fast, secure, and deterministic signatures with strong security properties, including resistance to side-channel attacks.
7. BLS12-381
- Standard: Part of the Barreto-Lynn-Scott (BLS) family of pairing-friendly curves, used for pairing-based cryptography.
- Equation: A pairing-friendly curve that enables efficient bilinear pairings.
- Field Size: 381-bit prime field.
- Uses: Widely used in advanced cryptographic protocols, especially in zero-knowledge proofs, zk-SNARKs, aggregate signatures, and cryptographic proofs in blockchain systems (e.g., Ethereum 2.0).
- Special Property: Supports efficient bilinear pairings, making it ideal for applications that rely on complex cryptographic proofs and efficient multi-party computations.
8. Brainpool Curves (e.g., BrainpoolP256r1, BrainpoolP384r1)
- Standard: Defined in RFC 5639 by the Brainpool consortium.
- Equation: Uses curves of the form ( y^2 = x^3 + ax + b ) with different prime field sizes (e.g., 256-bit, 384-bit).
- Uses: Employed in cryptographic protocols, especially in European security environments. Considered an alternative to NIST curves.
- Special Property: These curves were generated using publicly verifiable parameters to avoid concerns about potential hidden vulnerabilities in curves like the NIST curves.
Summary Table:
| Curve Name | Field Size | Group Order (Security Level) | Key Uses |
|---|---|---|---|
| Secp256k1 | 256-bit | ( \approx 2^{256} ) (128-bit security) | Cryptocurrencies, Blockchain (e.g., Bitcoin) |
| P-256 | 256-bit | ( \approx 2^{256} ) (128-bit security) | TLS, HTTPS, general cryptography |
| P-384 | 384-bit | ( \approx 2^{384} ) (192-bit security) | TLS, government, financial systems |
| P-521 | 521-bit | ( \approx 2^{521} ) (256-bit security) | High-security applications, military |
| Curve25519 | 255-bit | ( \approx 2^{255} ) (128-bit security) | ECDH, TLS 1.3, Signal, WireGuard |
| Ed25519 | 255-bit | ( \approx 2^{255} ) (128-bit security) | Digital signatures (SSH, TLS, blockchain) |
| BLS12-381 | 381-bit | ( \approx 2^{381} ) (128-bit security) | Pairing-based crypto, zk-SNARKs, Ethereum 2.0 |
| BrainpoolP256r1 | 256-bit | ( \approx 2^{256} ) (128-bit security) | Alternative to NIST curves, European applications |
Conclusion:
The most prominently used elliptic curves include those standardized by NIST (P-256, P-384, P-521), Curve25519 and its signature variant Ed25519, and secp256k1 (especially in cryptocurrencies). For pairing-based cryptography, BLS12-381 is widely used in advanced cryptographic protocols. Each curve is designed for different cryptographic needs and security levels, depending on the use case and efficiency requirements.
See https://github.com/paulmillr/noble-curves/blob/main/src/secp256k1.ts, for example.