Is There Just One or Two Elliptic Curves Used in Cryptography?
Well, the answer to this is yes and no. Basically, there are two main curves used in most applications: NIST P256 and secp256k1 (as used in Bitcoin). Although Curve 25519 is now advancing fast, too. But there are so many more curves to pick from, and are defined as part of Brainpool, ANSI/ANSI1 X9.62, NIST/FIPS and SEC2 (Standards for Efficient Cryptography Group):
- Certicom Research, SEC2. “Recommended Elliptic Curve Domain Parameters”, Standards for Efficient Cryptography (SEC) 2,
September 2000 [here]. - National Institute of Standards and Technology. “Digital Signature Standard (DSS)”, FIPS PUB 186–2, December 1998 [here].
- American National Standards Institute. “Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)”, ANSI X9.62, 2005 [here].
The Bitcoin and Ethereum curve is secp256k1 [here]:
Type: secp256k1
G=79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
N (order)=115792089237316195423570985008687907852837564279074904382605163141518161494337
H=1
A=0
B=7
Field size=256
DER=3081E0020101302C06072A8648CE3D0101022100FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F3044042000000000000000000000000000000000000000000000000000000000000000000420000000000000000000000000000000000000000000000000000000000000000704410479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8022100FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141020101
And where G is the base point on the curve, N is the order (and defines the actual number of points on the curve), a is 0 and b is 7, and so we have the equation of y² = x³ + 7 (mod p).
Also, secp256r1 is the same as NIST-256 [here]:
Type: P-256
G=6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, 4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N (order)=115792089210356248762697446949407573529996955224135760342422259061068512044369
H=1
A=ffffffff00000001000000000000000000000000fffffffffffffffffffffffc
B=5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Field size=256
DER=3081F7020101302C06072A8648CE3D0101022100FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF305B0420FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC04205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B031500C49D360886E704936A6678E1139D26B7819F7E900441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5022100FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551020101
Basically, the security is around half the size of the field, and where a 256-bit field size has equivalent security to 128-bit security. If we have a 256-bit field, then the scalar value will also have 256 bits, and the public key will have 512 bits (as we have an x and y coordinate value).
DER is a binary format which defines the curve. If we convert, we get [here]:
[U] SEQUENCE (30)
[U] INTEGER (02): 1
[U] SEQUENCE (30)
[U] OBJECT (06): 1.2.840.10045.1.1
[U] INTEGER (02): 115792089237316195423570985008687907853269984665640564039457584007908834671663
[U] SEQUENCE (30)
[U] OCTET STRING: 0xb'0000000000000000000000000000000000000000000000000000000000000000'
Private key: 0000000000000000000000000000000000000000000000000000000000000000
[U] OCTET STRING: 0xb'0000000000000000000000000000000000000000000000000000000000000007'
Private key: 0000000000000000000000000000000000000000000000000000000000000007
[U] OCTET STRING: 0xb'0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8'
Private key: 0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
[U] INTEGER (02): 115792089237316195423570985008687907852837564279074904382605163141518161494337
[U] INTEGER (02): 1The ECC Brainpool curves overcome of the weaknesses in the creation of the standard curves and have been generated in a verifiably pseudo-random way.
Here are the curves:
https://asecuritysite.com/csharp/bc_ec01
and a basic overview: