ECC Curve Reference

What this reference is for

Elliptic-curve cryptography packs the security of much larger RSA keys into far smaller numbers, which is why it dominates modern TLS, code signing, hardware wallets, and FIDO authenticators. The catch is that "ECC" is not one thing: dozens of named curves exist, each defined by a different standards body, with overlapping aliases and very different ecosystem support. This page collects the curves an engineer actually encounters and answers the two questions that matter in practice — what is this curve good for, and can I use it where I am standing right now (the browser).

The table groups curves into three families. The NIST prime curves (P-192, P-224, P-256, P-384, P-521) are the Weierstrass curves baked into FIPS 186 and almost every TLS stack. The special and regional curves include secp256k1 — the Koblitz curve behind Bitcoin and Ethereum signatures — and the German Brainpool curves preferred by some European and government systems. The modern curves are the Edwards and Montgomery curves derived from Curve25519 and Curve448: Ed25519/Ed448 for signatures and X25519/X448 for key agreement.

When to use it

Reach for this tool when a config file, certificate, or library names a curve you do not recognise and you need to know its strength and whether it interoperates. It is handy when picking a curve for a new key, when debugging a "curve not supported" error from a browser or library, and when explaining to a colleague why prime256v1 in their OpenSSL output is the same thing as the P-256 their browser advertises. The demo key generator is useful for inspecting the exact shape of a public key — the JWK fields and the raw uncompressed point — without spinning up a command line.

Inputs and outputs

The reference table needs no input; type in the filter box to narrow it by name, alias, or use case, or use the buttons to show every curve or only the ones your browser's Web Crypto can actually run. The Web Crypto column is computed live: P-256, P-384, and P-521 are mandated by the specification, while Ed25519 and X25519 are probed and shown as supported only when your browser exposes them. secp256k1, Brainpool, and the 448-bit curves are marked reference-only because no browser exposes them through Web Crypto.

For a supported curve, Generate calls crypto.subtle.generateKey and exports the public key two ways: as a JSON Web Key (JWK) showing the curve name and the affine coordinates, and — for the P-curves — as the raw uncompressed point in hex (the 04 || X || Y form you see in certificates and COSE keys). The private key is created but never displayed or stored. For an unsupported curve the panel honestly reports that the browser cannot generate it rather than printing fabricated values.

Common mistakes

• Assuming every curve works in the browser. secp256k1 is everywhere in crypto-currency tooling but is not in Web Crypto — you need a JavaScript library or WASM for it on the web.
• Mixing up the aliases. secp256r1, P-256, and prime256v1 are identical; the r1/k1 suffix matters because secp256k1 is a completely different curve.
• Treating signing and key-agreement curves as interchangeable. Ed25519 signs; X25519 does Diffie-Hellman. Using one where the other is expected fails.
• Reaching for P-192 or P-224. They are below the 128-bit comfort line and deprecated for new use — prefer P-256 or a modern curve.
• Reading raw key bytes as Base32 or text. A raw EC point is binary; inspect it as hex, then decode structure with an ASN.1 or COSE tool.

Related tools