In August 2020 at the virtual CRYPTO conference, during Friday session Cryptanalysis 2, there was a live discussion on the security of pairing-friendly curves, and which ones are the best at the 128-bit security level (asked by F. Vercauteren). This page is an answer summary.
This question is also discussed in an IETF draft mentioned by Hoeteck Wee on the IACR chat.
First online: September 10, 2020,
Last updated: February 22, 2021.

February 22, 2021: The paper On the alpha value of polynomials in the Tower Number Field Sieve algorithm, Aurore Guillevic and Shashank Singh, is published in the journal Mathematical Cryptology, vol 1 no 1 (eprint 2019/885).
The paper Curves with Fast Computations in the First Pairing Group, Rémi Clarisse, Sylvain Duquesne, and Olivier Sanders, appeared in the proceedings of CANS 2020, LNCS 12579, pages 280–298, DOI 10.1007/978-3-030-65411-5_14 (eprint 2020/760).
November 24, 2020: Added a reference to the paper Implementing Cryptographic Pairings at Standard Security Levels by Enge and Milan, DOI 10.1007/978-3-319-12060-7_3, arxiv 1407.5953, HAL hal-01034213, for implementing pairings with embedding degrees 9 to 27 including prime embedding degrees, and a Miller loop without twists compatible with 2-NAF form.
Pairing-friendly curves at the 128-bit security level
Broadly speaking, there are two sets of key sizes at the 128-bit security level: non-conservative choices and conservative choices. They depend on the choices made when estimating the cost of computing a discrete logarithm in F_{p^k} with the new variants of the Number Field Sieve (NFS) algorithm.
For efficient non-conservative pairings, choose BLS12-381 (or any other BLS12 curve or Fotiadis–Martindale curve of roughly 384 bits); for conservative but still efficient pairings, choose a BLS12 or a Fotiadis–Martindale curve of 440 to 448 bits.
The difference in security between BLS12-446 and BLS12-461 is not worth paying an extra machine word, and is close to the error margin of the security estimate.
Curve  k  D  u  ref  p (bits)  r (bits)  p^{k/d} (G_{2}, bits)  p^{k} (bits) 

Curve for fastest pairing  
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  (2^{73}+2^{72}+2^{50}+2^{24})  eprint 2017/334  440  295  p^{2}, 880  5280 
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  (2^{12}2^{48}2^{71}+2^{74})  eprint 2017/334  442  296  p^{2}, 884  5296 
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  (2^{74}+2^{73}+2^{63}+2^{57}+2^{50}+2^{17}+1)  eprint 2019/885  446  299  p^{2}, 892  5352 
Fotiadis–Martindale FM17, Aurifeuillean r(x)  12  3  2^{72}2^{71}2^{36}  eprint 2019/555  447  296  p^{2}, 894  5356 
Kachisa–Schaefer–Scott KSS16  16  1  2^{34}+2^{27}2^{23}+2^{20}2^{11}+1  eprint 2017/334  330  257  p^{4}, 1320  5280 
Kachisa–Schaefer–Scott KSS16  16  1  2^{34}2^{30}+2^{26}+2^{23}+2^{14}2^{5}+1  eprint 2019/1371  330  256  p^{4}, 1320  5268 
Kachisa–Schaefer–Scott KSS16  16  1  2^{35}2^{32}2^{18}+2^{8}+1  eprint 2017/334  339  263  p^{4}, 1356  5411 
Curve with small embedding degree k  
Cocks–Pinch modified  6  3  2^{128}2^{124}2^{69}, h_{t}=xx, h_{y}=0xXX  eprint 2019/431  672  256  p, 672  4028
Cocks–Pinch modified  8  1  2^{64}2^{54}+2^{37}+2^{32}4, h_{t}=1, h_{y}=0xdc04  eprint 2019/431  544  256  p^{2}, 1088  4349
Curve with smallest G_{1}  
Freeman–Scott–Teske 6.6 BW13-P310, cyclotomic r(x)  13  3  0x8b0  eprint 2020/760  310  267  p^{13}, 4030  4027
Freeman–Scott–Teske 6.6 BW19-P286, cyclotomic r(x)  19  3  0x91  eprint 2020/760  286  259  p^{19}, 5434  5427
Barreto–Lynn–Scott BLS24, cyclotomic r(x)  24  3  2^{32}+2^{28}2^{23}+2^{21}+2^{18}+2^{12}1  eprint 2019/885  318  256  p^{4}, 1272  7621 
Barreto–Lynn–Scott BLS24, cyclotomic r(x)  24  3  2^{32}+2^{28}+2^{12}  eprint 2019/485  318  256  p^{4}, 1272  7632 
Barreto–Lynn–Scott BLS48, cyclotomic r(x)  48  3  0xf5ef  MIRACL  286  256  p^{8}, 2288  13698
Scott–Guillevic KSS54, Aurifeuillean r(x)  54  3  0x2886  Mike Scott, personal communication  283  255  p^{9}, 2547  15264
Other popular curve  
Barreto–Naehrig BN, Aurifeuillean r(x)  12  3  2^{110}+2^{36}+1  eprint 2010/429  446  446  p^{2}, 892  5343 
Some of the parameters can be found in the Python file testvector_sparseseed.py
More info
BLS12-381
Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography by Menezes, Sarkar and Singh, published at the Mycrypt 2016 conference, LNCS 10311, pp. 83–108 (DOI 10.1007/978-3-319-61273-7_5, eprint 2016/1102), is the first paper to analyze thoroughly the consequences of TNFS, STNFS and their variants for target groups of pairing-friendly curves. The conclusion recommends BLS12 or BN curves over 384-bit prime fields instead of BN curves over 256-bit fields. Based on this work, the curve BLS12-381 was chosen by ZCash. This curve is now widely deployed.
BLS12-461, BN-462
In 2017 (published in 2019), Barbulescu and Duquesne wrote Updating key size estimations for pairings, Journal of Cryptology, vol. 32, pp. 1298–1336, DOI 10.1007/s00145-018-9280-5, eprint 2017/334. They advised the following curves:
 a BLS12 curve over a 461-bit field;
 a BN curve over a 462-bit field;
 a KSS16 curve over a 330-bit field and another over a 339-bit field;
 a KSS18 curve over a 348-bit field.
Their contribution is a refined model of cost compared to the previous work of Menezes, Sarkar and Singh.
BLS12-446, Fotiadis–Martindale, Cocks–Pinch, Brezing–Weng
I wrote the paper A short list of pairing-friendly curves at the 128-bit security level, presented at PKC 2020 (eprint 2019/1371). A SageMath version (for easy copy-paste) is available on gitlab, in the project tnfs-alpha/alpha: under sage, the file example_curves_short_list.sage contains this short list.
For each embedding degree from 9 to 17, the best option is selected. The final result is Table 6 page 20 reproduced below.
Curve  k  D  u  ref  p (bits)  r (bits)  p^{k/d} (G_{2}, bits)  p^{k} (bits) 

Cocks–Pinch modified  6  3  2^{128}2^{124}2^{69}, h_{t}=xx, h_{y}=0xXX  eprint 2019/431  672  256  p, 672  4028
Cocks–Pinch modified  8  1  2^{64}2^{54}+2^{37}+2^{32}4, h_{t}=1, h_{y}=0xdc04  eprint 2019/431  544  256  p^{2}, 1088  4349
Brezing–Weng, cyclotomic r(x) (FM15)  10  15  2^{32}2^{26}2^{17}+2^{10}1  eprint 2019/1371  446  256  p^{5}, 2230  4458 
Brezing–Weng, cyclotomic r(x)  11  3  0x1d2a  eprint 2019/1371  333  258  p^{11}, 3663  3663
Brezing–Weng, cyclotomic r(x)  11  11  2^{26}+2^{21}+2^{19}2^{11}2^{9}1  eprint 2019/1371  412  256  p^{11}, 4532  4528 
Barreto–Naehrig BN, Aurifeuillean r(x)  12  3  2^{110}+2^{36}+1  eprint 2010/429  446  446  p^{2}, 892  5343 
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  (2^{74}+2^{73}+2^{63}+2^{57}+2^{50}+2^{17}+1)  eprint 2019/885  446  299  p^{2}, 892  5352 
Fotiadis–Martindale FM17, Aurifeuillean r(x)  12  3  2^{72}2^{71}2^{36}  eprint 2019/555  447  296  p^{2}, 894  5356 
Freeman–Scott–Teske 6.6 BW13-P310, cyclotomic r(x)  13  3  0x8b0  eprint 2020/760  310  267  p^{13}, 4030  4027
Freeman–Scott–Teske 6.6, cyclotomic r(x)  14  3  0x2803c0  eprint 2019/1371  340  256  p^{7}, 2380  4755
Kachisa–Schaefer–Scott KSS16  16  1  2^{34}+2^{27}2^{23}+2^{20}2^{11}+1  eprint 2017/334  330  257  p^{4}, 1320  5280 
Kachisa–Schaefer–Scott KSS16  16  1  2^{34}2^{30}+2^{26}+2^{23}+2^{14}2^{5}+1  eprint 2019/1371  330  256  p^{4}, 1320  5268 
Implementing pairings on curves of embedding degrees 9 to 27 (in particular, prime degrees)
 Enge, A., Milan, J.: Implementing cryptographic pairings at standard security levels. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) Security, Privacy, and Applied Cryptography Engineering, 4th International Conference, SPACE 2014, Pune, India, October 18-22, 2014. Proceedings. LNCS, vol. 8804, pp. 28–46. Springer (2014). DOI 10.1007/978-3-319-12060-7_3, arxiv 1407.5953, HAL hal-01034213.
This paper implements and compares pairings with embedding degrees between 9 and 27. In particular, it presents a Miller loop compatible with 2-NAF form and a prime embedding degree (such as 11, 17, 19). The paper made its parameter choices in 2014, before the TNFS algorithm was published; the sizes would need to be increased. It compares the pairing efficiency on curves of embedding degrees 9 to 27, and in particular offers a valuable comparison between prime and composite embedding degrees.
Cocks–Pinch modified
With Simon Masson and Emmanuel Thomé we investigated variants of Cocks–Pinch in this paper: Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation, Designs, Codes and Cryptography, vol. 88, pp. 1047–1081, DOI 10.1007/s10623-020-00727-w, eprint 2019/431.
Fotiadis–Martindale
There is also a family of curves introduced by Fotiadis and Martindale: eprint 2019/555. These curves have properties similar to BLS12 curves and have the same security. See also TNFS Resistant Families of Pairing-Friendly Elliptic Curves, Georgios Fotiadis and Elisavet Konstantinou, Journal of Theoretical Computer Science, vol. 800, pp. 73–89, 2019, DOI 10.1016/j.tcs.2019.10.017, eprint 2018/1017.
Clarisse–Duquesne–Sanders
Rémi Clarisse et al. investigated the smallest possible G_{1} in Curves with Fast Computations in the First Pairing Group, Rémi Clarisse, Sylvain Duquesne, and Olivier Sanders, CANS 2020, LNCS 12579, pages 280–298, DOI 10.1007/978-3-030-65411-5_14, eprint 2020/760.
They obtained the curve BW19-P286, a Brezing–Weng curve of embedding degree 19 defined over a 286-bit prime field. This is the record in terms of smallest possible G_{1} and is well-suited for 32-bit architectures.
BLS24-318
On a GitHub discussion page here, BLS24 curves are discussed, because they provide very small G_{1} (in other words, a very small p provides a fast arithmetic in G_{1}).
In this paper with Singh we estimated the security of another BLS24-318 curve to be 162 bits in F_{p^k}. The security on the curve is 128 bits with r of 256 bits. See On the alpha value of polynomials in the tower number field sieve algorithm, Aurore Guillevic and Shashank Singh, Mathematical Cryptology, vol 1 no 1, eprint 2019/885.
In testvector_sparseseed.py there are other seeds so that r has 250 to 257 bits, and r-1 and p-1 have a high 2-valuation, of 18 to 20.
BLS48-286, KSS54-283
Mike Scott investigated the shortest G_{1} with high embedding degree k and a degree 6 twist. The curve BLS48-286 is implemented in MIRACL. He also suggested comparing the performance to a KSS54 curve with p of 283 bits and r of 255 bits obtained with u=0x2886.
BLS12-381, BLS12-461, or BLS12-446?
In the Barbulescu–Duquesne paper Updating key size estimations for pairings, Journal of Cryptology, vol. 32, pp. 1298–1336, DOI 10.1007/s00145-018-9280-5, eprint 2017/334, there is a remark (Remark 2, page 18) saying that a BLS12-442 only has 127 bits of security. I guess it is because of this remark that cryptographers are not promoting BLS12 with 7 machine words (448 bits) but prefer 461 bits, as in the IETF draft mentioned by Hoeteck Wee on the IACR chat.
The Barbulescu–Duquesne remark is below:
Remark 2.
Zhaohui Cheng communicated to us two choices of BLS12 curves which have 127 bits of security:
 equation y^{2}=x^{3}+9 and parameter u=(2^{73}+2^{72}+2^{50}+2^{24});
 equation y^{2}=x^{3}+7 and parameter u=(2^{12}2^{48}2^{71}+2^{74}).
The field p^{k} is 5280 bits long instead of the 5530 bits required by the general estimations in Table 7. Hence, our approach of first finding general recommendations for each family (assuming the attacker can apply all improvements), then checking specific values of u, only loses 5% in length.
For efficient modular arithmetic, finite field elements (integers modulo p, also denoted Z/pZ) are represented in Montgomery form, and all the bits of the machine words are filled. It means elements of F_{p} where p is 385 to 448 bits long are stored in the full 448 bits, and elements of F_{p} where p is 449 to 512 bits long are stored in 512 bits. From 7 machine words (BLS12-446) to 8 machine words (BLS12-461), the length in Montgomery form is increased by 14% (8/7 ≈ 1.14), not 5%. Because the timings of modular multiplications are quadratic in the machine-word size of the modular integers, the slowdown in time could be up to 30%. Eprint 2019/431 reports a slowdown of 25% for modular multiplication from 7 machine words to 8 machine words when benchmarking RELIC.
With the improved estimation implemented with Shashank Singh, we obtained that such BLS12 curves of 440 to 448 bits have roughly a security of 132 bits; these results are given in Section 7.2, in Table 7, and Appendix C of the paper On the alpha value of polynomials in the tower number field sieve algorithm (eprint 2019/885). The security of BLS12-461 is estimated to be between 134 and 135 bits.
In short, the difference in security between BLS12-446 and BLS12-461 is not worth paying an extra machine word, and is close to the error margin of the security estimate.
About eprint 2019/485
The preprint 2019/485 by Barbulescu, El Mrabet and Ghammam was posted on eprint on May 13, 2019. It lists curves mostly from the Freeman, Scott and Teske paper A taxonomy of pairing-friendly elliptic curves, Journal of Cryptology vol. 23, pp. 224–280, 2010, DOI 10.1007/s00145-009-9048-z, eprint 2006/372. I contacted the authors of eprint 2019/485 on August 20, 2019 because our respective results did not match on many curves. The preprint was updated on September 13, 2020. Comments are on a separate page.
On July 3-6, 2020 at ITC-CSCC 2020, Nagoya (Online Conference), these curves were implemented and compared. It turned out that they are slower (than BLS12 for example), because fewer optimisations are available (in particular, a quadratic twist only for k=10 and k=14, a cubic twist for k=15, instead of a sextic twist for BN, BLS12, Fotiadis–Martindale k=12 curves results in a slower pairing).
Curve  k  D  u  ref  p (bits)  r (bits)  p^{k} (bits) 

Brezing–Weng, cyclotomic r(x)  10  2  2^{36}+2^{30}+2^{12}+2^{6}+1  1  503  289  5024 
Brezing–Weng, cyclotomic r(x)  14  2  2^{21}+2^{13}+2^{11}+2^{10}+2^{9}+1  2  377  253  5267 
BLS15 Barreto–Lynn–Scott, cyclotomic r(x)  15  3  -2^{32}-2^{22}+2^{17}+2^{6}, -2^{32}-2^{20}-2^{14}-2^{3}  3, 4  383  257  5737 
 a k=10, D=1 Brezing–Weng curve in R. Matsumura, Y. Takahashi, Y. Nanjo, T. Kusaka and Y. Nogami, Implementation and Evaluation of Ate Pairings on Elliptic Curves with Embedding Degree 10 Applied Type-II All-One Polynomial Extension Field of Degree 5, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 336–341, online paper 1. The parameters are p(x) = (x^{14} – 2 x^{12} + x^{10} + x^{4} + 2 x^{2} + 1)/4, r(x) = x^{8} – x^{6} + x^{4} – x^{2} + 1, t(x) = x^{2} + 1, c(x) = (x^{4} – 1)(x^{2} – 1)/4, y(x) = (x-1)(x+1)x^{5}, and seed u=2^{36} + 2^{30} + 2^{12} + 2^{6} + 1 gives a 503-bit prime p and a 289-bit prime r.
 a k=14, D=1 Brezing–Weng curve in An Implementation and Evaluation of a Pairing on Elliptic Curves with Embedding Degree 14, Song, Matsumura, Takahashi, Nanjo, Kusaka, Nogami, Matsumoto, ITC-CSCC 2020, Nagoya, Japan, July 3-6, 2020, pp. 293–298, online paper 2. The parameters are p(x)=(x^{18} – 2 x^{16} + x^{14} + x^{4} + 2 x^{2} + 1)/4, r(x)=x^{12} – x^{10} + x^{8} – x^{6} + x^{4} – x^{2} + 1, t(x)=x^{2} + 1, curve cofactor is c(x)=(x^{4} – 1)(x^{2} – 1)/4, y(x)=(x – 1)(x + 1)x^{7}, and seed u=2^{21} + 2^{13} + 2^{11} + 2^{10} + 2^{9} + 1 gives a 377-bit prime p and a 253-bit prime r.
 a k=15, D=3 BLS curve in Y. Nanjo, M. Shirase, T. Kusaka and Y. Nogami, An Explicit Formula of Cyclotomic Cubing Available for Pairings on Elliptic Curves with Embedding Degrees of Multiple of Three, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 288–292, online paper 3. Y. Nanjo, M. Shirase, T. Kusaka and Y. Nogami, A Technique for Fast Miller’s Algorithm of Ate Pairings on Elliptic Curves with Embedding Degrees of Multiple of Three, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 283–287, online paper 4. The parameters are p(x) = (x – 1)^{2}/3(x^{2} + x + 1)r(x) + x, r(x) = x^{8} – x^{7} + x^{5} – x^{4} + x^{3} – x + 1, t(x) = x + 1, c(x) = (x – 1)(x^{3} – 1)/3, y(x) = (x – 1)(2 x^{5} + 1)/3, and seeds u= – 2^{32} – 2^{22} + 2^{17} + 2^{6} and u= – 2^{32} – 2^{20} – 2^{14} – 2^{3} give a 383-bit prime p and a 257-bit prime r.
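The three families listed above can be checked with plain Python integers. This is an added example, not code from the cited papers or from the tnfs project; the function and key names are illustrative. It verifies the curve-order factorisation, the CM equation and the embedding degree for the listed seeds, and reports bit lengths; it does not test primality.

```python
# Added example: consistency checks on the three parameter families above.
# Function and key names are illustrative, not taken from the cited papers.

def exact_div(n, d):
    """Exact division; a remainder means the seed is not admissible."""
    q, rem = divmod(n, d)
    if rem:
        raise ValueError("seed does not give integer parameters")
    return q

def bw_d1(k, x):
    """Brezing-Weng families quoted above for k = 10 and k = 14 (D = 1)."""
    return dict(
        k=k, D=1,
        p=exact_div(x**(k + 4) - 2*x**(k + 2) + x**k + x**4 + 2*x**2 + 1, 4),
        r=sum((-1)**i * x**(2*i) for i in range(k // 2)),   # Phi_{2k}(x)
        t=x**2 + 1,
        c=exact_div((x**4 - 1) * (x**2 - 1), 4),
        y=(x - 1) * (x + 1) * x**(k // 2))

def bls15(x):
    """BLS15 family quoted above (D = 3)."""
    r = x**8 - x**7 + x**5 - x**4 + x**3 - x + 1            # Phi_15(x)
    return dict(
        k=15, D=3, r=r, t=x + 1,
        p=exact_div((x - 1)**2 * (x**2 + x + 1) * r, 3) + x,
        c=exact_div((x - 1) * (x**3 - 1), 3),
        y=exact_div((x - 1) * (2*x**5 + 1), 3))

def prime_factors(n):
    return [q for q in range(2, n + 1)
            if n % q == 0 and all(q % d for d in range(2, q))]

def check(curve):
    p, r, t, k = curve["p"], curve["r"], curve["t"], curve["k"]
    return dict(
        p_bits=p.bit_length(),
        r_bits=r.bit_length(),
        # curve order p + 1 - t factors as cofactor * r
        order_ok=(p + 1 - t == curve["c"] * r),
        # CM equation t^2 - 4p = -D*y^2
        cm_ok=(t*t - 4*p == -curve["D"] * curve["y"]**2),
        # embedding degree: p has multiplicative order exactly k modulo r
        k_ok=(pow(p, k, r) == 1 and
              all(pow(p, k // q, r) != 1 for q in prime_factors(k))))

def report():
    """Run the checks on the seeds given in the list above."""
    return {
        "BW10": check(bw_d1(10, 2**36 + 2**30 + 2**12 + 2**6 + 1)),
        "BW14": check(bw_d1(14, 2**21 + 2**13 + 2**11 + 2**10 + 2**9 + 1)),
        "BLS15-a": check(bls15(-2**32 - 2**22 + 2**17 + 2**6)),
        "BLS15-b": check(bls15(-2**32 - 2**20 - 2**14 - 2**3)),
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```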
Pairing-friendly curves for zkSNARKs
In the zero-knowledge community, there are other needs (cycles of MNT curves, chains of curves, parameters p-1 and r-1 with a high 2-valuation…). A cycle of curves (available only with MNT curves for now) is a pair of pairing-friendly elliptic curves E_{1}, E_{2} such that E_{1} is defined over a finite prime field F_{p} and has prime order r, and E_{2} is defined over the finite field F_{r} (where r is the order of E_{1}) and has order p.
BLS12 and BLS24 curves
Curve  k  D  u  ref  p (bits)  r (bits)  p^{k/d} (G_{2}, bits)  p^{k} (bits) 

Popular BLS12-381 curve  
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  -0xd201000000010000 = -2^{63}-2^{62}-2^{60}-2^{57}-2^{48}-2^{16}  ZCash  381  255  p^{2}, 762  4569
Curves with 2^{n} | p-1, 2^{m} | r-1  
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  0x8508c00000000001 = 2^{63}+2^{58}+2^{56}+2^{51}+2^{47}+2^{46}+1  Zexe, eprint 2018/962, Table 16  377  253  p^{2}, 754  4521
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  0x9b04000000000001 = 2^{63}+2^{61}-2^{58}-2^{56}+2^{50}+1  testvector_sparseseed.py  379  254  p^{2}, 758  4537
Barreto–Lynn–Scott BLS12, cyclotomic r(x)  12  3  0x105a8000000000001 = 2^{64}+2^{59}-2^{57}-2^{55}+2^{53}+2^{51}+1  testvector_sparseseed.py  383  257  p^{2}, 766  4592
Barreto–Lynn–Scott BLS24, cyclotomic r(x)  24  3  -0xbfcfffff = -2^{32}+2^{30}+2^{22}-2^{20}+1  testvector_sparseseed.py  315  253  p^{4}, 1260  7543
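The 2-valuations behind the table above can be recomputed from the seeds alone. This is an added example, not taken from testvector_sparseseed.py; the function names and the labels BLS12-379 and BLS12-383 (named after the bit length of p) are illustrative. The BLS12-381 seed is taken negative, which is the only sign satisfying u = 1 mod 3.

```python
# Added example: BLS12 parameters from a seed u, and the 2-adic valuations of
# p-1 and r-1, which bound the size of power-of-two FFT domains in F_p and F_r.
# Names are illustrative; the seeds are the BLS12 seeds of the table above.

def v2(n):
    """2-adic valuation: largest e such that 2**e divides n (n != 0)."""
    n = abs(n)
    return (n & -n).bit_length() - 1

def bls12(u):
    """Return (p, r) for the BLS12 family (D = 3)."""
    if u % 3 != 1:
        # (u-1)^2/3 must be an integer; this also fixes the sign of the seed
        raise ValueError("BLS12 seed must satisfy u = 1 mod 3")
    r = u**4 - u**2 + 1
    p = (u - 1)**2 // 3 * r + u
    return p, r

def profile(u):
    p, r = bls12(u)
    return dict(
        p_bits=p.bit_length(),
        r_bits=r.bit_length(),
        v2_p1=v2(p - 1),
        v2_r1=v2(r - 1),
        # r - 1 = u^2 (u-1)(u+1), so the seed alone predicts v2(r-1)
        v2_r1_from_seed=2*v2(u) + v2(u - 1) + v2(u + 1))

SEEDS = {
    "BLS12-381": -0xd201000000010000,   # ZCash
    "BLS12-377": 0x8508c00000000001,    # Zexe
    "BLS12-379": 0x9b04000000000001,    # label constructed from p bit length
    "BLS12-383": 0x105a8000000000001,   # label constructed from p bit length
}

def table():
    return {name: profile(u) for name, u in SEEDS.items()}

if __name__ == "__main__":
    for name, row in table().items():
        print(name, row)
```

An even seed such as the BLS12-381 one puts all of the 2-valuation into r-1 (twice the valuation of u) and leaves p-1 with valuation 1; an odd seed with u-1 highly divisible by 2 gives both p-1 and r-1 a high valuation.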
MNT curves
Two cycles of elliptic curves are widely deployed: 298-bit parameters and 753-bit parameters (see DOI 10.1007/978-3-662-44381-1_16, eprint 2014/595). I generated other parameters (with the algorithms from Karabina–Teske, eprint 2007/425, DOI 10.1007/978-3-540-79456-1_6) to have an idea of the security for larger parameters; they are at tnfs/param/TestVectorMNT_k_cycle_D_1e9.py. But the curves are not optimized for zkSNARKs: the valuation at 2 of p-1 and r-1 is low.
Curve  k  D  ref  p (bits)  r (bits)  p^{k} (bits)  estimated security 

MNT4-298  4  614144978799019  eprint 2014/595  298  298  1192  2^{77} 
MNT6-298  6  614144978799019  eprint 2014/595  298  298  1788  2^{87} 
MNT4-753  4  241873351932854907  eprint 2014/595, CODA  753  753  3012  2^{113} 
MNT6-753  6  241873351932854907  eprint 2014/595, CODA  753  753  4517  2^{137} 
MNT4-992  4  95718723  gitlab file  992  992  3966  2^{126} 
MNT6-992  6  95718723  gitlab file  992  992  5948  2^{156} 
The seeds are the following.
Curve  seed 

MNT4-298  u = 0x1eef5546609756bec2a33f0dc9a1b671660000 
MNT6-298  u = 0xf77aaa3304bab5f61519f86e4d0db38b30000 
MNT4-753  u = 0x15474b1d641a3fd86dcbcee5dcda7fe51852c8cbe26e600733b714aa43c31a66b0344c4e2c428b07a7713041ba18000 
MNT6-753  u = 0xaa3a58eb20d1fec36e5e772ee6d3ff28c296465f137300399db8a5521e18d33581a262716214583d3b89820dd0c000 
MNT4-992  u = 0xc85f1924b404f160077c049739e871907e407900a6d59abd8e25f63eaec03b9f974bfa92dd5cc38cb09ffdcdd3d19ab23bad8e228130bedd0e0859c32774 
MNT6-992  u = 0x642f8c925a0278b003be024b9cf438c83f203c80536acd5ec712fb1f57601dcfcba5fd496eae61c6584ffee6e9e8cd591dd6c71140985f6e87042ce193ba 
For a 128-bit security level, an example of cycle for comparison (in terms of length) is the following. Roughly 1024-bit parameters provide a 128-bit security level. For the curve MNT4-992 the estimated cost of NFS-Conjugation is 2^{126} in F_{p^4} and for MNT6-992 the estimated cost of STNFS is 2^{156} in F_{p^6}.
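# SageMath code; the import below lets it also run as a Python script with Sage installed
from sage.all import GF, EllipticCurve
# MNT4_992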
k = 4
u = 0xc85f1924b404f160077c049739e871907e407900a6d59abd8e25f63eaec03b9f974bfa92dd5cc38cb09ffdcdd3d19ab23bad8e228130bedd0e0859c32774
D = 95718723
c = 1
a = 3
b = 0x1c517e4f1632c3879c949ad49791cd8d9a6fc4bba403a3e69053e909ecbd42dbafb80100e0e46c53e85a07d869637e75ca6c3371de1bb090517613b30782f01489562fe913cd858d6671ab2a9d7ceb5c3ce8ea426c577ebb16b3c87a501e4bef0df989d7ec1037f32e852df87dce54696805764e1a072268d650a1ea
pnbits = 992
rnbits = 992
p = u**2 + u + 1
r = u**2 + 1
t = u + 1
y = 0x914c26752f9ff10b6a9060342744c1971bd11ee0a5a9f3dbff85fd462a6807cdbe69fef2c1fc2731306a180a5490999b3e810db101c100f78eee893a3
# CM equation and curve order
assert t**2 - 4*p == -D*y**2
assert p + 1 - t == r*c
# small 2-valuation of p-1 and r-1
assert (p-1) % (2**2 * 3 * 5**5 * 13) == 0
assert (r-1) % (2**4 * 3**2 * 5**10) == 0
Fp = GF(p)
E4 = EllipticCurve([Fp(a),Fp(b)])
# MNT6_992
k = 6
u = 0x642f8c925a0278b003be024b9cf438c83f203c80536acd5ec712fb1f57601dcfcba5fd496eae61c6584ffee6e9e8cd591dd6c71140985f6e87042ce193ba
D = 95718723
c = 1
a = 3
b = 0xa0c214d66abeed117834b3812f966d30b7ce0cef1dc8aec978c8da94cbcf67a2d99c2c1428f9ffb86b280c13144154fb1be8a9e1f4fd886271c3816e25f623c01e344d24440dd2873f6b207862dab186fde6c075b5a0dccdcd86c7656865d75ca94f63a091cf6fc5d538342b81b871bda4b63fac1a9ed8b36ccd906
pnbits = 992
rnbits = 992
p = 4*u**2 + 1
r = 4*u**2 - 2*u + 1
t = 2*u + 1
y = 0x914c26752f9ff10b6a9060342744c1971bd11ee0a5a9f3dbff85fd462a6807cdbe69fef2c1fc2731306a180a5490999b3e810db101c100f78eee893a3
# CM equation and curve order
assert t**2 - 4*p == -D*y**2
assert p + 1 - t == r*c
# small 2-valuation of p-1 and r-1
assert (p-1) % (2**4 * 3**2 * 5**10) == 0
assert (r-1) % (2**2 * 3 * 5**5 * 13) == 0
Fp = GF(p)
E6 = EllipticCurve([Fp(a),Fp(b)])