erik aronesty
Apr 13, 2020

There are lots of big curves out there, like brainpoolP512, which offer 256 bits of security. In practice, however, 128 bits of EC security can be compared to more than 128 bits of AES security, simply because EC attacks remain challenging to optimize and finding collisions cannot be optimized the way that ciphers and preimages can be.

More info here on why we should be more worried about our symmetric ciphers: http://loup-vaillant.fr/tutorials/128-bits-of-security

Finally, the future of EC crypto is pairing — the number of use cases seems to rise the more I work with them (searchable encryption, homomorphic encryption, etc.). It seems to me that *starting* any new crypto-system with a pairing-friendly curve makes sense — simply because of the unknown use cases that will inevitably arise.

I’d be more interested in improving upon and working with secure and efficient EC curves offering 192 bits of security, like some BL24 pairings.
