Board: Development & Technical Discussion
why did bitcoin choose secp256k1 over secp256r1?
by behindtext on 09/03/2013, 13:21:18 UTC
something i find rather disconcerting about bitcoin is a lack of justification/explanation for some of the design decisions, in particular the choice of doing 256-bit ecdsa keypairs over secp256k1 vs secp256r1 (a.k.a. P-256) for wallets.

the best i could find on the forum is this thread from 2011 - https://bitcointalk.org/?topic=2699.0

NIST recommends use of secp256r1, and more generally prefers random curve parameters to the Koblitz ones. i can only speculate why this choice was made; here are a couple possible reasons:

* NIST sets standards for NSA / US govt crypto and is genuinely concerned about everyone's security. they have found that random curves are more secure than Koblitz ones.
* NIST has made an intentionally poor suggestion to use secp256r1, so it acts as a honeypot. they have found that Koblitz curves are actually more secure than the random ones.

with those reasons in mind i could see bitcoin having analogous justifications:

* Satoshi had information which led him/them to believe that secp256r1 was indeed a honeypot and that secp256k1 was the better choice for real security
* Satoshi knew that secp256k1 was weak and intentionally included it in bitcoin to make bitcoin into a honeypot

considering that the design decisions for both BTC and NIST ciphers are entirely opaque, it is difficult to make a good guess as to their motivation. i have similar reservations about using base58 everywhere, but that is less a concern from a security perspective.

can anyone provide a justification for using secp256k1 over secp256r1 besides "that's just the way it is" or "so it was written in the great book"?
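
An added example, not part of the original post and not code from Bitcoin or NIST: what "random" versus "Koblitz" parameters mean concretely for the two curves named above. It goes beyond the post by checking that secp256r1's `b` follows from its published SHA-1 seed (the X9.62 derivation) and that secp256k1's `a = 0, b = 7` form admits an efficient endomorphism. The constants are the published SEC 2 / FIPS 186 domain parameters; the function names are this example's own.

```python
import hashlib

# Published domain parameters (SEC 2 / FIPS 186), not values from the post.
R1_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
R1_A = R1_P - 3
R1_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
R1_SEED = bytes.fromhex("C49D360886E704936A6678E1139D26B7819F7E90")
R1_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
        0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
K1_P = 2**256 - 2**32 - 977
K1_A, K1_B = 0, 7  # fixed small constants; no seed is published for this curve
K1_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def seed_to_c(seed, bits=256):
    """X9.62 derivation: SHA-1 of seed, seed+1, ... concatenated into c."""
    v = (bits - 1) // 160
    w = bits - 160 * v - 1
    z = int.from_bytes(seed, "big")
    c = int.from_bytes(hashlib.sha1(seed).digest(), "big") % (1 << w)
    for i in range(1, v + 1):
        s = ((z + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s).digest(), "big")
    return c

def r1_b_matches_seed():
    # With a = -3, the rule c * b^2 == a^3 becomes c * b^2 == -27 (mod p).
    return (seed_to_c(R1_SEED) * R1_B * R1_B + 27) % R1_P == 0

def k1_cube_root_of_unity():
    # p % 3 == 1, so some beta != 1 with beta^3 == 1 (mod p) exists.
    g = 2
    while pow(g, (K1_P - 1) // 3, K1_P) == 1:
        g += 1
    return pow(g, (K1_P - 1) // 3, K1_P)

def k1_has_endomorphism():
    # Because a = 0, (x, y) -> (beta*x, y) maps curve points to curve points.
    beta = k1_cube_root_of_unity()
    x, y = K1_G
    return beta != 1 and on_curve((beta * x % K1_P, y), K1_A, K1_B, K1_P)

if __name__ == "__main__":
    print("secp256r1 b derived from seed:", r1_b_matches_seed())
    print("secp256k1 endomorphism present:", k1_has_endomorphism())
```

The seed check only shows that `b` follows from the seed; it says nothing about how the seed itself was chosen.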