Re: why did bitcoin choose secp256k1 over secp256r1?
by gafter on 11/09/2013, 20:26:43 UTC
something i find rather disconcerting about bitcoin is a lack of justification/explanation for some of the design decisions, in particular the choice of doing 256-bit ecdsa keypairs over secp256k1 vs secp256r1 (a.k.a. P-256) for wallets...

can anyone provide a justification for using secp256k1 over secp256r1 besides "that's just the way it is" or "so it was written in the great book"?

Since 2007 there is evidence that the supposedly random constants in secp256r1 may have been manipulated by the NSA to provide a backdoor.  See http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115.  Presumably Satoshi was aware of this.  The Koblitz curves cannot have been so "cooked"; see http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters/10273#10273.
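
The contrast drawn in the reply above can be checked directly; the following is an added example, not part of the original post. It assumes the domain parameters and the P-256 seed as published in SEC 2 and FIPS 186, and the SHA-1 seed expansion from ANSI X9.62. It shows that P-256's `b` is reproducible from the seed, which says nothing about how the seed was picked, while secp256k1 uses a = 0 and b = 7 with no seed at all.

```python
import hashlib

# Published domain parameters; a and b define y^2 = x^3 + a*x + b over GF(p).
SECP256K1 = dict(
    p=2**256 - 2**32 - 977, a=0, b=7,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
SECP256R1 = dict(
    p=2**256 - 2**224 + 2**192 + 2**96 - 1, a=-3,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
)
# Seed published alongside P-256; the standard does not say how it was chosen.
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def on_curve(curve):
    """True if the published base point satisfies the curve equation."""
    x, y, p = curve["gx"], curve["gy"], curve["p"]
    return (y * y - (x**3 + curve["a"] * x + curve["b"])) % p == 0


def seed_to_c(seed, p):
    """Expand a 160-bit seed with SHA-1 into the integer c (X9.62 procedure)."""
    bits = p.bit_length()
    v = (bits - 1) // 160          # number of extra SHA-1 blocks
    w = bits - 160 * v - 1         # bits kept from the first hash
    z = int.from_bytes(seed, "big")
    c = int.from_bytes(hashlib.sha1(seed).digest(), "big") % (1 << w)
    for i in range(1, v + 1):
        block = ((z + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(block).digest(), "big")
    return c


def b_matches_seed(curve, seed):
    """'Verifiably random' check: c * b^2 == a^3 (mod p)."""
    c = seed_to_c(seed, curve["p"])
    return (c * curve["b"] ** 2 - curve["a"] ** 3) % curve["p"] == 0


if __name__ == "__main__":
    print("secp256k1 base point on curve:", on_curve(SECP256K1))
    print("secp256r1 base point on curve:", on_curve(SECP256R1))
    print("secp256r1 b derived from seed:", b_matches_seed(SECP256R1, P256_SEED))
```

A passing seed check only proves that `b` follows from the seed through SHA-1; the seed itself remains an unexplained 160-bit input.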