It is also very interesting that Satoshi used secp256k1 and not the common secp256r1, isn't it?
Yeah; it was discussed a few times on this forum. You find it all through the search function.
Here's a quote from Mike Hearn:
I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.
However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ...
And gmaxwell:
But I'm really not at ease knowing that every signature in a Bitcoin transaction is implemented using a very particular and unusual elliptic curve that has been selected for an unknown reason that his chooser is unwilling to elaborate on.
You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?