why_secp256k1.md

❯ I have a question - Satoshi likely understood elliptic curve cryptography quite well, and likely had something in mind in his selection of this curve group among the options that existed, such as secp256r1 (P-256 in TLS/SSH is the name given) - aside from its unpopularity and relatively low level of application to applications that use elliptic curve PKIs, a specious reason since lack of testing is a weakness, not a strength - like the principle of security by obscurity - what other reasons might he have had for selecting this curve?

● Good question. There are several substantive reasons beyond "security through obscurity" that make the choice look deliberate and well-reasoned.

1. Verifiable, Rigid Parameters (the strongest reason)

secp256r1's curve coefficient b was generated by hashing a seed value with SHA-1. The "verifiably random" process is supposed to be a nothing-up-my-sleeve guarantee -- but the seed itself is an unexplained 256-bit number chosen by Jerry Solinas at the NSA. Nobody knows how that number was picked. The concern: you could keep generating random seeds, hashing them, checking if the resulting curve has a weakness only you know about, and publishing the "winning" seed. The process proves nothing unless the input to the hash is itself trustworthy (like the digits of pi or a small counter).

secp256k1 sidesteps this entirely. Its parameters are a = 0, b = 7 -- the simplest values that produce a curve with prime order. There is no unexplained seed, no hash output, no trust required. The curve is what DJB's https://safecurves.cr.yp.to/ project calls "rigid" -- the parameters are so constrained that there's essentially no room to have searched for a weak instance.

2. The GLV Endomorphism (performance where Bitcoin needs it most)

Bitcoin full nodes verify every transaction ever made. The dominant cost is ECDSA signature verification, which requires computing k1P + k2G. The a = 0 property gives secp256k1 the GLV endomorphism we've been studying, which makes verification ~30% faster than on secp256r1. This isn't a marginal concern -- it directly affects how fast a node can sync the blockchain and validate blocks. Satoshi may or may not have anticipated the GLV optimization specifically (Hal Finney pointed it out in 2011), but selecting a Koblitz curve at least left the door open for it.

Even without GLV, a = 0 eliminates a multiplication from the point doubling formula, giving a smaller constant-factor speedup in all EC operations.

3. Distrust of NIST/NSA (justified in hindsight)

The cypherpunk community had long-standing suspicion of NIST cryptographic standards. This was later vindicated when Snowden's documents revealed that the NSA had deliberately backdoored Dual_EC_DRBG (a NIST-standardized random number generator based on elliptic curves). While no backdoor has been found in the P-256 curve itself, the institutional relationship between NIST and NSA -- and the opacity of the parameter generation -- makes the suspicion reasonable. Choosing a non-NIST curve was a bet on institutional distrust that aged well.

It's worth noting the counter-argument: the DES S-boxes were similarly suspected of being NSA-backdoored, but turned out to be carefully hardened against differential cryptanalysis (an attack only the NSA knew about at the time). So NSA influence doesn't always mean weakness. But the difference is that the DES S-box construction was eventually explained and verified, while the P-256 seed never has been.

4. Satoshi's Own Statement

In a 2011 email to Mike Hearn, Satoshi said something to the effect of "I didn't find anything to recommend a curve type, so I just picked one." This is characteristically understated. Given that he spent two years building Bitcoin before release and got virtually every other design decision right (or at least defensibly right), "I just picked one" more likely means "none of the standard recommendations applied to my threat model, so I went with the one whose parameters I could verify."

The "Unpopularity" Argument Reframed

You're right that lack of adoption is not itself a security advantage -- it means less cryptanalytic scrutiny. But secp256k1 isn't some obscure construction; it's a standard Koblitz curve from the SECG specification, built on well-understood mathematics. The curve type had extensive analysis. What was unusual was that nobody had bothered to use this particular instance before, precisely because NIST hadn't blessed it. That's a social fact, not a mathematical one.

Sources: