Thanks to Snowden & Bruce Schneier, we now know the answer. secp256r1 has an NSA backdoor - see
http://www.linuxadvocates.com/2013/09/is-openssls-cryptography-broken.htmlSo - while a backdoor is not really a "honeypot" this is the best answer:-
* NIST has made an intentionally poor suggestion to use secp256r1, so it acts as a honeypot. they have found that Koblitz curves are actually more secure than the random ones.
* Satoshi had information which led him/them to believe that secp256r1 was indeed a honeypot and that secp256k1 was the better choice for real security
I know this is a somewhat old thread, but as this comes up as a top answer when searching for secp256r1 , I feel some of the above points need to be clarified.
Firstly, people are comparing secp256r1 to Dual_EC_DRBG as if they're interchangeable (And some even seem to think that they're the same thing). They're not. They're two completely different algorithms that serve completely different purposes. Dual_EC_DRBG has been suspicious from the second it was published and plenty of people from the security industry have warned against using it. I believe someone recently was able to demonstrate a proof of concept of breaking the encryption when using their own curve parameters. The issue is that the specification gives a default curve that doesn't indicate where those parameters came from - it should be random.
However, secp256r1 has no such proof. There is a theoretical issue with it, though - its curve parameters are taken from a SHA1 hash (unlike Dual_EC_DRBG) of a seed value. It's very, very difficult to reverse a hash like that, which is what the NSA will have to have done in order to "trap" the algorithm. It's still theoretical and relies on them having undisclosed exploits that we're unaware of (unlike Dual_EC_DRBG which doesn't) - certainly a possibility and if you value your privacy, don't use it, but it's not quite as obvious as Dual_EC_DRBG. That doesn't make it "safe" per se, but then again it requires a much bigger leap for the NSA to have compromised. There hasn't been a "leak" (from Snowdon or otherwise) that I am aware of that indicates that secp256r1 is a honeypot, but there has for Dual_EC_DRBG.
By all means, if you're sceptical then don't use secp256r1 but let's not confuse it with a completely different algorithm.
