Yeah using secp256r1 would have been a nightmare. The NSA doesn't screw up this badly. Cryptographic constants should be "nothing up my sleeve numbers". Lets look how the NSA "randomly" came up with the parameters for secp256r1
Previous versions of this Standard contained a method for the generation of the domain
parameters p and q using SHA-1 and probabilistic methods. This method is no longer approved
for domain parameter generation; however, the validation process for this method is provided in
Appendix A.1.1.1 to validate previously generated domain parameters.
A method for the generation and validation of the primes p and q using probabilistic methods is
provided in Appendix A.1.1.2 and is based on the use of an approved hash function; this method
shall be used for generating probable primes. The validation process for this method is provided
in Appendix A.1.1.3.
The probabilistic methods use a hash function and an arbitrary seed (domain_parameter_seed).
Arbitrary seeds could be anything, e.g., a user’s favorite number or a random or pseudorandom
number output by a random number generator (see SP 800-90). The domain_parameter_seed
determines a sequence of candidates for p and q in the required intervals that are then tested for
primality using a probabilistic primality test (see Appendix C.3). The test determines that the
candidate is either not a prime (i.e., it is a composite integer) or is “probably a prime” (i.e., there
is a very small probability that a composite integer will be declared to be a prime). p and q shall
be the first candidate set that passes the primality tests. Note that the domain_parameter_seed
shall be unique for every unique set of domain parameters that are generated using the same
method.
Ok so lets work backwards.
We want p & q to be prime numbers (or probably prime).
So we use a generator to try values in sequence and use the first curve for a given security strength which meets our requirements. Why do we use the FIRST value? To provide a level of reassurance that it is legit and not chosen for a malicious reason. If there were 4872498374938247398 valid curves and the NSA picked the 4872498374938247399th one that would be suspicious right. Alright so we are using the first one we find, building some trust here. That is good.
Ok so how do we seed the generator. We take the hash of some number at random? WTF? Did some 2 bit scammer on bitcointalk come up with this method? I mean this is the fracking NSA. They know a "little" about cryptography. There is no possible way they "forgot" that this makes all the subsequent steps worthless. I mean it is like saying "You can trust me because you can trust me" See I am not asking you to trust me blindly. I gave you a specific reason why you can trust me."
Now the NSA isn't stupid. The obvious elephant in the room is how do we know the "random" seed value is random. Maybe the NSA went through quadrillions of random seed values until they found one which when hashes produces a sequence such that the first valid curve is the one which has a property that the NSA knows has a weakness. In other words all the song and dance about following this generator sequence and performing various checks is predicated on the generator seed being chosen "fairly" but they just happened to forget that the seed for the generator isn't provable or even probably fair (nothing up my sleeve) and thus the entire process is security theater.
Formally
D.5 Generation of Pseudo-Random Curves (Prime Case)
Let l be the bit length of p, and define
v = ( l – 1) /160
w = l – 160v – 1.
1. Choose an arbitrary 160-bit string s as the domain parameter seed.
2. Compute h = SHA-1(s).
3. Let h0 be the bit string obtained by taking the w rightmost bits of h.
4. Let z be the integer whose binary expansion is given by the 160-bit string s.
5. For i from 1 to v do:
5.1 Define the 160-bit string si to be binary expansion of the integer
(z + i) mod (2 160).
5.2 Compute hi = SHA-1(si).
6. Let h be the bit string obtained by the concatenation of h0 , h1, … , hv as follows:
h = h0 || h1 || … || hv.
7. Let c be the integer whose binary expansion is given by the bit string h.
8. If ((c = 0 or 4c + 27 ≡ 0 (mod p))), then go to Step 1.
9. Choose integers a, b ∈GF(p) such that
c b^2 ≡ a^3 (mod p).
(The simplest choice is a = c and b = c. However, one may want to choose differently for
performance reasons.)
10. Check that the elliptic curve E over GF(p) given by y^2 = x^3 + ax + b has suitable order.
If not, go to Step 1.
You can stop reading at step #1. The foundation is sand. So what was the domain parameter seed picked at random over all others (you can trust us <wink> <wink>)?
c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
A totally arbitrary number. Was this the first one the NSA tried? Or did they have their super computer crunching for years before they came up with this seed which when you follow the rest of their "sleight of hand" generator produced the "random" curve which is EXACTLY what they wanted it to be for some reason only they know? The rest of their security process is just feel good security. It is the wand in a magic trick so you don't look closely to the fact that the magician is just cheating with his other hand.
Now if the seed for secp256r1 was say the first 160 bits of pi well we would have at least some confidence that the curve produced was strong. It would be a rather extreme coincidence that the first 160 bits of pi happened to produce a curve which the NSA knew was weak.
