The one you're remembering is secp256r1 - it was for a long time the most popular group in use for TLS on the internet. Plus a few other contexts, it was basically 'industry standard' until the DJB stuff (curve25519/ed25519) slowly took over.
(the 'k' is for Koblitz curves, named after Neal Koblitz. I forget what the 'r' stands for. The 'p' is for prime, i.e. prime order curve. And SEC = 'standards for efficient cryptography').
ah, ty
prime, 256 bit, koblitz
https://crypto.stackexchange.com/questions/18965/is-secp256r1-more-secure-than-secp256k1
koblitz method is very deterministic, and thus widely regarded as strong against backdooring via random values, which are used with these keys with ECDH to generate shared secrets
the R is from random, meaning that it is more likely to be possible the group was selected because of it having a convenient symmetry to enable a backdoor
so, yeah, koblitz ftw, he may well deserve some lionizing from us bitcoiners
Re the 'few bits weaker' for Koblitz curve, I *believe* they refer to the fact that curves of this type (j-invariant 0, y^2=x^3 + 0x +C), have a non trivial endomorphism y-> -y, x -> qx, where q is a cube root of unity in the finite field. Through some dark arts this reduces the amount of work needed to brute force a private key by a factor 6, i.e. you lose 2 to 3 bits of security. But I don't even know what paper I read that in, so barely above the 'revealed to me in a dream' level of citation here.
About suspicions about parameter selection, the big story was the hashing used to create the group generators, but it is also here that using a prime order group *should* help .... in a cyclic group of prime order every element (except the identity) is a generator, and there's some vague sense in which "if one generator were not secure, nor would any other be" (see: "random self-reducibilty").
If you want to see a world class expert explain people's concerns about the NIST p256 generators, check this out:
God damn it i forgot the timestamp, start at 15:13
