What are the advantages (and disadvantages) of using this over other specifications such as secp256r1?
Secp256k1 is less widely used than secp256r1 so for some time there were faster implementations of r1 than k1. That isn't true today, and the fastest implementations of k1 are considerably faster than r1.
Secp256k1's security critical parameters are essentially fixed by its design criteria, while r1's parameters are generated based on a 'random number' with no documented origin, causing some to worry that it might have been intentionally weakened.
I don't believe a new application would standardize on a 256-bit curve at this time, but if I had to pick between k1 and r1 for something where compatibility wasn't a concern picking k1 would be an easy decision.
Thanks for that, but that makes it seem like Satoshi just randomly choose one of the many specifications available -- which may in fact be true. Nonetheless, I'm looking for specific differences between specifications that might effect things like signature performance, overall security, etc... – John Henry 1 hour ago – John Henry – 2013-09-14T22:59:06.917
1I had heard that he had a very good reason to choose this one over another, I'll also try to find the reference, though this was perhaps just a rumor when there was the big thing with the NSA having backdoor in some SHA algorithms. I would love to see this answered! – Mark – 2014-08-15T13:53:58.370