So you're saying that there is something inherently insecure about the constants defining the curves themselves. I've read some of Bernstein's stuff on 25519, and everything there is about selling curve25519 as making the engineering challenges easier by avoiding common pitfalls of the Weierstrass normal form.

And I can't find anyone anywhere giving evidence of mathematical insecurity of any NIST standard curves. Evidence might come in the form of a (significantly more than state of the art)-subexponential but still superpolynomial time algorithm. Dual_EC has something even better: a proof of insecurity.

Here, just read Bernstein:

http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

And I quote, "So what's the problem? Answer: If you implement the NIST curves, chances are you're doing it wrong"

This is just reinforcing my point. There is nothing known to be mathematically wrong with the standard curves. Bernstein just warns against all the (admittedly many) pitfalls in implementations, and that the Weierstrass normal form makes it easier to run into problems than the normal form he proposes. This is the only reason he says NIST doesn't guarantee security, and of course they don't guarantee against engineering errors.

But that's extremely different from saying NSA planted backdoored curves intentionally. The only thing in Bernstein's analysis that I could possibly construe as suggesting malicious behavior is that the NIST curves are outdated (the suggestion being that they are intentionally left outdated).

First, SECP256K1 isn't (IIRC) a NIST curve.

Second, if NSA backdoored a curve standard, they probably did it in a fashion that only allows them privileges. Google [NOBUS NSA]. Dual_EC is a NOBUS backdoor, unless you can efficiently solve the ECDLP, in which case the backdoor doesn't matter anyways.

Finally, even if you stipulate for argument that a curve was backdoored in such a way that a researcher might find the backdoor, who's to say that curve researchers care that much about Bitcoin?