Why does BIP-340 use secp256k1?


If the entire Taproot/Schnorr soft-fork was going to implement an entirely new signing scheme anyway that was completely independent from the previous ECDSA scheme, why did it use secp256k1?

Couldn’t it have used other curves, like Curve25519 and its signature schemes that are being used by many other projects? Wouldn’t that come with a lot of advantages — like key aggregation, signature aggregation and threshold signature schemes already well-developed and deployed in other projects? Aren’t these schemes generally faster on Curve25519?

What was the advantage of sticking to secp256k1?
