Bitcoin
Why does BIP-340 use secp256k1?
If the entire Taproot/Schnorr soft fork was going to implement a completely new signature scheme completely independent of the previous ECDSA scheme, why did they use secp256k1?
Couldn’t you just use other curves like Curve25519 and the signature scheme used in many other projects? Wouldn’t there be many benefits, such as key aggregation, signature aggregation, and threshold signature schemes, that are already well developed and deployed in other projects? Isn’t this generally faster in Curve25519?
What was the benefit of sticking with secp256k1?