Here's something counterintuitive to non-practitioners: curve P-521 is often less secure in practice than curve P-256.
The latter is more popular, and so better tested. The risk of implementation bugs dwarfs the risk of partial cryptanalysis of ECC, so picking P-521 optimizes for the wrong thing.
The latter is more popular, and so better tested. The risk of implementation bugs dwarfs the risk of partial cryptanalysis of ECC, so picking P-521 optimizes for the wrong thing.
Comments
You need to be dealing with very specific constraints for it to not be best (like significant bandwidth restrictions, etc)