I was playing around with an implementation of the NIST P-256 elliptic curve and I noticed that the field order and the order of the base point in the implementation are "close" :
Field order: $115792089210356248762697446949407573530086143415290314195533631308867097853951$
Group order: $115792089210356248762697446949407573529996955224135760342422259061068512044369$
I see this as a consequence of Hasse theorem, and as an evidence that the base point is generating the whole group of the curve, which is then of rank 1.
Is it just a coincidence or is it something desirable for cryptographic purpose that the group of the underlying curve should have a rank equal to 1 ?
In Cryptography we choose a curve $E$ over a finite field $K$ then the $E(K)$ is the groups of the points and $|E(K)|$ is the order of $E(K)$, i.e. cardinality, or the number of the rational points.
Then we choose a base point $G$, which is usually chosen as nothing-in-my-slave number to prevent suspicious curve parameters. It is clear that the multiples of $[k]G$ ($\langle G\rangle$) form a subgroup of $E(K)$. Let call order of this subgroup $r = r = \left|\langle G\rangle\right|$ than by the Lagrange theorem $$h = \frac{|E(K)|}{r}.$$ We call this $h$ as the cofactor
There is a small subgroup attack (Lim–Lee active small-subgroup attacks ). The attacker chooses $P$ and the user reveals $[k]P$. The obvious method for the attacker is choosing $P$ in a small group where the ECDLP is easy. If the curve $|E(K)|$ is prime then there are no non-trivial subgroups for the attacker. If near the prime like 8 in the Curve25519 the prevention is easy (see below).
We also want the $r$ to be prime to resist the Pohlig–Hellman algorithm.
Does cofactor affect security?
It is clear that when the cofactor is 1 then $\langle G\rangle$ is the whole curve and any non-zero point can be a generator. Lim–Lee, and Pohlig-Hellman will fail.
What if the cofactor >1? There is only some special need for checking that the incoming point is not on the small subgroup, rather than the $\langle G\rangle$. The designers of the curves take this into consideration, for example for Curve25519 has cofactor 8. When used with Diffie-Hellman key exchange then while selecting the private key, the three least significant bit set to zero to guarantee that the private key in the $\langle G\rangle$
So $cofacor =1$ is easy to use. However, having larger some other advantages like the Montgomery Curves
Note that: the curve P-256 is suspicious since the coefficients generated by hashing the unexplained seed
c49d3608 86e70493 6a6678e1 139d26b7 819f7e90