The relevant issue is best described by this reply by Schneier:
Bruce Schneier • September 5, 2013 4:07 PM
On the crypto bits in your guardian piece, I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that.
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
There is no such suspicion for curve25519 at this time, so it has nothing to do with "cracking" ECC. It has everything to do with ECCs engineered from the ground up to be compromised through a related curve that is only known by the designer, and the possibility of such a compromise in the NIST curves.
So, the logic behind a preference for curve25519 is not that the NSA cannot crack it, is that the NSA would have to crack it.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds