Think about Dual_EC_DRBG: it had large constant numbers. It has been shown that whoever generated these numbers could at the same time generate a related set of numbers, which when known allows one to reverse the function. Recent revelations imply that the NSA knows these numbers.
AFAIK, no such mechanism is known to exist for the NIST curve constants, but that might be just because nobody has found one yet. And the NSA is known to be involved with it.
Now contrast it with Curve25519. Every single constant in the algorithm has been explained by its creator, and is the smallest value with some desirable property (performance or security). Unsurprisingly, all these constants are quite small. Quoting Wikipedia: "The curve used is y^2 = x^3 + 486662x^2 + x (a Montgomery curve) over the prime field defined by the prime number 2^255 − 19, and it uses the base point x = 9." That's it.
It's possible (and even probable) that the NIST curves do not in fact have a backdoor. But with the DJB curves, you can be certain that they do not have a backdoor, and they are also simpler and faster.
Take a look at http://safecurves.cr.yp.to/rigid.html for more on the subject.
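The claim above that Curve25519's constants are the smallest values with a given property can be checked directly for two of them. The following Python is an added example, not part of the original comment: it confirms that 19 is the smallest c for which 2^255 - c is prime, and that 9 is the smallest x whose point lies in the prime-order subgroup. Assumptions not taken from the comment: the subgroup order `L` and the ladder formulas follow RFC 7748, and the coefficient 486662 is used as given rather than re-derived, since that would need point counting.

```python
A24 = (486662 - 2) // 4  # ladder constant derived from the quoted coefficient
# Assumption (not in the comment): order of the prime-order subgroup, per RFC 7748.
L = 2**252 + 27742317777372353535851937790883648493
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n):
    """Miller-Rabin with fixed small-prime bases (probabilistic at this size)."""
    if n < 2 or any(n % q == 0 for q in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1))
    return not any(witness(a) for a in BASES)

def smallest_offset(bits=255):
    """Smallest c > 0 such that 2^bits - c is prime."""
    c = 1
    while not is_probable_prime(2**bits - c):
        c += 1
    return c

def ladder(k, u, p):
    """x-only Montgomery ladder: projective (X, Z) of k*P, where x(P) = u."""
    x2, z2, x3, z3 = 1, 0, u, 1  # start from (infinity, P)
    for t in reversed(range(k.bit_length())):
        bit = (k >> t) & 1
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % p, b * b % p, d * a % p, c * b % p
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % p, u * (da - cb) ** 2 % p  # differential add
        x2, z2 = aa * bb % p, e * (aa + A24 * e) % p  # doubling
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2, z2

def smallest_base_x(p):
    """Smallest x >= 1 with L*P = infinity, i.e. P in the prime-order subgroup."""
    x = 1
    while True:
        X, Z = ladder(L, x, p)
        if Z == 0 and X != 0:  # Z == 0 with X != 0 encodes the point at infinity
            return x
        x += 1
```

Calling `smallest_offset()` and then `smallest_base_x(2**255 - 19)` reproduces the 19 and the 9 from the Wikipedia quote.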