>>So Curve25519 is pretty much rock solid unless (a) someone discovers genuinely new math or
After the NSA news happened , schneier said the math is safe , saying/implying you can trust Diffie-Hellman. And now it's not secure. So how can we be so sure of Curve25519 ?
There's nothing new about the math here. 1024 bit DH has been precarious for over a decade, at least since Tromer costed out an RSA-1024 factoring machine.
In other words, people a decade ago were also telling you to avoid DH-1024. What we're looking at today is a more efficient way of exploiting a bug we've known about for a long time.
You could never really trust, e.g. 32-bit DH. Context matters.
The security of 2048-bit DH versus 1024-bit DH isn't the difference between "one year" and "two years", it's the difference btween "one year" and centuries.
After the NSA news happened , schneier said the math is safe , saying/implying you can trust Diffie-Hellman. And now it's not secure. So how can we be so sure of Curve25519 ?