> but if you want to tinfoil hat it, just do what every modern system does and use Curve25519.
What is your take on the NIST curves being "officially" blessed for government data via Suite B (or whatever they're calling it)?
If it's good enough for government work, would it be good enough for us in the private sector? What are the chances the NSA knows of weaknesses in Curve25519 or ChaCha like they knew about differential cryptanalysis attacks on DES ahead of everyone else?
Frankly I think the kremlinology is a lot less interesting and useful than the engineering facts, which are that Curve25519 is more misuse-resistant, faster, and easier to implement in constant time. People shouldn't be using the P-curves anymore.