[CiPHPerCoder]

I would recommend against using them if your adversary is the NSA and your threat model comes wrapped in tin foil (and if I didn't, I'd get ignored anyway).

If so, use NaCl/libsodium at the application layer and don't rely on ECDSA alone.

If your threat model is "criminals", ECDSA is less insane than RSA (provided, once again, you're not implementing it yourself, you're relying on developed by a team of cryptographers and security engineers).

[Dylan16807]

Threat model wrapped in tin foil? I don't understand what you mean, are you suggesting paranoia?

My threat model includes NSA dragnets but not being specifically targeted by the NSA.

[CiPHPerCoder]

In that case, active attacks against Weierstrass field arithmetic isn't part of your threat model and ECDSA/ECDH over the NIST curves is fine.

[Dylan16807]

So this is something that can't be done en masse? Okay, thanks.

[IncRnd]

>> Threat model wrapped in tin foil? I don't understand what you mean, are you suggesting paranoia?

That term likely means one of two things: guarding against a particularly capable attacker or paranoia for others

[mkj]

NSA dragnets won't decrypt things using dodgy curves for signatures (ECDSA), only things using dodgy curves for key exchange (ECDH).