[Dylan16807]

Threat model wrapped in tin foil? I don't understand what you mean, are you suggesting paranoia?

My threat model includes NSA dragnets but not being specifically targeted by the NSA.

[CiPHPerCoder]

In that case, active attacks against Weierstrass field arithmetic isn't part of your threat model and ECDSA/ECDH over the NIST curves is fine.

[Dylan16807]

So this is something that can't be done en masse? Okay, thanks.

[IncRnd]

>> Threat model wrapped in tin foil? I don't understand what you mean, are you suggesting paranoia?

That term likely means one of two things: guarding against a particularly capable attacker or paranoia for others

[mkj]

NSA dragnets won't decrypt things using dodgy curves for signatures (ECDSA), only things using dodgy curves for key exchange (ECDH).