[cyphar]

The paper[1] makes it much clearer. They aren't using elliptic curves, they're using prime fields with ElGamal (with a weird construction using three separate keys for some reason). The security is similar to RSA-256 (in other words, "awful") -- it makes sense that they could crack it in 20 minutes.

[1]: https://arxiv.org/pdf/1908.05127.pdf

[api]

Why do people do weird stuff like this when there is gobs of good ECC code for things like ed25519 and ECDSA with standard curves that is easy to use and just sitting on GitHub?

Implementating complex crypto correctly is hard but its really not that tough to use common constructions in a secure way. A few days of reading can tell you how to build a cryptosystem that is at least not total holey cheese.

[cyphar]

One theory that the paper has (in the last page) is that the reason for the construction was a consequence of Solidity only having support for 256 bit integer arithmetic. So as a workaround (to avoid writing a library that does larger bit operations) they came up with a scheme using three 256-bit keys instead.

Obviously using Curve25519 would've made it possible to have a secure setup under the "256 bit arithmetic only" constraints, but I have a feeling (assuming this theory is correct) that someone who thinks that three 256-bit keys are significantly more secure than one 256-bit key probably would've messed that up too.