by JCBird1012 1542 days ago
A backdoor in Curve25519 hasn’t really been a concern, because unlike P-256, the parameters for the curve didn’t come from NIST. Curve25519 is a djb (https://en.wikipedia.org/wiki/Daniel_J._Bernstein) special.

So unless djb was secretly working with the NSA and willing to risk his reputation to backdoor a highly scrutinized elliptic curve, the risk is low.

3 comments

More importantly (because that's definitely something the NSA would try to do), curve25519 has fewer degrees of freedom to hide a backdoor in than P-256; 2^255-19 is the largest uint255 that's prime, and the other parameters (mostly the coefficient A=486662) were chosen by a similar "first value that satisfied the security requirements" process - there's a paper by DJB explaining the parameter selection rationale around somewhere[0], although they could definitely stand to be more conspicuous about it.

0: The value of A is (poorly) explained in passing in https://cr.yp.to/ecdh/curve25519-20060209.pdf under heading "Why this curve?", but that doesn't explain any details for someone who's not a cryptographer.
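The cheaply checkable parts of that rationale, as an added Python example that is not part of any comment in this thread: it confirms that 19 is the smallest c for which 2^255 - c is prime, and that A = 486662 meets two conditions from the cited paper ((A-2)/4 is an integer and A^2-4 is not a square mod p). The function names are this example's own, and the group-order conditions on the curve and its twist need point counting, which is not attempted here.

```python
# Added example: checks the parts of the Curve25519 parameter rationale
# that need only modular arithmetic. Function names are this example's own.

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin. False is a proof of compositeness; True is probabilistic."""
    if n < 2:
        return False
    for q in bases:                      # quick trial division by the bases
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:                    # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # base a witnesses that n is composite
    return True

def smallest_c(bits):
    """Smallest c >= 1 such that 2**bits - c is (probably) prime."""
    c = 1
    while not is_probable_prime(2**bits - c):
        c += 1
    return c

def is_square_mod_p(v, p):
    """Euler's criterion for an odd prime p."""
    v %= p
    return v == 0 or pow(v, (p - 1) // 2, p) == 1

P = 2**255 - 19
A = 486662

def check_parameters():
    return {
        "c": smallest_c(255),                                   # offset of the prime below 2^255
        "a_minus_2_divisible_by_4": (A - 2) % 4 == 0,
        "a2_minus_4_is_square": is_square_mod_p(A * A - 4, P),  # must be False
    }

if __name__ == "__main__":
    print(check_parameters())
```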

I believe that the thing is more that DJB created that huge paper about how to create a curve so that everybody can know it's not backdoored, with advice that appears to be almost unanimous, and created Curve25519 by following it.

It's not a matter of trusting him; instead, it's a matter of using the algorithm that requires the least trust of them all (including RSA).

The issue is that RSA isn't backdoorable, while elliptic curves are. Even if we trust the author, it's better not to trust anyone.