[littlestymaar]

> Additionally, the best attack on ECDLP (Pollard's rho) is much easier to understand than the best attack on RSA (the number field sieve).

Only if RSA is implemented properly. Naive textbook RSA implementations are very vulnerable[1]

[1]: https://sci-hub.st/https://link.springer.com/chapter/10.1007...