[todd8]

I've wondered about this, but I don't trust myself to figure out the answer. Even though I have a background in math and I've done some cryptography related work, I know enough about the crypto space to know that I don't know enough to make my own decisions. The featured article by Filippo Valsorda makes a lot of sense.

On the other hand, if the NSA really could find backdoors into elliptic curves (perhaps with a great deal of work) they would be motivated to gaslight the rest of us about elliptic curves by creating article like TFA.

[tptacek]

If that's really a concern of yours, the only logical responses are:

(1) Don't do any cryptography

(2) Seriously study cryptography so that you can attempt to analyze conclusions axiomatically.

Any other answer requires your to trust people that might be agents of NSA.

[wolf550e]

I guess there is also the approach, not favored by cryptography engineers, which is to decide for some projects that you don't care about efficiency, you would securely combine too many primitives. Like stream chunks for bulk encryption, but each chunk uses both AES-CTR-256 and ChaCha20, both with extended nonces, and HMAC-SHA256 for MAC. The asymmetric part combines X448, P-521, Kyber-1024 and NTRUPrime-whatever, the way normal people combine X25519 with Kyber-512. If people I trust would build "tinfoilhatcrypto" this way, I would use it for some things. The environmental impact of using this for small amounts of data would probably be negligible.