Hacker News
by mike_hearn 678 days ago
The argument for a back door goes like this:

1. The NSA is one of the world's only institutions that has any use for the otherwise irrelevant specialism of designing asymmetrically backdoored cryptography algorithms. They also have (or had) lots of maths PhDs writing internal papers. It's reasonable to assume they know things about kleptography that others don't, as it's not a well-funded sub-field of cryptography outside the signals intelligence world. So if there was an attack they'd discovered, it wouldn't be surprising if others didn't find it.

2. A good protection against kleptographic attacks is to use "nothing up my sleeve numbers", where the constants that go into an algorithm are derived from some well known source that isn't suspicious.

3. The NIST curves know about this sort of risk and attempt to use NUMS numbers. The constants are derived from the output of SHA1, which at the time was considered secure.

4. But the input to SHA1 is a giant random-looking number, not something obvious and above suspicion. Thus the setup fails to provide the assurance it was supposed to create because the NSA could have searched for a weak curve (if there was such a thing to begin with).

The argument that curve25519 wouldn't be susceptible is simply that curve25519 uses NUMS numbers properly, and so there's no wiggle room where djb or anyone else could have done a secret scan to find curves with certain properties.

As may be clear, how strong you think the above argument / problem is will depend entirely on your intuition about how well explored kleptography is by non-secret research. Unfortunately, as people generally don't publish negative results, that's very hard to judge.

1 comments
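The following is an added worked example, not code from the thread or from NIST, illustrating point 4 above: when a constant is "derived from a hash of a seed" but the seed itself is free to choose, the seed-to-constant derivation verifies fine for every candidate, so a party who can pick seeds can simply search for one whose derived constant has a property they care about. The `derive_constant` function is a deliberately simplified stand-in for the NIST/X9.62 seed procedure (SHA-1 output expanded to curve size; it is not the real hash chain or the b^2 c = -27 mod p check), and `looks_weak` is a constructed placeholder predicate ("top `work` bits are zero") standing in for some hypothetical secret property, not a real curve weakness. All seeds and strings are constructed for the example.

```python
import hashlib

CURVE_BITS = 256


def derive_constant(seed: bytes, bits: int = CURVE_BITS) -> int:
    """Expand a seed into a `bits`-sized constant with SHA-1.

    Simplified stand-in for the X9.62 / FIPS 186 seed procedure (assumption:
    real procedure differs in detail). Anyone can rerun this from the
    published seed, which is the 'verifiably derived' property NUMS schemes
    rely on. It says nothing about how the seed itself was chosen.
    """
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - bits)


def looks_weak(c: int, work: int) -> bool:
    """Constructed placeholder for a secret kleptographic property.

    Here: the top `work` bits of the constant are all zero, so a random
    constant satisfies it with probability about 2**-work.
    """
    return (c >> (CURVE_BITS - work)) == 0


def verifies(seed: bytes, c: int) -> bool:
    """The public check: does the constant really come from the seed?"""
    return derive_constant(seed) == c


def rigid_seed_attempt(work: int) -> bool:
    """'Nothing up my sleeve' done properly: the seed is fixed by a public
    convention, so the designer gets exactly one roll of the dice."""
    seed = b"nothing up my sleeve: digits of pi"  # constructed fixed seed
    return looks_weak(derive_constant(seed), work)


def free_seed_search(work: int, limit: int):
    """A designer who may publish any random-looking 160-bit seed tries
    seeds until the derived constant has the hidden property.

    Returns (tries, seed, constant) or None if `limit` is exhausted.
    Every candidate still passes `verifies`, so the published seed plus
    the derivation procedure offer no evidence against such a search.
    """
    for i in range(limit):
        # Random-looking 160-bit seed, like a published curve SEED value.
        seed = hashlib.sha1(b"candidate" + i.to_bytes(4, "big")).digest()
        c = derive_constant(seed)
        if looks_weak(c, work):
            return i + 1, seed, c
    return None


if __name__ == "__main__":
    WORK = 12  # expected cost of the search is ~2**WORK derivations
    print("rigid seed satisfies property:", rigid_seed_attempt(WORK))
    found = free_seed_search(WORK, 1 << 17)
    tries, seed, c = found
    print(f"free seed: found after {tries} tries, seed={seed.hex()}")
    print("constant verifies against published seed:", verifies(seed, c))
```

The point the code makes is the asymmetry: the rigid seed gives one sample, so the designer's chance of landing a "weak" constant is the base rate, while the free seed lets them pay about 2^work derivations to land one on purpose, and the resulting (seed, constant) pair is indistinguishable from an honest one under the published verification procedure. What is unknowable from the outside is whether any such property exists for real curves and whether the cost of finding it is feasible, which is the intuition the parent comment says the whole argument rests on.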

From memory, so I'm probably wrong, but: I thought the bona fides for Curve25519's design was that it demonstrated clear engineering reasons for all its choices, and Bernstein's issue with other curves was that NUMS constants (like pi, e, etc) were manipulable in the sense that you could take permutations of them --- the (silly) B4D455 paper.