[tptacek]

The word "may" is doing a lot of work in the sentence "may have been backdoored". What cryptographers are observing about the NIST P- curves is that it isn't impossible for them to have been backdoored; that there is a plausible technique that NSA could have used, given some an advance in ECC cryptanalysis unknown to public science but known to them, that could result in a backdoor.

Everything beyond that is the precautionary principle.

It's also really important to understand the difference between Dual_EC (the random number generator) and the NIST curves. There is much more circumstantial evidence against Dual_EC. Importantly, the potential backdoor in Dual_EC isn't really related to elliptic curves; you can describe a functionally similar backdoored RNG using other public key algorithms.

[pja]

Your glass appears to be half full, mine half empty :)

[tptacek]

No, it's not; the fullness of our glasses is orthogonal to the specific cryptographic issue we're discussing. I would recommend against the NIST P- curves.

One fortunate result of the Snowden disclosures is that for several reasons, some rational and some irrational, the market value of NIST/FIPS certification has plummeted --- it's still an issue if you're selling to the government, but no longer carries security cachet.

As a result, there's minimal upside to adopting cryptographic primitives and constructions simply because they have NIST standards backing them. Which means there's minimal upside to using the NIST curves.

Meanwhile, there are multiple downsides. One of them is the potential for backdoors, but I don't need to reach that issue in my analysis because another is the difficulty of safely implementing curve software with the NIST P-curves.

[chinpokomon]

If that's the standard, mine must be empty.