> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
> Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
That's not a problem of NIST recommendations. There aren't any post-quantum secure elliptic curve public-key systems. The fundamental computational problem used by ECC public-key cryptography isn't post-quantum secure, so it's not really a matter of curve choice.
The problem with NIST curves (vs ed25519) is the choice of parameters (it is not clear why they have such and such values) and the implementation edge cases. You already know it but maybe someone else will find it interesting: https://safecurves.cr.yp.to/
The comment about post quantum crypto did not relate to ECC directly. I just would like to see some PQ crypto in OpenPGP :)
Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.