
"As far as I know, no cryptographer seriously believes the curves to be backdoored, but nonetheless seems to be a hot topic of online discussion. DJB lists them as “unsafe”."

I'm not very well educated in this space. Is DJB historically prone to exaggeration?




The NIST curves are unsafe, regardless of whether they are backdoored. In order to use them safely, you have to carefully prepare your private key, because some keys are unsuitable. For Curve25519, you just need a decent secure random; all keys in the keyspace are good.


It's the other way around.

NIST P curves don't require any special preparation to their private key.

Curve25519 on the other hand requires a bizarre "clamping" (https://neilmadden.blog/2020/05/28/whats-the-curve25519-clam...), partially because the curve has cofactor 8.

Apart from clamping not being fully and clearly justified in most of the earliest specs and papers (which led to a few broken and/or insecure implementations), it makes the whole narrative of the curve being "safe" quite arguable and leaves a flavor of marketing in the mouth (NIST P curves have cofactor 1, so they are "safer" in that respect).
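To make the clamping the comment above refers to concrete, here is an added example (not from the thread or from any library): the RFC 7748 scalar decoding and Montgomery ladder written out in plain Python, used to show that the low-order points that exist because of cofactor 8 survive an unclamped scalar but collapse to zero once the scalar is clamped. The point `u=1` (order 4) and `u=0` (order 2) are the well-known low-order inputs; the test vector is Alice's key pair from RFC 7748 §6.1.

```python
# Added example: X25519 clamping on a cofactor-8 curve (RFC 7748 arithmetic,
# spelled out for clarity, not a constant-time or production implementation).
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519

def clamp(k: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear the low 3 bits (scalar becomes a
    multiple of the cofactor 8), clear bit 255, set bit 254 (fixed length)."""
    s = bytearray(k)
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return int.from_bytes(s, "little")

def decode_u(u: bytes) -> int:
    # The top bit of the u-coordinate is ignored, as RFC 7748 requires.
    return int.from_bytes(u, "little") & ((1 << 255) - 1)

def ladder(k: int, u: int) -> int:
    """x-only Montgomery ladder: returns u(k*P) for P with u-coordinate u.
    Takes a raw integer scalar so the effect of (not) clamping can be seen."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # The point at infinity has z2 == 0, so low-order inputs come out as 0.
    return x2 * pow(z2, P - 2, P) % P

def x25519(k: bytes, u: bytes) -> bytes:
    """Full X25519: clamp the scalar, then multiply."""
    return ladder(clamp(k), decode_u(u)).to_bytes(32, "little")

LOW_ORDER_U = [bytes(32), (1).to_bytes(32, "little")]  # order 2 and order 4
```

Calling `ladder(3, 1)` returns 1, i.e. an unclamped odd scalar leaves the order-4 component intact, whereas `x25519(k, u)` returns all zeros for every key `k` and both entries of `LOW_ORDER_U`; a NIST P curve has no such points because its cofactor is 1.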


"NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic interests of U.S. companies"

I don't think it's incompatible with a backdoor.

Why would they NOT backdoor it?


Because it would destroy their credibility in this field forever. Like, it's not impossible, but it'd have to be "burn all this accumulated trust right down" important. They can advance the US' interests in more subtle ways by just being above board.

Not that that's any guarantee with this administration, of course, but in general it's sound.


NBS and IBM were pushed by NSA to use 56 bit key length instead of 64 for DES. [1]

NBS became NIST and they still have credibility to you. Whatever reason you come up with why it was okay back then also applies today.

[1] https://en.m.wikipedia.org/wiki/Data_Encryption_Standard


...While also making it more resistant to differential cryptanalysis (called DCA from now on). DES died because of the small keyspace. Without the NSA/NBS changes it would have been insecure from the start and would have been a lot easier to crack once DCA was out in public.

The changes proposed made DES harder to crack for the NSA, but less "future safe" once computational power caught up. I don't know enough about DCA to know whether DCA-weak-DES could have been made safer with something like 3des, but I wouldn't want to bet on it.


These curves were published before the Trump administration.



