And I quote, "So what's the problem? Answer: If you implement the NIST curves, chances are you're doing it wrong"
This is just reinforcing my point. There is nothing known to be mathematically wrong with the standard curves. Bernstein just warns against all the (admittedly many) pitfalls in implementations, and that the Weierstrass normal form makes it easier to run into problems than the normal form he proposes. This is the only reason he says NIST doesn't guarantee security, and of course they don't guarantee against engineering errors.
But that's extremely different from saying NSA planted backdoored curves intentionally. The only thing in Bernstein's analysis that I could possibly construe as suggesting malicious behavior is that the NIST curves are outdated (the suggestion being that they are intentionally left outdated).
This is just reinforcing my point. There is nothing known to be mathematically wrong with the standard curves. Bernstein just warns against all the (admittedly many) pitfalls in implementations, and that the Weierstrass normal form makes it easier to run into problems than the normal form he proposes. This is the only reason he says NIST doesn't guarantee security, and of course they don't guarantee against engineering errors.
But that's extremely different from saying NSA planted backdoored curves intentionally. The only thing in Bernstein's analysis that I could possibly construe as suggesting malicious behavior is that the NIST curves are outdated (the suggestion being that they are intentionally left outdated).