Popularity
Curve25519 was first released by Daniel J. Bernstein in 2005,[7] but interest increased considerably after 2013 when it was discovered that the NSA had implemented a backdoor into Dual EC DRBG. While not directly related,[8] suspicious aspects of the NIST's P curve constants[9] led to concerns[10] that the NSA had chosen values that gave them an advantage in factoring[11] public keys.[12]
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry
— Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
Since then, Curve25519 has become the de facto alternative to P-256, and is used in a wide variety of applications.[13] In 2014 OpenSSH[14] defaults to Curve25519-based ECDH.
https://en.wikipedia.org/wiki/Curve25519I agree that Wikipedia article isn't as clear as it could be - in that the context of the Bruce Schneier quote isn't particularly clear to readers not familliar with the history of the curves being discussed here. But I assure you that Bruce was
not talking about Curve25519 there.
The reason for the inclusion of that particular quote in the article is to explain why Curve25519 has become popular in recent years: there are concerns about the choice of constants in
other curves, which has resulted in many more people using Curve25519 precisely because there are no such concerns with Curve25519.
Curve25519 is generally considered to be safe. That said, there are those who worry (Bruce Schneier included) that the NSA may have made advances in the cryptanalysis of ECC in general - but if that's the case then any attacks might affect
all curves - or at least, we have no way of knowing which curves are vulnerable. If that
were to be the case, it would be a concern for pretty much all cyrptocurrencies, though - potentially necessitating a move to larger keys (depending on how bad the attack is).
Actually, using a different curve to the one used by Bitcoin and most other coins is a
good thing because it gives the market an opportunity to hedge the risk by holding coins that use different curves. If an attack on ECC is found (by the NSA or someone else) it's quite possible (although by no means a given) that the attack might work better against some curves than others - although there's no real way to know which curves are safer in advance of the attack being found.
EDIT: Actually, looks like I was wrong - Monero uses Ed25519 and EdDSA (not Curve25519 and ECDSA). So it shares even less crypto with most other coins that I had thought.
