Why doesn't GoodCrypto use ECC?

GoodCrypto's avoidance of elliptic curves is very controversial to some. Our biggest objection is that ECC is a state sponsored standard. You may disagree if you believe that state crypto standards are intended to protect you, and not crippled so the state can spy.

Multiple compromises of elliptic curves by NSA are now well known (RSA warning and NIST alert). In one case NSA paid $10 million dollars for a backdoor in ECC.

We agree with Bruce Schneier when he says, "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry". As Colin Percival suggests, "You should use elliptic curves only if your name is Daniel J. Bernstein." And djb is very skeptical of ECC standards.

It's also interesting that many mathematicians have found that they can't analyze the magic ECC constants. That makes auditing a matter of "Trust me" with an implied "You're too stupid". That doesn't fly any more.

Mathematicians hate the implication that they are stupid. Many opt out of the discussion, leaving the field to elliptic curve promoters. This could be a good way to hide a backdoor.

There is no clear need for ECC. ECC is still a popular forward secrecy choice, and may be useful as an additional encryption layer for that purpose. The RSA algorithm is a tested and trusted alternative. RSA is auditable. The excuses for replacing RSA are not convincing to us.