[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Shnatsel . shnatsel at gmail.com
Mon Jun 1 16:43:00 EDT 2015


> But how do you know those arguments aren't cherry-picked ?

We don't. We don't know they're good, all we know is they're
relatively better than NIST curves, both based on publicly available
research and on their developers having better rationale for their
parameters than NIST as well as potentially less of an incentive to
backdoor them.

If crypto primitive backdoors are a real problem, BADA55 curves with
verifiably random parameters might be worth considering:
http://safecurves.cr.yp.to/bada55.html

