Backdoored or not, the P-curves (or more specifically the standard algorithm we use for them) are hard to use and easy to misuse.
djb dedicated an entire page listing all the theoretical issues with the P-curves and other elliptic curves[1], but their main weakness in practice is that they are just too prone to bad implementation and misuse.
The most well-known failure has to be the PS3 jailbreak [2]. Sony just failed to implement their RNG (or alternatively copied their RNG code from xkcd #221), which rendered their ECDSA-based crypto completely worthless.
Another famous case is the long list of JWT/JWE libraries which were vulnerable to invalid curve attacks, again completely destroying the security of their NIST P-curves (when used for encryption) [3].
Really, I don't think anybody should be using NIST P-curves if they have any choice, unless you verified your implementation yourself. And I don't even want to claim to be able to do it.
(I don't think tptacek ever said you should use the NIST curves[4], so there's no controversy there)
[1] https://safecurves.cr.yp.to/
[2] https://www.youtube.com/watch?v=LP1t_pzxKyE
[3] https://auth0.com/blog/critical-vulnerability-in-json-web-en...
[4] https://latacora.micro.blog/2018/04/03/cryptographic-right-a...
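The check whose absence makes an ECDH-ES implementation open to the invalid curve attacks mentioned above, as an added example that is not part of the original comment or of any library it refers to: before a JWE recipient uses the sender's ephemeral public key (`epk`), it confirms the point satisfies the P-256 curve equation. The function names and the JWK dictionaries are constructed for illustration; the curve constants are the published P-256 parameters.

```python
import base64

# NIST P-256 domain parameters: y^2 = x^3 - 3x + B over GF(P)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point, used here only to build a known-good sample key
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def b64url_to_int(s):
    """Decode an unpadded base64url JWK coordinate; P-256 needs 32 bytes."""
    if not isinstance(s, str):
        raise ValueError("coordinate missing or not a string")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if len(raw) != 32:
        raise ValueError("coordinate must be exactly 32 bytes")
    return int.from_bytes(raw, "big")


def int_to_b64url(n):
    """Encode a coordinate the way a JWK carries it (helper for sample data)."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()


def on_p256(x, y):
    """True only if (x, y) is a reduced affine point on P-256."""
    if not (0 <= x < P and 0 <= y < P):
        return False  # unreduced coordinates are rejected, not silently reduced
    return (y * y - (x * x * x - 3 * x + B)) % P == 0


def validate_epk(jwk):
    """Return (x, y) for a usable P-256 epk, or raise ValueError.

    P-256 has cofactor 1, so an affine point on the curve is already in the
    prime-order group; no separate subgroup check is needed for this curve.
    """
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("unexpected key type or curve")
    x = b64url_to_int(jwk.get("x"))
    y = b64url_to_int(jwk.get("y"))
    if not on_p256(x, y):
        raise ValueError("point is not on P-256")
    return x, y


# Constructed sample: the base point as a JWK, and the same key with y altered
GOOD_EPK = {"kty": "EC", "crv": "P-256",
            "x": int_to_b64url(GX), "y": int_to_b64url(GY)}
BAD_EPK = dict(GOOD_EPK, y=int_to_b64url(GY + 1))
```

The validation has to run before the private scalar touches the point; a library that multiplies first and checks afterwards has already done the work the attack relies on.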