90 percent of Tor keys can be broken by NSA: what does it mean?

Came here to post just that.

As I understand it, the trick is that the constants in ECC crypto could be random, or they could have been generated out of some source data known to insiders to the process. Looking at the numbers, there’s no way to tell. But, if it was the latter, then whoever knows the source data can easily defeat the crypto.

And guess who it was that pushed for the specific constants in use in the main ECC crypto implementations?

So, you could design a protocol that does ECC crypto, but generates random constants at the beginning of the connection - but most protocol designers won’t do that.