mikedilger
commented
1 week ago It we switched to new crypto, we'd lose all current nostr identities.
Better is if we have a crypto-specified identity: 32 bytes plus a flag indicating which crypto scheme to use.
Yes, devs will need to support "both" crypto schemes, which breaks fiatjaf's rule of only one way, but I think it might be worth it. Whether it is worth it or not depends on how bad secp256k1 is. So probably not worth it right now, but the scheme for additional crypto should be put in place so we can change it later. E.g. have a flag but only offer one value right now being secp256k1.
I don't know all the reasons for certain, but cryptographers advise "just use ed25519". SafeCurves gives some reasons, and some have said secp256k1 is slower.