I assume that the argument is that a break in secp256k1 has an especially straightforward monetization, where breaking the cryptography in TLS, while much more destabilizing to the Internet and the things running on it, wouldn't immediately net you a bunch of cash, but rather would just enable further attacks that might get you that.
Ah, I see, thanks. Somewhat reminiscent of 'why waste 0-days stealing WoW gold'. Still feels like the argument is complicated up by things like Very Lorge or State Actors (to whomst money is not even money, as you like to point out) and that the value they seek to derive is also not necessarily financial or at least not immediately so. Like, surely more effort has been spent trying to break TLS than secp256k1 specifically.
> I assume that the argument is that a break in secp256k1 has an especially straightforward monetization
Exactly. Considering the sheer effort put into Bitcoin, including volume manufacture of custom ICs, if this was possible, someone would have done it by now. It wouldn't even be illegal.
What I think your analysis misses is that the security of a cryptosystem isn't an absolute thing. All sorts of cryptosystems exist that haven't been broken, and may never be broken, but would likely get someone else broken if emulated in a different setting. So the reason cryptography engineers probably wouldn't use ECDSA in a modern signing system, if they had a choice, is that ECDSA includes a bunch of footguns that better signing systems avoid.
