## Why Is the NSA Moving Away from Elliptic Curve Cryptography?

In August, I wrote about the NSA’s plans to move to quantum-resistant algorithms for its own cryptographic needs.

Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the government’s real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster—to the stated reason of quantum computing fears.

Read the whole paper. (Feel free to skip over the math if it gets too hard, but keep going until the end.)

EDITED TO ADD (11/15): A commentary and critique of the paper by Matthew Green.

Lisa • October 28, 2015 2:39 PM

In order to get the required superpositions of qubit states, will this be possible in linear or exponential time/power relative to the number of qubits? I am not aware that physicists have properly answered this question yet.

If it takes more energy than the sun, or trillions of years to break a single RSA or ECC key with a quantum computer, then this exercise of migrating into alternative public key algorithms is pointless.

One might as well work on designing crypto systems that take into account time travel. (Not PFS, but dealing with brute force methods in which after countless years the results can be transmitted to the past.)