In August, National Security Agency officials advised US agencies and businesses to prepare for a not-too-distant time when the cryptography protecting virtually all sensitive government and business communications is rendered obsolete by quantum computing. The advisory recommended backing away from plans to deploy elliptic curve cryptography, a form of public key cryptography that the NSA spent the previous 20 years promoting as more secure than the older RSA cryptosystem.
Almost immediately, the dramatic about-face generated questions and anxiety. Why would the NSA abruptly abandon a series of ECC specifications it had championed for so long? Why were officials issuing the advice now when a working quantum computer was 10 to 50 years away, and why would they back away from ECC before recommending a suite of quantum-resistant alternatives? The fact that the NSA was continuing to endorse use of RSA, which is also vulnerable to quantum computing, led some observers to speculate there was a secret motivation that had nothing to do with quantum computing.
On Tuesday, researchers Neal Koblitz and Alfred J. Menezes published a paper titled A Riddle Wrapped in an Enigma that compiles some of the competing theories behind the August advisory. The researchers stressed that that their paper isn't academic and at times relies on unsourced facts and opinions. And sure enough, some of the theories sound almost conspiratorial. Still, the paper does a good job of evaluating the strengths and weaknesses of the NSA's highly unexpected abandonment of ECC in a post quantum crypto (PQC) world.