The NSA gives pretty good reasons for using ECC, and they are not alone in supporting it. The cryptography research community is also very supportive of ECC.
If that does not convince you or if you would prefer systems with security reductions to worst-case NP-hard problems, you should look here:
There is a lot of theoretical excitement about LWE right now, not only for public key encryption and signing systems but also for exotic things like fully homomorphic encryption and attribute based encryption. Unfortunately, there is are costs that hamper practical deployment. There keys will be larger. There are even more parameters to set, and bad choices can be fatal to security. The security of LWE-based systems is not as well-understood as ECC (making parameter choices even more difficult). Widely used standards like TLS and PGP do not have support for lattice / hidden codes systems. High-performance implementations are still under development.
Aye, aware of LWE, and it's interesting stuff, and understand the theory as to why ECC is secure, and why DH key exchanges are increasingly not so.
I'm just inherently suspicious of anything the NSA are in favour of, as their focus seems to be on breaking crypto, rather than recommending strong crypto - to recommend a key exchange mechanism that they can't snoop on seems to be a counterintuitive step.
Actually, the NSA both breaks crypto and recommends crypto systems for government use. Much of their ability to recommend cryptosystems comes from their expertise in attacking cryptosystems.
This played out in a very interesting way with DES. Most of the theories about an NSA conspiracy to weaken DES have been falsified. The changes to the s-box structure was later discovered to strengthen the cipher against a certain class of attacks. The small key size was later discovered to be right around the actual security level the cipher provides (larger key sizes would not have improved security by much).
In the case of public key crypto, one of the most important things we need is to know what parameter sizes to use. Cryptanalysis is critical to making such estimates, and once again the NSA's expertise comes in handy here. To put it another way, if you knew nothing about factoring integers, 1024 bit RSA keys would appear to be overkill -- the only reason key sizes have become so large is because of GNFS and similar developments.
In general you should avoid assuming that large, sprawling agencies like the NSA have a single goal. Yes the NSA conducts signals intelligence and would prefer that those signals not be encrypted. On the other hand the NSA also wants to ensure that foreign governments cannot spy on American government communications. With the vast reliance on contractors to develop software for sensitive systems there is a need for the NSA to make good recommendations to the public (even at the risk of improving our opponents' security); it is a classic NSA dilemma.
I also believe that the NSA intended to strenghten DES. However, it was later discovered that the changed they made to the s-boxes also made it weak against a different form of cryptanalysis.
The NSA's changes to the DES s-boxes made them stronger against differential cryptanalysis, an observation that betrayed the NSA's prior knowledge of differential cryptanalysis long before it reached the academic literature.
It's been awhile since I've studied DES, but I'm not aware of any sense in which the s-box changes weakened it.
Linear cryptanalysis. Its been awhile since I've studied it as well, but Applied Cryptography sites a successful attack that took only 50 with 12 workstations (the book was published in 1996).
DES resists linear cryptanalysis --- the best linear attack on DES is 2^43 and requires 2^43 known plaintexts. Linear cryptanalysis of FEAL-8 takes just 4000 plaintexts.
According to Don Coppersmith, NSA picked DES's s-boxes by randomly generating them and choosing the ones that best resisted differential cryptanalysis --- again, this is something NSA did fifteen years before differential cryptanalysis was discovered by the public. They modified DES to resist an attack only they knew about.
They weakened DES by reducing key size from 128 to 56 bits. Everything suggests they didn't know about linear cryptanalysis at the time, and in any case their improved sboxes, by being stronger against DC, were also stronger against LC.
>The small key size was later discovered to be right around the actual security level the cipher provides (larger key sizes would not have improved security by much).
Yes, the NSA created sboxes that were resistant to differential cryptanalysis. I was asking for a citation in regard to the claim that:
>The small key size was later discovered to be right around the actual security level the cipher provides (larger key sizes would not have improved security by much).
I have never heard this claim before and without any source backing it up I am liable to doubt it.
If that does not convince you or if you would prefer systems with security reductions to worst-case NP-hard problems, you should look here:
https://en.wikipedia.org/wiki/Learning_with_errors
There is a lot of theoretical excitement about LWE right now, not only for public key encryption and signing systems but also for exotic things like fully homomorphic encryption and attribute based encryption. Unfortunately, there is are costs that hamper practical deployment. There keys will be larger. There are even more parameters to set, and bad choices can be fatal to security. The security of LWE-based systems is not as well-understood as ECC (making parameter choices even more difficult). Widely used standards like TLS and PGP do not have support for lattice / hidden codes systems. High-performance implementations are still under development.