
One of the "nice" things about the NSA: they rely on pretty standard crypto--the same kind the rest of us do!--for their less sensitive, but still classified, secrets. NSA Ciphersuite B (http://en.m.wikipedia.org/wiki/NSA_Suite_B_Cryptography) is built into a lot of gov/mil communications technology. And it's just RSA, ECDHE, and so on--all that same stuff available in TLS.

In other words: if the NSA break one of these "public" algorithms, you'll be able to tell; they'll soon be picking new Suite B ciphers. (There will be a time-delay, but not of the intentional "let's capture+break foreign transmissions before scaring them away from this cipher" kind. Re-securing our own transmissions takes priority, always. Even if it was broken because of some "quantum leap"--pardon the pun--we have to assume our enemies are advancing their own tech at roughly the same rate, so if we can crack it, they can too.)



What I find really interesting about the NSA is their Suite A: classified algorithms (!) used to protect the most sensitive documents (!!) with hilariously bad security records (!!!).

Take for instance the Skipjack cipher (https://en.wikipedia.org/wiki/Skipjack_(cipher)), a Type I cipher ("endorsed by the NSA for securing classified and sensitive U.S. Government information") which was evaluated, for the purpose of security, by "some of the world's most accomplished and famous experts in combinatorics and abstract algebra", and finally declassified due to concerns expressed by other cryptographers about its security.

Biham and Shamir broke it the day after it was declassified.


They broke 16 out of 32 rounds, with an unrealistic amount of chosen-plaintext. It's not really something to write home about. Rijndael was selected as AES when the best known attack broke 7 out of 10 rounds.


They broke 31 out of 32 rounds.

In cryptography, if you break 1 bit, you've broken it. No excuse.


  Skipjack was designed using building blocks and 
  techniques that date back more than forty years.
I think it's safe to assume they have much stronger stuff now.


I'm not sure if this would be true. It's a game theory problem, surely. I'm not especially crypto-literate, but if player A has the ability to read the majority of currently encrypted comms world-wide, broadcasting that ability (by suddenly and dramatically changing their own encryption methodologies) would be a very silly move unless there was a very serious reason to believe somebody else was very close to developing the same abilities... and if they were, then they would also be changing their own encryption standards, which we haven't seen.

So it basically comes down to whether or not we 'assume our enemies are advancing their own tech at roughly the same rate.' The NSA probably has an okay idea of what 'roughly' is, and if you had this ability you wouldn't be showing your hand lightly.

Way more speculatively, I'd be curious to know whether or not it would be possible to add 'next-gen' crypto to existing practices in such a way that it might be transparent?


I also think that the fact that this would be exploited against non-state actors as well as states changes the payout calculations significantly. Much, if not most, of the value is derived from exploiting non-state actors (i.e. Al Qaeda) who almost certainly would not have this capability, or would not be able to keep it quiet if they did. By signaling to the state actor on these capabilities, they would be giving up the value of exploiting the information from the non-state actors. So, even if you believed that state actors had these capabilities, it may be better to keep it a secret between the two countries and allow low-priority secrets to be exploited than to have the info publicly known and the capability lost.


There is very good reason to believe that once you have developed something, someone else is close, too. The reason is you found it.

If you check some scientific breakthroughs during the Cold War, they were very close on both sides, within a matter of months.

Also, with 5% of the world population, the NSA has a limited talent pool. Assuming you are first to the goal in that case is ... overly confident. (Even if we correct for a lot of people that are not easy to tap in the outside populations, the chances are not on the NSA's side). And I am sure a lot of the messages in other countries' communications are fake and testing, just to see if someone is snooping.


Suite B does not contain RSA.

EDIT: To your latter point, some people would consider this to be a telling fact.


Judging from the Wikipedia link, Suite B does not contain a public key cypher. Which either tells us that the NSA does not use asymmetric cyphers because they are broken, or that they have a technical reason for it, like being able to do everything they want with key exchange, signature and symmetric cypher. So it is probably worth pointing out that these speculations are interesting, but ultimately fruitless, since we simply do not have enough information.


There's ECDH and ECDSA.


Yes, I should have read the wiki link. However, my point was that Suite B is so generic that we cannot really speculate why the NSA recommended this set of algos and not something else.


They've written up a case for ECC. More elsewhere in the comments, but a key point is "RSA's really slow if you want 2^256 security": http://www.nsa.gov/business/programs/elliptic_curve.shtml


Or non-EC DH, either. (It does include ECDH.)

Perhaps they were simply anticipating DLP progress and wanted to be future-proof?


It's more likely because you can't achieve modern security levels with cryptosystems built on the DLP or IFP at acceptable performance.

Suite B aims for 128-bit or 192-bit security levels; for comparison 1024-bit modulus RSA is currently thought to provide 73-bit security.

(The next natural question is why the internet community is still failing to widely deploy cryptosystems with appropriate security levels. I don't know. But HTTPS, OTR and DNSSEC are all built of cheese in this respect.)


It's telling that RSA is not practical to deploy at 256-bit security today.
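The two comments above (1024-bit RSA at roughly 73-bit security; RSA impractical at 256-bit security) come from the way factoring cost grows with modulus size. The following is an added worked example, not code from the thread: it evaluates the General Number Field Sieve heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, calibrates it to the comment's own 1024-bit → 73-bit figure (an assumption of this example, not a measured value), and compares the resulting RSA modulus sizes against elliptic-curve field sizes, where generic discrete-log attacks cost about the square root of the group order. Function names and the calibration choice are this example's own.

```python
import math


def gnfs_work_bits(modulus_bits: int) -> float:
    """Heuristic factoring cost in bits for an n-bit modulus, from the GNFS
    asymptotic exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)).
    The o(1) term is dropped, so the absolute values are only indicative."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


# Calibration point taken from the comment above: 1024-bit RSA ~ 73-bit security.
# (Assumed here as the anchor; other published estimates use 80 bits.)
CAL_MODULUS_BITS, CAL_SECURITY_BITS = 1024, 73
OFFSET = CAL_SECURITY_BITS - gnfs_work_bits(CAL_MODULUS_BITS)


def rsa_security_bits(modulus_bits: int) -> int:
    """Estimated security level of an RSA modulus, in bits."""
    return round(gnfs_work_bits(modulus_bits) + OFFSET)


def rsa_bits_for_security(security_bits: int) -> int:
    """Smallest modulus size (in 256-bit steps) reaching the target level."""
    k = 256
    while rsa_security_bits(k) < security_bits:
        k += 256
    return k


def ecc_bits_for_security(security_bits: int) -> int:
    """Pollard rho on an n-bit curve group costs ~2^(n/2), so a curve needs
    roughly twice the target security level in field bits."""
    return 2 * security_bits


def compare(security_bits: int) -> dict:
    """Side-by-side key sizes for one target security level."""
    rsa = rsa_bits_for_security(security_bits)
    ecc = ecc_bits_for_security(security_bits)
    return {
        "security_bits": security_bits,
        "rsa_modulus_bits": rsa,
        "ecc_field_bits": ecc,
        "rsa_to_ecc_ratio": round(rsa / ecc, 1),
    }


if __name__ == "__main__":
    # Suite B targets 128 and 192 bits; 256 is the level the comment calls impractical for RSA.
    for level in (73, 112, 128, 192, 256):
        print(compare(level))
```

The ratio column is the point: the ECC field grows linearly with the target level, while the RSA modulus grows much faster, which is why modular exponentiation at the 256-bit level becomes prohibitively slow.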


By "our enemies" you mean enemies of the USG, I assume.

I agree with your point, but do you think they'd force a widespread cipher switch across government bodies? Or leave other government entities using broken encryption so they can more easily spy?


This depends - in reality all governments are going to be forced to realise that what they used to think was security has all along simply been privacy - anyone who could tell what they were up to was too polite / disinterested to do so. The guy with the cottage across from XXX research centre does not care about the tail numbers of the planes landing at night.

But now every plane spotter has instant cross-correlation with every other one - and those secret flights stand out as being, well, private flights.

So long story short, if I did magically invent quantum computing, I would let the rest of the low-grade secrets go hang. One of the 3 million (!) security-cleared US personnel will throw Assange a copy soon enough - so let's use the advantage, to our advantage.

This of course means that if our security services have the brains and the political muscle, they will need to choose themselves which are the truly secret things and arrange a government in a government to keep it in shape. That's not likely to be a good thing.


as far as i understand it, ciphertext is indistinguishable from random text. and, afaik, this is true of all modern algos. so, how do you notice they switched? you don't.

you only notice once they call upon the more public parts of gov to switch to another 'secure' algo. also, NSA themselves probably use the Suite A algos that we know batshit about.

but, reality check: THIS IS ALL SPECULATION. there is no evidence that they have broken anything.
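The first paragraph of the comment above makes a concrete claim: ciphertext from a sound modern cipher is indistinguishable from random bytes, so an observer of the wire cannot tell one algorithm from another, let alone notice a switch. The block below is an added illustration, not code from the thread or from any NSA suite: it encrypts a constructed, highly repetitive plaintext under two different toy keystream constructions (SHA-256 and HMAC-SHA1 in counter mode, both this example's own and not recommended designs) and runs two simple statistical checks, a monobit test and a byte-frequency chi-square, over the plaintext, both ciphertexts and a non-cryptographic reference stream. Keys, nonces and thresholds are constructed for the example.

```python
import hashlib
import hmac
import math
import random
from collections import Counter


def sha256_ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def hmac_sha1_ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """A second, deliberately different toy keystream: HMAC-SHA1 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha1).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(keystream_fn, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: XOR plaintext with the chosen keystream."""
    ks = keystream_fn(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def monobit_z(data: bytes) -> float:
    """z-score of the count of 1 bits against the expected n/2 for random data."""
    ones = sum(bin(b).count("1") for b in data)
    n = len(data) * 8
    return (ones - n / 2) / math.sqrt(n / 4)


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    (255 degrees of freedom; random data lands near 255)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes, z_limit: float = 4.0, chi_limit: float = 360.0) -> bool:
    """True when neither crude test rejects the 'random bytes' hypothesis."""
    return abs(monobit_z(data)) < z_limit and byte_chi_square(data) < chi_limit


def demo() -> dict:
    """Run both checks on plaintext, two ciphertexts and a reference stream."""
    # Constructed plaintext: one sentence repeated, so it is very far from random.
    plaintext = b"Top secret: the meeting is at noon. " * 2000
    key = b"\x01" * 32      # constructed key, not a real secret
    nonce = b"\x02" * 16    # constructed nonce
    ct_a = encrypt(sha256_ctr_keystream, key, nonce, plaintext)
    ct_b = encrypt(hmac_sha1_ctr_keystream, key, nonce, plaintext)
    # Seeded PRNG output as a non-cryptographic 'random-looking' reference.
    rng = random.Random(1234)
    reference = rng.getrandbits(8 * len(plaintext)).to_bytes(len(plaintext), "big")
    return {
        "plaintext": looks_random(plaintext),
        "cipher_a": looks_random(ct_a),
        "cipher_b": looks_random(ct_b),
        "reference": looks_random(reference),
        "ciphertexts_differ": ct_a != ct_b,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The plaintext fails both tests immediately (ASCII never sets the top bit, and only a few dozen byte values occur), while both ciphertexts and the reference stream pass: the statistics say nothing about which construction produced them. Stronger distinguishers exist for weak designs, but for a sound cipher this is exactly the property the comment relies on.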



