Earlier this week, the NSA announced plans to make plans to transition to quantum-resistant algorithms—so much as they currently exist—while advising everyone else to start planning to plan for the same. While quantum computers don't really exist at useful scales, nor are they likely to in the very near future, their emergence at some point seems reasonably assured. And this will be very, very bad for encryption as we know it—where "bad" translates roughly to "completely destroy."
At the moment, the NSA's Information Assurance Directorate (IAD) uses Suite B algorithms for protecting classified and unclassified National Security Systems. This is a collection of four NIST-specified algorithms employed for such ends as digital signatures, message hashing, anonymous key agreement protocols, and symmetric encryption. The Suite B algorithms have been around since 2005 and are an open standard widely employed in the private sector via the Internet Engineering Task Force.
The agency now says it's time to move on, with its most recently published guidance offering the following:
IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms. Our ultimate goal is to provide cost effective security against a potential quantum computer.
So, that's probably a good thing. Every single digital security protocol suddenly failing at once would be less than ideal.
Behind Suite B is what's known as elliptic-curve cryptography (ECC). As with the integer factorization problem employed in RSA encryption, ECC depends on a certain prohibitively difficult math calculation, which is finding the discrete logarithm of a point on an elliptic curve. The advantage is mostly in key size—the security of a 3072-bit RSA key can be had for a mere 256 bits in an ECC scheme—and many companies and organizations have not yet made the ECC/Suite B switch.
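The hard problem behind ECC, as an added example that is not part of the article: a toy curve over a 97-element field (curve and base point constructed for illustration, not a standard curve) on which computing k*G is cheap, while recovering k from k*G means stepping through the subgroup. At 256-bit sizes that search is classically infeasible, which is exactly the asymmetry the article says a quantum computer would remove.

```python
# Toy curve y^2 = x^3 + A*x + B over F_97 (constructed, not a standard curve).
# Real ECC uses ~256-bit primes; the tiny field lets brute force finish instantly.
P_MOD, A, B = 97, 2, 3
INF = None                    # point at infinity, the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Chord-and-tangent group law over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O
    if p1 == p2:                                     # tangent slope
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                                            # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """k*pt by double-and-add: the easy direction (private scalar -> public point)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def brute_force_dlog(base, target):
    """Recover k with k*base == target by stepping through every multiple: the hard
    direction. Linear in the subgroup order, hence hopeless at 256 bits classically."""
    k, cur = 0, INF
    while True:
        if cur == target:
            return k
        k, cur = k + 1, add(cur, base)
        if cur is INF:                               # cycled back without a hit
            return None

G = (3, 6)       # constructed base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
```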
Now, the NSA is telling them to not bother with it, basically. Keep that money in the bank so it's ready for quantum-proof encryption algorithms and post-Suite B standards, none of which quite exist as of yet. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, which has made it clear that elliptic curve cryptography is not the long term solution many once hoped it would be," the agency concedes.
The concession is really to quantum computing in general, which is a statement about the power of the technology itself, given that it doesn't even really exist yet outside of arduous and conceptual experimentation. Or maybe it's a statement about our rather sudden reliance on encryption (read: really hard math problems) for pretty much everything we do.