Wouldn't the most parsimonious explanation be that the NSA got spooked by "unknown unknowns"? You've got a lot of researchers working in private on cloak-and-dagger projects; no doubt some of them get paranoid in the same way the public cryptography community blew a seemingly innocuous statement out of proportion.
The article supports this notion, noting many times that the Snowden leaks, despite being extremely damaging and thus unlikely to be intentional, did not reveal a back door into ECC.
Well, we still haven't got a standardised set of quantum-resistant cryptographic recommendations from NIST (expected to arrive 2022-2024), but since the article was released, the NSA have replaced Suite B with the CNSA [0]. CNSA is similar to Suite B, in that it is also not quantum-resistant, and also recommends AES, ECDH, ECDSA, and SHA-2. However, it also recommends RSA & classic Diffie-Hellman over multiplicative groups of integers, while Suite B exclusively recommended elliptic curve-based public-key crypto.
Things are definitely in a bit of a weird state; the current messaging from the NSA [1] is pretty mixed:
> For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.
> For those vendors and partners that have already transitioned to Suite B, we recognize that this took a great deal of effort on your part, and we thank you for your efforts. We look forward to your continued support as we work together to improve information security for National Security customers against the threat of a quantum computer being developed. Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, which has made it clear that elliptic curve cryptography is not the long term solution many once hoped it would be. Thus, we have been obligated to update our strategy.
> It is important to note that we aren't asking vendors to stop implementing the Suite B algorithms and we aren't asking our national security customers to stop using these algorithms. Rather, we want to give more flexibility to vendors and our customers in the present as we prepare for a quantum safe future. Where elliptic curve protocols are to be used, we prefer Suite B standards be used to the fullest extent possible as they have a long history of security evaluation and time tested implementation that newer proposals do not yet have.
I think from any other crypto vendor, it would be a lot easier to take this at face value, but the NSA's incentives are so mixed, it's difficult to know what to think.
> However, it also recommends RSA & classic Diffie-Hellman over multiplicative groups of integers, while Suite B exclusively recommended elliptic curve-based public-key crypto.
I think their reasoning is probably along the lines of "large RSA keys will buy you a little bit more time to migrate than small ECC keys if a quantum computer emerged today, due to memory constraints with what we think a quantum computer will look like".
I find the theory that the NSA knows something about quantum computing that the public does not a bit compelling. Mainly because it is a seemingly simple explanation.
The paper's primary argument against this theory seems to be that the NSA's budget for related work is not high enough to suggest that they are concerned about this or have the capability of discovering this. However, I believe that it is likely that this budget was allocated before these revelations about quantum computing, and that the discovery did not have to come from quantum computing research.
The next argument is more compelling; it references experts saying that this type of development is not coming soon. But this could possibly be incorrect if the scale of investment by an entity is much larger than publicly known.
For there to be something that the NSA knows that the public does not, it would probably have to have been discovered by an entity with more funding. Like another nation, and the NSA found out about it through intelligence collection.
For this to be the case, an entity would have to have invested significantly and also leaked the results of this investment. Or perhaps just the scale of the investment leaked and that was enough to elicit concern.
In short, the most straightforward explanation is IMO more plausible than the paper suggests.