
I do not understand the jump from the NSA having a history of building systems from the chip up to reasoning by analogy that the same is true for NIST (The shared worldview link is 20 years old). I'm not disagreeing with the statement, I just do not see any support for the conclusion that NIST's is bad for the general public because unlike NIST's target customers we are not building custom chips.

Can anyone shed any light?




NIST doesn't build systems. It standardizes technology for the US. NIST standardizes far more than just crypto algorithms, but in the crypto cases, NSA reviews potential standards before the standard is published, for suitability to DoD. It is entirely reasonable to propose that NSA pushes NIST towards standardizing crypto that NSA is in a better position to use than industry is.


I was hoping you would respond, thanks tptacek. In light of your comment, is it reasonable to assume that NSA is going to supply the custom chips to the rest of the federal government? Given federal procurement standards it seems that the majority of federal IT departments rely on industry to provide hardware. Is it still reasonable to propose that NSA pushes NIST in a direction that serves NSA's interest at the cost of weakening other governmental agencies? What is the implementation deadline for federal use of SHA-3? Is it unreasonable to assume that the standards committee expects SHA-3 hardware implementation similar to AES-NI?

On a related note AES is the NIST standard for protecting sensitive but unclassified information:

"Applicability. This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.

Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard. Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive (unclassified) information in lieu of this standard." [1]

I have always assumed that this scope limitation within FIPS197 meant that NSA, DoD, Secret Army of Northern VA, etc had a different standard/requirements (NSA Suite A&B) for classified (and up) information. Is this the case? If so why would NSA have so much skin in the game if they were not restricted to FIPS197 requirements?

[1] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


I wouldn't expect the NSA to be involved with sourcing of hardware for the rest of the federal government (unless the continued fear around supply chain management completely takes over, which I suppose is possible, as it's probably the number one concern presently among a lot of agencies).

While they exert a disproportionate amount of guidance to other agencies, that is generally orthogonal to their primary motivations.

You can certainly make a case that NSA pushes NIST towards making guidelines for things that they favor, but I don't seriously believe that's at the expense of weakening other agencies (at least not as a goal).

As to classified and up information, the NSA can't get enough ECC, and many of the Suite B implementations of other standards are just a version of the standard that works (and is "certified") to use Elliptical Curve Cryptography (like TPM Suite B, which we work on).


I apologize for not being clearer about NSA's motivations. I did not mean to imply that there was any malicious intent when it comes to weakening federal IT standards. (It seems that NSA would be aware of the negative side effects of their recommendations.)

Could NSA's hardware centric recommendations be motivated by an interest in leveraging economies of scale (due to the size of federal IT procurement) and purchasing COTS hardware that was optimized for AES?


It's possible (although they're already procuring hardware at GSA-approved rates, so I'm not sure if there are the same economies of scale that you see in the commercial realm).


The link between NSA's past work and NIST's tendencies today is weak, certainly. It's at best a rough guess on my part although, with the NSA, a rough guess is as good as we ever get :)

But I am claiming that there's a hardware orientated bias in the major recommendations that I see NIST making in the crypto space. I'm taking a flying guess at the reason, and perhaps I should simply have skipped any speculation. But the seeming bias is still worth highlighting I think.



