by tptacek 3316 days ago
No, it would not be. If you're using algorithms or constructions that are physically within the reach of a conventional computer assembled for any amount of money obtainable from the treasuries of all the Five Eyes governments, you're doing something wrong. Don't use RSA-1024; don't use 1024-bit multiplicative group Diffie-Hellman; don't use RC4; and then stop worrying about NSA supercomputers.

Per our previous discussion, you should probably add hash and KDF issues to this list.

I also find supercomputers relevant to PRNGs, both on the overall PRNG security front and on the inadequate seeding front. Since CSPRNGs are not designed to be slow to calculate, supercomputers can be used to attack key generation from inadequate seeding, given some useful model of what the effective space of seeds could have been.

For instance, there are probably still many embedded systems that are initializing without anything that is reasonably called "environmental noise", and their state space is dangerously small, yet maybe still challenging for most organizations to search, depending on exactly what they initialized it with.
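
The seed-space search described in the comment above, as an added example that is not part of the original thread. The device model (a seed built from nothing but millisecond uptime), the counter-mode SHA-256 expander standing in for a real DRBG, the known message `hello` and the uptime value 48213 are all constructed for the illustration:

```python
import hashlib
import hmac
import os
import struct

# Constructed: a fixed handshake message whose MAC the attacker can observe.
KNOWN_MESSAGE = b"hello"


def expand(seed: bytes, nbytes: int) -> bytes:
    # Assumed stand-in for a DRBG: counter-mode SHA-256 over the seed.
    # Like a real CSPRNG it is deterministic and cheap, so each candidate
    # seed costs the attacker only a few hash calls.
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:nbytes]


def uptime_seed(uptime_ms: int) -> bytes:
    # Models a device that seeds from its millisecond uptime at boot and
    # nothing else: at most 32 bits, and in practice far fewer.
    return struct.pack(">I", uptime_ms)


def derive_key(seed: bytes) -> bytes:
    return expand(seed, 32)


def tag(key: bytes) -> bytes:
    # A key-dependent value that reaches the wire, here a MAC on a known
    # message; any public value computed from the key serves the same role.
    return hmac.new(key, KNOWN_MESSAGE, hashlib.sha256).digest()


def recover_uptime(observed_tag: bytes, max_uptime_ms: int):
    # Attacker's search: enumerate the plausible seed space, re-run the
    # device's key generation for each candidate, compare with what was seen.
    for candidate in range(max_uptime_ms):
        key = derive_key(uptime_seed(candidate))
        if hmac.compare_digest(tag(key), observed_tag):
            return candidate
    return None


def demo():
    # Device A seeded only from uptime (constructed value 48213 ms); the
    # attacker assumes the device came up within its first minute.
    weak_key = derive_key(uptime_seed(48213))
    found = recover_uptime(tag(weak_key), 60_000)

    # Device B seeded from 32 bytes of real randomness: the same search
    # has nothing to find.
    strong_key = derive_key(os.urandom(32))
    not_found = recover_uptime(tag(strong_key), 60_000)
    return found, not_found


if __name__ == "__main__":
    found, not_found = demo()
    print("uptime-seeded device, seed recovered:", found)
    print("urandom-seeded device, seed recovered:", not_found)
```

The search completes in well under a second on a laptop because the expander is fast by design; even a full 32-bit seed is only 2^32 hash evaluations. What makes the second device safe is not a slower PRNG but a seed the attacker cannot enumerate, which is the "environmental noise" the comment refers to.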

The embedded systems cold start entropy problem is a good point I hadn't thought about before.

Of course (not that you disagree), if you have this problem, you have it with or without NSA supercomputers!

I don't think CryptGenRandom or urandom on general-purpose computers is a viable target for this, though, regardless of how "fast" the CSPRNG is.