Certicom Corporation of Ontario, Canada, which was purchased by BlackBerry Limited in 2009,[3] holds some elliptic curve patents, which have been licensed by NSA for United States government use.
As of October 2012, CNSSP-15[4] stated that the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.
However, as of August 2015, NSA indicated that only the Top Secret algorithm strengths should be used to protect all levels of classified information.
"Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."
For this reason, the US federal government requires not only the use of NIST-validated encryption algorithms, but also that they be executed in a validated Hardware Security Module (HSM) that provides physical protection of the keys and, depending on the validation level, countermeasures against electronic attacks such as differential power analysis and other side-channel attacks.