NSA ability to sniff traffic at major telecom exchanges is real. NSA ability to break $cipher or $hash based on the hearsay journalism involving an interview of (ex-)NSA employees (who would certainly be barred from talking about any real non-public attacks) is not real [1]. It's possible the NSA is setting up real systems that will brute force or factor or find collisions for known borderline algorithms/keysizes. Maybe they have a collection of old DES-encrypted traffic and they are building enough computing resources to do large-scale cracking of DES keys.
The idea that they can create collisions for hashes or crack ciphers believed to be relatively secure in the near to mid future is paranoid speculation.
However, if you're going to be paranoid, direct your attention to RSA and DH (plain, not ECDH). In Suite B, which the NSA recommends for use by government, RSA and DH are absent. If the NSA knows of a weakness in anything currently believed to be secure (I think that's unlikely), I would bet that it's RSA and DH, because the NSA no longer recommends them. I think RSA and DH are superseded by ECDSA/ECDH simply because of speed at comparable key strengths, not because the NSA knows something the public doesn't. As an aside, it indicates that the NSA has a fair amount of confidence in ECDSA/ECDH.
I do not think the NSA is stupid enough to play chicken with the public crypto community by recommending encrypting classified information with ciphers NSA knows to be weak. The public could discover those weaknesses tomorrow. The most sensitive information inside the U.S. government and military is presumably protected by the NSA's Suite A algorithms, but other important information is not, notably military communications between U.S. allies, for which Suite B is recommended.
I heard a story somewhere that public key cryptography was known to the NSA long before the 70s. Maybe they are 30 years ahead in cryptographic number theory? Maybe prime factorization isn't actually hard? Maybe...
What was essentially RSA was known to Britain's GCHQ (Government Communications Headquarters) in 1973. Is this what you were thinking of? Rivest, Shamir and Adleman rediscovered it in 1977.
[1] https://www.schneier.com/blog/archives/2012/03/can_the_nsa_b...