Except there’s evidence they do, in fact, go both directions.
For example, DES had its s-boxes messed with by the NSA. At the time, the thought was that they were intentionally weakening it. Some years later, public cryptographers developed differential cryptanalysis for breaking ciphers. They found that the new s-boxes in DES made it resistant to differential cryptanalysis. It appears the NSA had already developed the technique and had made DES stronger, not weaker. Because again, they need to protect their own stuff, too, and they used and promoted DES to get there.
They also gave it a really short key that was expected to be broken by the '90s, which is also exactly what happened.
They appear to be going a similar direction with elliptic curves. They seem to be resistant against certain attacks, and the NSA was promoting them earlier than most public cryptographers.
Except there’s evidence they do, in fact, go both directions.
For example, DES had its s-boxes messed with by the NSA. At the time, the thought was that they were intentionally weakening it. Some years later, public cryptographers developed differential cryptanalysis for breaking ciphers. They found that the new s-boxes in DES made it resistant to differential cryptanalysis. It appears the NSA had already developed the technique and had made DES stronger, not weaker. Because again, they need to protect their own stuff, too, and they used and promoted DES to get there.
They also gave it a really short key that was expected to be broken by the '90s, which is also exactly what happened.
They appear to be going a similar direction with elliptic curves. They seem to be resistant against certain attacks, and the NSA was promoting them earlier than most public cryptographers.