I agree with the article. Perfect forward secrecy (given master private key, still can't figure out derived session keys) is a wonderful property.
However, it's a bit over-reaching to say it can "block the NSA". It won't stop them from backdoor-ing your hardware/software (keyloggers, compromised random numbers, etc). It won't stop them from storing the encrypted communication until (for example) quantum computers make it possible to decrypt it (assuming RSA).
Since we're assuming quantum computers, isn't Diffie-Hellman vulnerable as well? A bit of wikipediaing suggests DH is equivalent to a "discrete logarithm problem", which it also states has an "efficient" (polynomial time) quantum algorithm.
Sure, it won't "block the NSA" from discovering anything about you. But it raises the stakes.
It is much easier for the NSA to backdoor/crack/make deals with a few telecoms, collect all of the encrypted data, and then decrypt it at their leisure (via stealing RSA keys, getting them via legal channels, cracking RSA, taking advantage of compromised random numbers, or the like), than it is for them to backdoor your hardware (much larger surface of possible discovery), install keyloggers (need physical access, much more expensive to do so only makes sense to do in a targeted fashion) etc.
The whole point of this brouhaha is that the NSA appears to be hoovering up massive amounts of data, which it keeps and which even fairly junior employees at government contractors have access to and could abuse. I don't think that anyone (or most people, anyhow), object to specific, targeted wiretaps of targets that you have appropriate warrants for. It's the incredibly broad based collection of all records, without targeting, for later data mining, coupled with the first-amendment destroying demands of secrecy about discussion these practices, that have people up in arms.
The NSA has admitted that they retain encrypted data for longer than unencrypted, as they cannot as easily discard it as irrelevant. If you use a protocol with perfect forward secrecy, it substantially undermines the value of that collection.
Edit to add:
> It won't stop them from storing the encrypted communication until (for example) quantum computers make it possible to decrypt it (assuming RSA).
Actually, it will stop them from using quantum computers to crack RSA and thus be able to read past communications. That's the who point of perfect forward secrecy; even if you can crack the RSA layer (or obtain the private RSA keys), which is used for bootstrapping the authenticated encrypted channel, perfect forward secrecy generates the symmetric key in a way in which it is never actually communicated over that channel.
Perfect forward secrecy protocols, such as Diffie-Hellman key exchange, work by both sides coming up with two values, one of which is secret and one of which is passed over the channel, such that both of them can compute the same secret value by combining the private and public values. Even if the "public" values are intercepted, for instance by cracking RSA, you cannot determine the secret values, because you do not have the secret portions of the keys that each side generated.
The reason to use RSA in addition to key exchange is that Diffie-Hellman key exchange is not authenticated; someone could MITM you, doing both sides of the Diffie-Hellman protocol, and intercept your communication that way. RSA allows for signing of certificates which can be used to bootstrap the authentication process.
So, if RSA gets cracked in the future, then the NSA could at that point MITM all of your future connections. But they could not decrypt your prior conversations, which had been encrypted using a private key generated via a key-exchange protocol that provides perfect forward secrecy.
edit 2:
Hmm. After further investigation, it looks like quantum computers would be able able to break the common "perfect forward secrecy" algorithms as well. So yes, in the case of RSA being broken due to quantum computing taking off, it's likely that DH and other discrete log based perfect forward secrecy algorithms will be broken as well.
Sigh. Why can't we have any NP-complete problems that work cryptographically? While even that isn't a guarantee of security against quantum algorithms (after all, it may still be the case that P == NP), there's a fairly strong belief that P!=NP and that NP-complete is a disjoint category than quantum polynomial algorithms, and so would give us a better security margin against quantum attacks.
Cryptography needs problems that are hard on average, not in the worst case. This doesn't fit well with P/NP/NP-complete, which are all about the worst-case difficulty of a problem.
For example, see the Merkle-Hellman knapsack cryptosystem [1], which is based on the subset sum problem --- a NP-complete problem! Nevertheless, it is broken. As you can see, using a NP-complete problem as a computational basis for a cryptosystem is not a silver bullet.
Apparently it is very hard to prove results in average case complexity theory. We don't even know if computational problems that are hard on average assuming P!=NP exist, let alone actually designing a cryptosystem out of one.
It's true that we don't seem to know how to build a cryptosystem out of them. Part of it is that a cryptosystem needs something stronger than average-case complete, a property more like every instance being hard (possibly excluding trivially easy instances that can be detected and filtered out).
Average-case complexity is a not a topic I know a lot about, and I can't easily get the paper itself, but what the abstract seems to say is that for some particular NP complete problem, if an efficient average case algorithm exists for that problem then efficient average case algorithms exist for all NP complete problems. There is no mention of showing that such an algorithm does not exist.
My reference is Impagliazzo's 1995 survey paper "A Personal View of Average-Case Complexity" where he lays out five possible worlds based on open problems in complexity theory. He calls the world where P!=NP but all NP problems are easy on average "Heuristica." This is still an open problem as far as I know.
On your second point I can say a bit more. Cryptosystems in general do not need all instances to be hard. With RSA for example, there are all kinds of weird attacks, like the modulus n can easily be factored if phi(n) or phi(phi(n)) are products of small primes. There is no need to filter out these cases because the probability of them occurring is so small. There are cryptosystems where an arbitrary instance of the problem is as hard as the average case. This was a notable selling point for lattice cryptosystems when they were first invented.
In the RSA case the probability of these corner case attacks decreases with the size of the instance. So for current parameters the probability is near zero. However, even if you only had a scheme where the probability didn't diminish with the instance size and there are attacks that you can't check for, you can still securely send messages. Say the probability that your key generation algorithm gives you an instance that is hard is 50% (or any constant). You can securely send messages with arbitrarily small probability of having your message decrypted by using multiple keys and breaking up your message with a secret sharing scheme (Shamir's for example) and encrypting each message share with each of the keys. The attacker, able to only get a constant number of decrypted message shares will not be able to get decrypt your message.
I'll guess you've seen this[1], but if you want perfect security, you really do have to build from scratch. Of course, I doubt that any single human is really capable of building a truly-secure system.
I guess we have to live with a situation where some faith is required if we want to use computers.
Yes, in the same way that an excellent front-door lock doesn't stop someone from smashing your front window.
For the purposes of encrypting traffic to prevent eavesdropping, one of the recipients sending the unencrypted data to a third-party is not an attack vector of consideration. In your scenario the only viable measure is to send no data at all (aka "don't play").
However, it's a bit over-reaching to say it can "block the NSA". It won't stop them from backdoor-ing your hardware/software (keyloggers, compromised random numbers, etc). It won't stop them from storing the encrypted communication until (for example) quantum computers make it possible to decrypt it (assuming RSA).