> I don't like NIST for another, better reason: I think the whole enterprise of picking cryptography standards in advance is bankrupt, and holds the industry back.
In advance of what? Not intended as a gotcha; I'm genuinely interested.
I see past NIST competitions as a mixed bag in terms of whether what we got is important (e.g. AES) or not so much (e.g. SHA-3), but I don't see any cases where they made things worse. And the NIST competitions attract some attention, whereas something more discreet like the CFRG PAKE selection process can be so quiet that if you're not intimately involved you might not know the CFRG actually selected anything. If you build a new product with Serpent or Twofish inside it, that will attract questions about why not AES - does this happen if your product has SPAKE2?
It's not so much that NIST has chosen bad ciphers in their competitions, so much as that they've created institutional pressure against other totally reasonable constructions, which in turn makes it harder for things like WireGuard to get adopted inside the USG. The ciphers are much less important than the protocols that use them.