I have previously told the Tor developers that they should work in PR, now I believe that the NSA is also very good at PR. I shall decode Simon and Speck: Block Ciphers for the Internet of Things for you.

"In a stable world, it’s a good strategy to specialize, but when conditions change rapidly, specialists don’t always fare so well" Everyone uses AES. Or Keeloq. Or RC4. People select the protocol for the application they will use, hence why the IoT won't use WPA2. Of course digital signal processing requires many many gates so...

"For example, the consensus has long been that a budget of 2000 GE is all the chip area that might reasonably be allocated for security on the most constrained RFID tags" Who sets the consensus? I believe Snowden and John Gilmore had something to say about IPsec consensus? Regardless, nearly 40% of the registers for 256-bit secure Simon is for the temporary key. It isn't hard to beat Simon's security for better RFID performance, but that would hurt its performance on other applications. Every cryptographer, particularly the ones who work on examining Keeloq, have totally failed to notice this.

"One further point about AES: not every application requires the same high level of security that AES is designed to provide." AES is the worst cipher to be adopted by American industry since DES. Should've gone with Skipjack.

"that almost exactly matches PRINCE’s latency and area; it implements the combinational logic for 5 rounds, and encrypts in b 44 / 5 c 9 cycles." Yes, designing a hardware implementation with reasonable parameters will reduce latency and area. Would you be surprised if Prince would be better as a 2 cycle implementation?

"This is excellent performance relative to other block ciphers; indeed CLEFIA realizes the 'world’s highest hardware gate efficiency'" Other block ciphers may have been incompetently designed.

"The C implementations of Speck 128/256 have better overall performance than the best C implementations of ChaCha20, a stream cipher especially noted for its speed." ChaCha is a 512-bit poorly keyed block cipher. To achieve diffusion over such a large block size, more rounds and instructions are needed. To achieve non-linear dependency on each key bit, more rounds are needed. Naturally they said in a previous paper that ChaCha doesn't compare to Speck because it is a stream cipher (weird meme). It is a sad comedy when a protocol uses SHA-2-512 and truncates it to 256 bits to key a cipher when to avoid slide and Meet in the Middle attacks one needs at least twice the round keys. Anyway, embedded microcontrollers for storage devices are 100 MHz ARM CPUs that cost half a cent each. There exist cheap FPGAs with a thousand slices.

"AES, on processors with cache memory can be particularly vulnerable to these cache-timing attacks" They're just trolling you now and you don't see it.

"Because of their simplicity (and perhaps because of their source!)" The NSA is very sexy. Join us.

"Simon and Speck have been quite thoroughly vetted by the cryptographic community in the two years since their publication." Simon and Speck are very secure because numerous papers have incrementally improved upon each other; fortunately there wasn't a major breakthrough because that might halve the number of papers released. (Oddly enough, many of the papers were from Chinese researchers.)

The NSA manipulates you to your face, and you have failed. Each and every one of you.

P.S. The phone system was a trade secret, but now WPA2 specification is a paywall. All these bought-off cryptographers are in a cover-their-ass operation. They know they overlooked it, they have to explain to you why they overlooked it so they can still appear valuable to you. We could've had the Clipper chip, but now we may as well be using Tribler's OFB with same IV (nothing to see here).

Anyway, WPA3 is needed for post-quantum eventually. Everything should head towards some sort of post-quantum algorithm, now that NTRU's patent expired. There is no reason why NTRU is not used, and I'd suggest conservative parameters for a given amount of input entropy. Smart cards and post-quantum for everything.

P.P.S. Binney is a pathological liar. Just watch A Good American on Netflix. It is no wonder that the EFF is currently ineffectually complaining about unconstitutional laws. John Schindler is right, he doesn't express himself well, but I'm pretty sure he represents the opinions of the intelligence community in that many of you are blind and incompetent. (Naturally the same could go for the intelligence community...)

Bonus round because a helicopter flew over my house:

Schneier said: "There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced) will use." That means trust me, I am opposed to what is happening and I am an expert.

Schneier then said: "I misspoke when I wrote that NIST made 'internal changes' to the algorithm. That was sloppy of me. The Keccak permutation remains unchanged. What NIST proposed was reducing the hash function's capacity in the name of performance. One of Keccak's nice features is that it's highly tunable." Oh, I was just exaggerating, trust me, I have gone over to the other's side.

When a familiar face changes their mind, will you go along with them if you were wavering to begin with?