Re: Hash algorithm analysis

Somewhere upthread, Brian refers to me as a cryptographer. That's
flattering (thank you), but probably not really true even on a good
day. And certainly not true next to Joan Daemen. I do have experience
with crypto at scale and in ecosystems, though.

Joan's count of cryptanalysis papers is a reasonable way to try and
bring some quantitative clarity to an otherwise subjective topic. But
still, despite lacking any counterpoint to it, I find myself believing
that practical concerns are a stronger differentiator here.

But the world is in a position where a new, common hash function might
crystallise, and git could be the start of that. What that means for
the ecosystem is that numerous libraries need to grow
implementations optimised for 3+ platforms and those platforms (esp
Intel) often need multiple versions (e.g. for different vector widths)
with code-size concerns pushing back at the same time. Intrinsics
still don't cut it, so that means hand-assembly and thus dealing with
gas vs Windows, CFI metadata, etc. Licensing differences mean that
code-sharing doesn't work nearly as well as one might hope.

Then complexity spreads upwards as testing matrices expand with the
combination of each signature algorithm with the new hash function,
options in numerous protocols etc.

In short, picking just one would be lovely.

For that reason, I've held back from SHA3 (which I consider distinct
from K12) because I didn't feel that it relieved enough pressure:
people who wanted more performance weren't going to be satisfied.
Other than that, I don't have strong feelings and, to be clear, K12
seems like a fine option.

But it does seem that a) there is probably not any more information to
discover that is going to alter your decision and b) waiting a short
to medium amount of time is probably not going to bring any definitive
developments either.


Cheers

AGL


