[Cryptography] Sha3 and selecting algorithms for speed

John Kelsey crypto.jmk at gmail.com
Fri Oct 4 10:12:17 EDT 2013


Most applications of crypto shouldn't care much about performance of the symmetric crypto, as that's never the thing that matters for slowing things down.  But performance continues to matter in competitions and algorithm selection for at least three reasons:

a.  We can measure performance, whereas security is very hard to measure.  There are a gazillion ways to measure performance, but each one gives you an actual set of numbers.  Deciding whether JH or Grostl is more likely to fall to cryptanalytic attack in its lifetime is an exercise in reading lots of papers, extrapolating, and reading tea leaves.    

b.  There are low-end environments where performance really does matter.  Those often have rather different properties than other environments--for example, RAM or ROM (for program code and S-boxes) may be at a premium.  

c.  There are environments where someone is doing a whole lot of symmetric crypto at once--managing the crypto for lots of different connections, say.  In that case, your symmetric algorithm's speed may also have a practical impact.  (Though it's still likely to be swamped by your public key algorithms.)   

--John

