[Cryptography] a question on consensus over algorithmic agility

Bill Stewart billstewart at pobox.com
Tue Jul 1 02:09:34 EDT 2014


At 09:32 AM 6/30/2014, John Kelsey wrote:
>If you want to build one more complex algorithm instead of two 
>alternatives, that's doable.  But you'll have a couple problems:
>a.  There's a performance impact.  If you first encrypt each 
>plaintext with 3DES in CBC-mode, and then superencrypt with AES in 
>CTR mode, you have a lot more work per encrypted bit.  Probably that 
>doesn't matter most places, but there are some places where it will matter.

It'll cost you maybe double the CPU time, and a bit of extra memory, 
and that may still be cheaper than a round of negotiation.
Most of the places where that will matter are embedded hardware, 
which are also the places that are hardest to update, so you'll pay 
for it now or pay for it later.



