Fun historical story that most people don’t know: when the US National Institutes of Standards and Technology selected Keccak to be the new Secure Hash Algorithm (SHA3), they knew that it was inefficient—that it did a lot computation that wasn’t necessary for security. ⤵️

People wondered if NIST were intentionally weakening SHA3 so that their partners at the National Security Agency could exploit users who relied on it. ⤵️

… I think that NIST just honestly believed (as I do) that Keccak was doing a lot of computation that didn’t help with security and that hurt practicality. ⤵️

However, people were right to be suspicious! NIST had a long history of secretly colluding with the NSA to insert backdoors into cryptographic standards. (See for a recent summary of some of the low points of that history.) ⤵️