SHA-3 was finished in the aftermath of Snowden's revelations, and NIST's credibility was very low at the time, they needed to be extra conservative about security margins for this reason.
> SHA-3 was finished in the aftermath of Snowden's revelations, and NIST's credibility was very low at the time, they needed to be extra conservative about security margins for this reason.
Yep. There was discussion about this among NIST, the Keccak team, and the other cryptographers contributing to SHA-3. The consensus was that because NIST had been involved in the Dual_EC_DRBG backdoor, that their credibility was dangerously low and that they couldn’t standardize anything that ill-informed people could misconstrue as “weakening” SHA-3, even if the actual cryptographers involved thought it would still be secure. So in one sense, you can chalk up the unnecessary computational cost of SHA-3 as collateral damage from the Dual_EC_DRBG backdoor.
