Reconsidering Speck

I think this helps calibrate the worries we're talking about here. RC4 is considered completely broken... but you actually need to do a lot of heavy lifting to get anywhere against RC4 with the best known attacks. The web is insanely friendly to an adversary because they're assumed to be allowed to tell both parties to do loads of encryptions / decryptions (public web servers, clients run Javascript) and the adversary gets to eavesdrop and time everything. So on the web when you say things like "With just $40k of pre-computation after 2^20 trial encryptions we were able to recover a byte with 84% success" that's rightly considered broken.

For comparison the Banburismus technique to attack the Kriegsmarine Engima were considered viable if about 200 messages had been intercepted.

And so with this calibration I have to agree with Google's original stance. This is much better than nothing. Even if it turns out that the NSA knows something we don't about Speck and it's to their advantage (which it seems is what so many observers imagine, even though the reality is just as likely that the NSA found nothing and _doesn't want anybody who does finds things to realise they're a step ahead of the NSA_) the NOBUS principle protects us from a lot of other adversaries.

If we get this complicated and perhaps somewhat fragile DJB-based alternative deployed instead, that satisfies me, and so in the end I'm not so worried as I was when it looked like the fanatics were determined to have nothing rather than risk approving of anything from the NSA. But I think we've strayed far into the weeds on this, which is disappointing, even if the NSA must take most of the blame for that.