> SHA-3 was finished in the aftermath of Snowden's revelations, and NIST's credibility was very low at the time, they needed to be extra conservative about security margins for this reason.
Yep. There was discussion about this among NIST, the Keccak team, and the other cryptographers contributing to SHA-3. The consensus was that because NIST had been involved in the Dual_EC_DRBG backdoor, that their credibility was dangerously low and that they couldn’t standardize anything that ill-informed people could misconstrue as “weakening” SHA-3, even if the actual cryptographers involved thought it would still be secure. So in one sense, you can chalk up the unnecessary computational cost of SHA-3 as collateral damage from the Dual_EC_DRBG backdoor.
> I don't have the same good feelings about the hashes or the asymmetric crypto yet.
You might be interested in https://electriccoin.co/blog/lessons-from-the-history-of-att... (caveat: it’s a few years old, and it might have mistakes). It’s an empirical view on the history of hash functions. The results were very interesting to me. Against collision attacks, it kind of seems like we figured out how to make hash functions secure against them in the 2000’s (compared to block ciphers, which I guess we mostly figured out in the 1970’s). Against preimage attacks, it seems like we figured out how to make hash functions secure against them as soon as we invented secure hash functions at all — in the 1990’s.