Panino

If SIMON and/or SPECK are NOBUS-breakable, then NSA probably has an unknown cryptanalytic technique that would likely threaten other widely used ciphers. Certainly possible but unlikely. However, that's not the issue IMO.

Instead of blindly supporting or rejecting an author, we should insist on public crypto competitions which are the best route for obtaining well-tested, studied, and trusted ciphers.

There are decent correlations between:

  * crypto that's been de jure standardized before deployment and bad crypto (DUAL EC, DNSSEC, etc.)

  * crypto that's been through a public competition before deployment and good crypto (Salsa20, Argon2)

  * crypto that's been de facto standardized and good crypto (Curve25519, Signal protocol, etc.)
As an aside, high-level APIs like in NaCl, libsodium, libtls (from LibreSSL), etc. are a new, in-progress form of de facto standardization. It would be hard to introduce a new low-level general-purpose crypto library and attract major adoption.
tptacek

Nacl/Sodium and libtls aren't suitable for small-footprint computing. That's probably why there's so much interest in lightweight ciphers: it's hard to get a lot of real-world attention for a new block cipher design targeting general-purpose computers, but there's no (de facto or de jure) standard lightweight cipher.

CiPHPerCoder
Have you had a chance to look at libhydrogen?

https://github.com/jedisct1/libhydrogen