I’m really surprised to not see Chacha/Poly on that list as an AEAD.

XTEA made it as a competitor but chacha didn’t?

I don’t understand cryptography at all.

Chapoly isn't a lightweight design; it's a conventional design. Gimli is, I think, Bernstein's lightweight design (or the core of it).

This site compares the lwc finalists to chachapoly https://rweather.github.io/lwc-finalists/performance_avr.htm...

I suppose being up to 3.8 times faster with these early implementations is somewhat significant benefit.

What is expected security margin? Chacha20 is many orders of magnitude more than impossibly strong, cf. AES which is as safe as needed and not safer.

This is in the paper.

The currently best cryptanalytic attacks on the Ascon authenticated encryption (excluding misuse scenarios) can recover the secret key with a time complexity of about 2 104 only if the initialization is reduced to 7 of 12 rounds, which corresponds to a security margin of 42%

There's an attack on 128-bit Salsa7 with time complexity 2^109, and an attack on 128-bit ChaCha6 with 2^107.

...on 8 bit.

On 32 bit the difference is much smaller and SLOWER on the IOT darling ESP32.

This whole thing seems entirely not worth it thb