> The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators. They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles

Edit because I hit the button too soon: no, wifi devices have enough resources to use better encryption, and do.

The encryption we're talking about with these constructions is quite strong. It'd be interesting to try to articulate what's "better" about the alternative "heavyweight" algorithms you might use instead.

These "lightweight" algorithms aren't just low resource usage, they're tuned for small messages. CAESAR also had a "high-performance" category, for AEADs optimized for large messages and streaming data.

If you're limited to small packets on rare occasions and want to have minimal battery drain (e.g. a battery-powered LoRaWAN-style sensor) a "lightweight" algorithm like Ascon is good. For most "normal" uses a "high-performance" algorithm like AEGIS is good, as are AES-GCM, AES-OCB, AES-GCM-SIV, and ChaCha20-Poly1305. When you'd pick which cipher is rather complicated to answer.

The "lightweight" category is also apparently much better at resisting side channel attacks and is also much easier to do cryptanalysis on.

It's not always clear in what ways the non-"lightweight" categories are better other than having bigger keys and state.

This; not many 64 bit MCUs out there, or with SIMD pipelines. Although RISCV could change that.

Sponge cipher is not seekable and as a consequence not parallelizable.

Somewhat confusing, because IoT implies they'd be connected to the internet, no?