has been announced by NIST. It appears Bruce Schneier's (and his team's) entry, Skein, did not win. Instead the winner is Keccak.
Many people thought Skein might be a lock this time because of some of its interesting design features, as well as the fact that it came with its own block cipher (Threefish). On the other hand, Schneier himself said just a few days ago on his blog that he didn't think Skein would win (though he didn't give a reason). He also said he doesn't think we actually need a new hashing standard, because SHA-2 has held up much better than people thought it would back when the SHA-3 competition started. Contrast this with DES, which was utterly broken (due to a small key) when the AES competition started back in the late 1990s. AES was a necessity; SHA-3 is not, according to Schneier.
In a way he has a point -- if it ain't broke and still performs reasonably well on the speed and efficiency front, then don't change it. After all, older and better-tested algorithms are almost always preferable because they have survived more scrutiny.
On the other hand, SHA-2 is an NSA-designed algorithm, and to be frank, that makes me nervous. It is widely believed that NSA is a number of years more advanced in cryptology than the academic world. Indeed, Brian Snow, a former NSA cryptologist, has said as much publicly. Therefore, there is always a chance they have engineered some clever backdoor (or skeleton key) into the algorithms they release for public consumption. A lot of academics will scoff at the notion and say "it's hard to design a backdoor when we know exactly how the algorithm works and can study it openly." What these guys fail to consider is that their "state of the art" is almost certainly a number of years behind NSA's. And there doesn't really need to be a "backdoor" per se for the algorithm to be vulnerable. It could be that NSA knows "shortcuts" around the design that they know full well haven't been discovered publicly.
This phenomenon was evident back in the 1970s, when NSA knew about differential cryptanalysis, which the public academic world didn't discover until 20 years later. A number of years ago Niels Ferguson (who is a cryptologist at Microsoft) discovered some strange goings-on with an NSA CSPRNG (cryptographically secure random number generator) known as Dual_EC_DRBG. He discovered that, with the way it was designed, there could be "up my sleeve" constants known to the author that allow him to recover keys generated by the RNG. A much more recent example is the MD5 collision used to forge certificates in the Flame malware. It is true that MD5 collisions have been discovered publicly and known about for some time, but the technique used by Flame was unknown to academia. Indeed, one of the researchers who has worked on breaking MD5 said, "the MD5 collision Flame uses is not the same one I discovered, but a new technique." He went on to say, "The Flame creators have world class cryptologists working for them." And everyone is pretty much in agreement that Flame, like Stuxnet, was a DoD/Israeli operation.
My point is, it never made sense to me that NSA would release their best and strongest designs to the public. Keep in mind that they have a dual role: to secure America's digital infrastructure (COMSEC) but also to break other people's communications systems (SIGINT). So, do you really think they would release a cipher or a hash algorithm to the public knowing it was impervious to their own attacks? Would they really release an algorithm they can't break, knowing it will find its way offshore to enemy nation-states and terrorist organizations? (Most of the USA's intelligence, after all, comes from SIGINT.) What makes more sense is that they release algorithms just "state-of-the-art" enough to be unbreakable by anyone but themselves (and there is some evidence that SkipJack was designed this way). This solves the COMSEC problem here at home while also ensuring they don't hamper their SIGINT activities abroad.
So, when it comes to algorithms designed by NSA -- there are two ways to look at it: If they are putting their COMSEC hats on and making their designs as resistant to attacks as they know how, then there are probably no better algorithms out there. If, however, they are putting on their SIGINT hats, the algorithms, while strong, are probably not resistant to their own attacks. Algorithms in the second category are probably strong enough for every case except keeping information secure from NSA itself.
Keccak was not designed by NSA, but by independent researchers in an open competition (as was AES). This means it has no backdoors. It also means we can be sure it is state-of-the-art and likely to remain that way for years to come. However, it does not mean NSA hasn't already found weaknesses in it. It is well known that NIST, in its selection process, works closely with NSA. Does this mean NSA is selecting weaker algorithms? Or are they putting on their COMSEC hats and picking the most secure option? We will probably never know. The best we can say is that these algorithms (like AES and Keccak) are secure against the cryptanalysis techniques that are publicly understood. We can never be sure what the army of mathematicians at Ft. Meade can or cannot do, and I'm sure they prefer it that way.
In any case, I will take a publicly designed and open algorithm over an NSA-designed one. At least with the public algorithm, we know it is as strong as can be made with publicly known techniques. NSA may or may not have techniques to break these public designs. I would rather take that gamble than use a cipher they designed from the get-go.