by tialaramex
2082 days ago
Over the past decades it's been clear that we should provide the consumers of a cryptographic system with everything they might reasonably expect, rather than define narrowly what we'll set out to do and then surprise the consumer when they actually needed more than was delivered. AEAD is a big example of that, delivering integrity protection for symmetric encryption that too many engineers never even realised their application required. Moving from the Merkle–Damgård construction to the Sponge construction for hashes is one way to deliver another unspecified requirement - preventing length extension attacks. Way too often in cryptography when somebody is sure that they don't need a big complicated system with a bunch of features it turns out actually they just didn't understand their full requirements, and as those become clear all the baggage they were pleased to be rid of turns out to have been necessary all along.