by agl 4400 days ago
Thanks for that. I've updated the post to mention multi-target attacks and the quantum attack against McEliece (which I wasn't aware of, and is saddening because it appears to make McEliece a much less attractive PQ system).

I picked SHA-384 as an example of a case where one might want to spend resources on an "unbalanced" primitive because of the history of hash functions failing to meet their design strengths, rather than for quantum resistance.

Although, if you are looking to pick between SHA-256 and SHA-512/384 on modern CPUs, SHA-256 (in an interleaved tree mode) wins for speed: http://eprint.iacr.org/2012/476.pdf.