And to fend off the messag that I bet somebody is composing right now:
Yes, I know about a "security first" mindset. But as I said earlier in the thread, there is a tradeoff here between crypto strength and code complexity, and "the strength of the crypto is all that matters" is NOT security first.