SHA256 is an instance of SHA2. Presumably you didn't mean that SHA512 was bad, or, better, SHA512/256.
ECDSA, ECDH, and ECIES (which we don't see a lot of) all require a curve. Saying "ECDH is good" isn't helpful if you can't safely choose a curve to run them over.
ECDSA has another problem: it has a hard randomness requirement. If you repeat the per-message nonce, leak bits of the message nonce, or even fail to fill the modulus for the message nonce, you set up a condition where attackers can recover your private key. DJB is trying to push ECDSA into disfavor, replacing it with deterministic signatures.
One-time pads are awful and should be avoided at all costs. Virtually every computer program developed by generalist programmers that claimed to be a "one-time pad" was instead a crappy stream cipher.
Shamir splitting is fine, although that's a strange thing to have in your "regular use" bag.
> SHA256 is an instance of SHA2. Presumably you didn't mean that SHA512 was bad, or, better, SHA512/256.
Right. But I don't see a reason why you would ever want either of those when SHA256 works just fine. Maybe because it's a bit more efficient per byte as a PRNG, but there are better specialized tools for that.
> ECDSA has another problem: it has a hard randomness requirement.
Not if you use RFC6979. In the Bitcoin space that's been standard since about three days after the Java.SecureRandom bug. As for curves, secp256k1 and curve25519 seem to be the most popular as far as I can tell.
> One-time pads are awful and should be avoided at all costs. Virtually every computer program developed by generalist programmers that claimed to be a "one-time pad" was instead a crappy stream cipher.
Well, yes, an OTP generated by a PRNG is a stream cipher by definition. You do need true randomness for them to work. I think they're very useful if (1) you're scared that NSA has a constructive proof of P=NP deep inside their lairs, or (2) you want ultimate deniable encryption.
ECDSA, ECDH, and ECIES (which we don't see a lot of) all require a curve. Saying "ECDH is good" isn't helpful if you can't safely choose a curve to run them over.
ECDSA has another problem: it has a hard randomness requirement. If you repeat the per-message nonce, leak bits of the message nonce, or even fail to fill the modulus for the message nonce, you set up a condition where attackers can recover your private key. DJB is trying to push ECDSA into disfavor, replacing it with deterministic signatures.
One-time pads are awful and should be avoided at all costs. Virtually every computer program developed by generalist programmers that claimed to be a "one-time pad" was instead a crappy stream cipher.
Shamir splitting is fine, although that's a strange thing to have in your "regular use" bag.