2023.09.17 16:23:08 (Mastodon 111081408995284601, Twitter 1703444395431768183) from Daniel J. Bernstein:
Plugging AES-256 into "beyond-birthday-bound security" has a lower security level and is easier to screw up than "bigger-birthday-bound security". This makes "beyond" attractive for academic cryptographers writing papers, and, as https://eprint.iacr.org/2023/1379 illustrates, for NSA etc.