2018.07.30 18:14:56 (1023965175219728386) from Daniel J. Bernstein:
Puzzled by the comparative cycles/byte claims for Google's Randen (https://github.com/google/randen) on Westmere. 1.54 for Randen, ok, but 3.02 for ChaCha8? I see 1.34 for ChaCha8 generating 1536 bytes, so 1536-byte fast-key-erasure RNG (https://blog.cr.yp.to/20170723-random.html) should be well under 1.54.
2018.07.30 18:18:58 (1023966188949463046) from Daniel J. Bernstein:
It seems to me that the 3.02 number comes from Jan Wassenberg reimplementing ChaCha8 and then reimplementing some sort of RNG on top of that, instead of reusing existing (faster) ChaCha8 stream software and fast-key-erasure RNG software from the SUPERCOP software collection.
2018.07.30 18:32:28 (1023969586696388613) from Daniel J. Bernstein:
To be clear, I recommend ChaCha20 instead of ChaCha8. It's hard to find applications where such a fast RNG is a bottleneck. More importantly, after DES and RSA-512 and SHA-1 and Sweet32 and so on, hasn't the cryptographic community learned to stop cutting things so close?