2022.02.24 16:55:28 (1496876437768343552) from Daniel J. Bernstein:
Happy to see the Linux RNG getting faster and, more importantly, easier for security reviewers. But let me emphasize that my blog post says "this RNG construction certainly isn't new"; e.g., mapping b-bit key to b-bit output + b-bit rekey is in the cited 2005 Barak–Halevi paper. https://twitter.com/EdgeSecurity/status/1496100508402081798