by hdevalence 933 days ago
I haven't paid close attention recently but that doesn't seem that far off of performance available via (hardware accelerated) AES?

Looking at https://eprint.iacr.org/2018/392.pdf , it seems like:

- Intel CPUs can use AESNI to do AES at 0.64 cpb
- AMD Zen cores have two AESNI cores and can achieve 0.31 cpb
- Vectorized AES instructions (supposed to ship in Ice Lake five years ago, but maybe a casualty of Intel's AVX512 mishaps) were expected to bring it down to 0.16 cpb

In some sense this isn't a "fair" comparison in that it's fast because there's hardware acceleration, but that doesn't really matter, the hardware is there so it might as well be used.


Yeah, chacha was an odd choice because AES is a lot faster on CPUs with acceleration. Just doing a few AES rounds would be a pretty fast, good PRNG.
For those interested in using AES with reduced rounds as a PRNG, it is covered in the paper "Parallel Random Numbers: As Easy as 1, 2, 3" by John Salmon et al.

https://www.thesalmons.org/john/random123/papers/random123sc...
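The construction both comments describe, a counter-based generator whose i-th output block is the AES encryption of the counter i (the idea behind Random123's ARS), as an added Go example that is not code from the thread or from the Random123 project. It assumes Go's standard `crypto/aes`, which only offers the full 10-round AES-128, so it uses the full cipher rather than the reduced-round variant discussed above; the key and the usage in `main` are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ctrPRNG is a counter-based generator in the spirit of Random123's ARS:
// output block i is AES_k(i), so any block can be computed independently,
// which is what makes these generators convenient for parallel simulation.
// Assumption: Go's crypto/aes exposes only full 10-round AES-128, so this
// example uses the full cipher; the reduced-round trick the thread describes
// trades cryptographic margin for speed and belongs to non-cryptographic
// uses such as Monte Carlo sampling, not to key or nonce generation.
type ctrPRNG struct {
	block cipher.Block
	next  uint64 // index of the next block for the sequential API
}

// newCtrPRNG keys the cipher with a 16-byte key (the "seed") and starts
// the sequential counter at the given stream offset.
func newCtrPRNG(key [16]byte, start uint64) (*ctrPRNG, error) {
	b, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return &ctrPRNG{block: b, next: start}, nil
}

// Block returns the 16 output bytes for block index i without touching the
// sequential state: this is the random-access property of counter-mode PRNGs.
func (p *ctrPRNG) Block(i uint64) [16]byte {
	var in, out [16]byte
	binary.LittleEndian.PutUint64(in[:8], i) // high 8 bytes stay zero
	p.block.Encrypt(out[:], in[:])
	return out
}

// Uint64 returns the next 64-bit output by consuming the first half of the
// next block; the second half is discarded to keep the example short.
func (p *ctrPRNG) Uint64() uint64 {
	out := p.Block(p.next)
	p.next++
	return binary.LittleEndian.Uint64(out[:8])
}

// Float64 maps a 64-bit output to [0,1) using its top 53 bits, the usual
// way to feed simulation code.
func (p *ctrPRNG) Float64() float64 {
	return float64(p.Uint64()>>11) / (1 << 53)
}

func main() {
	// Constructed key for demonstration only; a real seed would come from
	// crypto/rand or the simulation's configured seed value.
	var key [16]byte
	copy(key[:], "example-seed-16b")
	g, err := newCtrPRNG(key, 0)
	if err != nil {
		panic(err)
	}
	for i := 0; i < 3; i++ {
		fmt.Printf("block %d -> %016x\n", i, g.Uint64())
	}
	fmt.Printf("block 1000 directly -> %x\n", g.Block(1000))
}
```

Because every output is a function of (key, index) alone, two workers can each draw block ranges without sharing state, and a run can be reproduced from its seed; what the generator cannot do is recover from key exposure, so it should not be substituted for the platform's cryptographic random source.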