On 2020-05-12 10:00, Jason A. Donenfeld wrote: > Djb has a nice post on chacha performance in > this context: <https://moderncrypto.org/mail-archive/noise/2016/000699.html>.
I shall leave this to the wireguard folks to explore but I'm not totally convinced. It is not just about speed. Perhaps Intel chips are different or perhaps DJB is biased towards use of his code? In my experience with small 4mm processors that have hw AES support. The CPU is basically idle and can sleep or able to do whatever it wants whilst awaiting for the AES peripheral to finish a block and 10 times faster than software. These processors are a few pounds and do a lot of other things, so for DJB to say hw AES is expensive for Intel? Perhaps it is true on FISC chips with much higher mhz/throughput requirements.