> It's a 64-bit counter, which we reduce to 32 bits. Since there is > progressively less entropy in the higher bits of a counter than in > the lower bits, it intuitively makes sense not just to do hi^lo, > but to bit-reverse one half in order to extract maximal entropy, > and on aarch64 bit reversal is a simple instruction.
That doesn't matter at all. First of all, this is +='d to multiple rounds in the ring which never clean. Then a crc is run over it ^= over old contents. Then at some timeout it does a sha256 and ^= it again, leaving that in a buffer, which a different timeout merges into the chacha state, yes you guess right some more ^=. But if it makes you feel better :)