After reading all these messages a bit too fast, it seems to be that we can add to Thor's analysis Moving the fast-not-super-strong PRNG to ChaCha8 is clearly a step forward from what we have now. (really this is his conclusion) It remains for Someone to do more formal work (perhaps in an academic context) to give specifications for good-enough-random, to analayze if our implementation meets the specification, and if our uses can reasonably rely on them. (I think the lack of this is the essence of what Paul is pointing out, and it's a fair point). I'll ask around to see if I can find a spare intern. (That's sort of a joke but not 100%; this does seem like useful work to do.)
Attachment:
pgp9KislZv6Ld.pgp
Description: PGP signature