Edit history
Revision
kirk_johnson,
(current version)
:
Speaking of speeds:
No. Concretely, several generations of Intel chips have run 12-round
ChaCha12-256 at practically the same speed as 12-round AES-192 (with a
similar security margin), even though AES-192 has "hardware support", a
smaller key, a smaller block size, and smaller data limits. For example:
* Both ciphers are ~1.7 cycles/byte on Westmere (introduced 2010).
* Both ciphers are ~1.5 cycles/byte on Ivy Bridge (introduced 2012).
* Both ciphers are ~0.8 cycles/byte on Skylake (introduced 2015).
ChaCha20-256 is slower than ChaCha12-256 but this is entirely because it
has a much larger security margin. For reasons explained below, I
wouldn't be surprised to see ChaCha20-256 running _faster_ than AES-256
on future Intel chips.
Anyway, it's hard to find any applications that will notice any of these
gaps. We're talking about differences under 1 cycle/byte, on CPUs where
cycles are very fast in the first place, vs. multiple cycles/byte for
typical data processing.
https://moderncrypto.org/mail-archive/noise/2016/000699.html
Original version
kirk_johnson,
:
Speaking of speeds:
No. Concretely, several generations of Intel chips have run 12-round
ChaCha12-256 at practically the same speed as 12-round AES-192 (with a
similar security margin), even though AES-192 has "hardware support", a
smaller key, a smaller block size, and smaller data limits. For example:
* Both ciphers are ~1.7 cycles/byte on Westmere (introduced 2010).
* Both ciphers are ~1.5 cycles/byte on Ivy Bridge (introduced 2012).
* Both ciphers are ~0.8 cycles/byte on Skylake (introduced 2015).
ChaCha20-256 is slower than ChaCha12-256 but this is entirely because it
has a much larger security margin. For reasons explained below, I
wouldn't be surprised to see ChaCha20-256 running _faster_ than AES-256
on future Intel chips.
Anyway, it's hard to find any applications that will notice any of these
gaps. We're talking about differences under 1 cycle/byte, on CPUs where
cycles are very fast in the first place, vs. multiple cycles/byte for
typical data processing.
https://moderncrypto.org/mail-archive/noise/2016/000699.html