GCM is theoretically less secure with its 12-byte initialization vector (nonce), and you have to roll over the key after deriving 4 GB of keystream.

As far as I know, NIP-44 uses the ChaCha20-Poly1305 keystream hash function, which is like 4x faster than AES or something like this.

There is a CSPRNG library written by Luke Champine called `frand` which uses ChaCha12 or ChaCha20... For our needs we'd need to stick with 20, but for decent entropy in test environments ChaCha12 is fast enough to provide extremely fast keystreams or random numbers based on random seeds (like timestamps).

It's best to use a fresh secret whenever possible with ECDH key derivation, as the more you reuse the same key pair, the more likely you are to expose a possible plaintext attack.

I have thought about, but not yet benchmarked, using SHA256 as the cipher stream derivation hash in a CTR mode cipher for a custom Noise protocol encryption mode... Maybe I'll get back to that at some point. The reason I'm talking about it is that there are AVX2 implementations of SHA256 that, if you deliberately use the parallelism possible in a counter mode encryption using this: https://github.com/minio/sha256-simd, you can have doing at least 2 hash calculations in parallel if the code is written right, which wouldn't be possible with a feedback mode.
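To make the parallelism argument concrete, here is an added illustration (not the note author's code, and not from minio/sha256-simd, which it does not use): a toy SHA256-based counter-mode keystream whose blocks are hashed concurrently, beside a feedback-chained variant that cannot be. The construction `SHA256(key || nonce || counter)` is an assumption chosen for the demonstration, it uses only the standard library, and it is unauthenticated keystream generation only, not a complete AEAD.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"sync"
)

// ctrBlock: block i = SHA256(key || nonce || i); it depends only on (key, nonce, i), so blocks are independent.
func ctrBlock(key, nonce []byte, i uint64) [32]byte {
	buf := append(append([]byte{}, key...), nonce...)
	return sha256.Sum256(binary.BigEndian.AppendUint64(buf, i))
}

// ctrKeystream hashes every counter block in its own goroutine (SIMD SHA-256 lanes batch blocks the same way).
func ctrKeystream(key, nonce []byte, n int) []byte {
	blocks := (n + 31) / 32
	out := make([]byte, blocks*32)
	var wg sync.WaitGroup
	for i := 0; i < blocks; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			b := ctrBlock(key, nonce, uint64(i))
			copy(out[i*32:], b[:]) // disjoint 32-byte slot per goroutine: no race
		}(i)
	}
	wg.Wait()
	return out[:n]
}

// feedbackKeystream is the contrast: block i = SHA256(key || block i-1), which cannot
// start until block i-1 is done, so the chain is inherently serial.
func feedbackKeystream(key, nonce []byte, n int) []byte {
	out, prev := []byte{}, sha256.Sum256(append(append([]byte{}, key...), nonce...))
	for len(out) < n {
		prev = sha256.Sum256(append(append([]byte{}, key...), prev[:]...))
		out = append(out, prev[:]...)
	}
	return out[:n]
}

// xorStream applies a keystream to data; encrypting and decrypting are the same step.
func xorStream(ks, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ ks[i]
	}
	return out
}
```

Applying `xorStream(ctrKeystream(key, nonce, len(msg)), ...)` twice with the same key and nonce returns the original message; as with any CTR-style stream, a (key, nonce) pair must never be reused for two messages.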
