[Cryptography] An interesting little pseudorandom number generator

John Kelsey crypto.jmk at gmail.com
Mon Aug 2 11:34:08 EDT 2021


The multiply step is non-invertible and so loses entropy.  Specifically, if the low k bits of either word are zero, the low k bits of the output are zero, which seems like a bad property for this generator. 

I think you might want to put a rotate in there somewhere so high bits can affect low bits.  And maybe have your multiply be with an odd constant with balanced Hamming weight or something.  (Will integer multiply have constant time on most modern processors?)

--John
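The following is an added example, not code from the post or from the generator under discussion (which is not shown in the thread). It checks the three points above on a small word size where the whole input space can be enumerated: that a word-by-word multiply modulo 2^n is not a bijection and loses entropy, that zeros in the low k bits of a factor force zeros in the low k bits of the product and that no high bit of a factor can ever reach a lower output bit, and that a rotate followed by a multiply by an odd constant has neither defect. The 8-bit word size, the `mul_mix` and `rotate_mix` stand-ins, the rotation amount and the constant 0xA5 are all assumptions made for the demonstration.

```python
"""Exhaustive checks of the mixing-step properties discussed above (added example,
not from the original post). Word size is 8 bits so every (a, b) pair can be tried;
`mul_mix` stands in for a step that multiplies two words, `rotate_mix` for the
suggested rotate-then-multiply-by-odd-constant shape. All of these are assumptions."""
from collections import Counter
import math

BITS = 8                     # word size for exhaustive enumeration (assumption)
MASK = (1 << BITS) - 1
ODD_CONST = 0xA5             # odd, Hamming weight 4 of 8 (assumption, chosen for the demo)
ROT = 1                      # rotation amount (assumption)


def rotl(x, r):
    """Rotate a BITS-wide word left by r."""
    r %= BITS
    return ((x << r) | (x >> (BITS - r))) & MASK


def mul_mix(a, b):
    """Stand-in for a generator step that multiplies two words modulo 2^BITS."""
    return (a * b) & MASK


def rotate_mix(a, b):
    """Rotate one word so its high bits land in low positions, combine with the
    other word, then multiply by an odd constant (a bijection in b for fixed a)."""
    return (ODD_CONST * (rotl(a, ROT) ^ b)) & MASK


def low_zero_bits_propagate(mix, k):
    """True if the low k bits of mix(a, b) are zero whenever the low k bits of a are."""
    low = (1 << k) - 1
    return all(mix(a, b) & low == 0
               for a in range(1 << BITS) if a & low == 0
               for b in range(1 << BITS))


def output_entropy(mix):
    """Shannon entropy (bits) of mix(a, b) for uniform (a, b); 2*BITS bits go in,
    at most BITS can come out, and a non-bijective step loses some of those."""
    counts = Counter(mix(a, b) for a in range(1 << BITS) for b in range(1 << BITS))
    n = float(1 << (2 * BITS))
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_bijection(f):
    """True if f permutes the BITS-wide words (x -> c*x mod 2^BITS does iff c is odd)."""
    return len({f(x) for x in range(1 << BITS)}) == 1 << BITS


def hamming_weight(x):
    return bin(x).count("1")


def high_to_low_dependencies(mix):
    """Set of (i, j) with i > j such that flipping bit i of a can change bit j of
    mix(a, b) for some (a, b). For a multiply mod 2^n this is empty: flipping bit i
    of a changes the product by +/- 2^i * b, whose low i bits are all zero."""
    deps = set()
    for i in range(BITS):
        for a in range(1 << BITS):
            for b in range(1 << BITS):
                diff = mix(a, b) ^ mix(a ^ (1 << i), b)
                if diff & ((1 << i) - 1) == 0:
                    continue                     # no lower output bit moved
                for j in range(i):
                    if diff >> j & 1:
                        deps.add((i, j))
    return deps


if __name__ == "__main__":
    for name, mix in (("multiply", mul_mix), ("rotate + odd multiply", rotate_mix)):
        print(f"{name:22s} entropy out: {output_entropy(mix):.3f} of {2 * BITS} bits in;"
              f" low-4-zero propagates: {low_zero_bits_propagate(mix, 4)};"
              f" high->low dependencies: {len(high_to_low_dependencies(mix))}")
    print("x -> 0xA5*x is a bijection:", is_bijection(lambda x: (ODD_CONST * x) & MASK),
          "| x -> 0xA4*x is a bijection:", is_bijection(lambda x: ((ODD_CONST - 1) * x) & MASK))
```

The entropy figure is the quantity to watch: the plain multiply takes 16 bits of input and returns noticeably less than 8 bits (zero and other residues with many trailing zeros are over-represented), while the rotate-and-odd-multiply variant returns a uniform 8 bits because it is a permutation of b for every a. The dependency check is the concrete form of "high bits never affect low bits" for a multiply mod 2^n, which is what the rotate is there to break.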
