
I've always been under the belief that larger block sizes require more rounds to achieve full diffusion. Rijndael, SPECK, and SIMON, for example, have a round multiplier based on the block size. The idea that a larger block size also necessitates more rounds for equivalent security also seems intuitively correct. However, reading DJB's paper introducing Salsa20, I came across the following:

The basic argument for a larger block size, say 256 bytes, is that one does not need as many cipher rounds to achieve the same conjectured security level. Using a larger block size, like copying state across blocks, seems to provide just as much mixing as the first few cipher rounds.

This goes against what I have always thought. Why is this?

forest
