Comment by adrian_b
8 days ago
In PRNGs there is a compromise between speed and the quality of their statistical properties.
So you must choose a PRNG wisely, depending on the intended purpose.
There are PRNGs good enough for any application, including those that use cryptographic mixing functions, but in many cases people prefer the fastest PRNGs.
The problems appear when the fastest PRNGs are used in applications for which they are not good enough, so the PRNG choice must be done carefully, whenever it is likely to matter.
With recent CPUs, the PRNG choice is much simpler than in the past. They can produce high quality random numbers by using AES at a rate only a few times lower than they can fill memory.
Because of this, the speed gap between the fastest PRNGs and good PRNGs has become much narrower than in the past. Therefore, if you choose a very good PRNG you do not lose much speed, so you can make this choice much more often.
Many kinds of non-cryptographic PRNGs have become obsolete, i.e. all those that are slower than the PRNGs using AES, SHA-2 or SHA-1, which use the dedicated hardware included in modern CPUs.
The non-cryptographic PRNGs that remain useful, due to superior speed, contain a linear congruential generator or a Galois field counter, which guarantee maximum period and allow sequence jumps and the ability to generate multiple independent random streams, together with some non-linear mixing function for the output, which improves the statistical properties.
Note this doesn't apply to GPUs among other things. To that end, counter based PRNGs such as Philox that employ a weakened cryptographic function are useful.
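As an added illustration (not part of adrian_b's comment), here is a minimal counter-based PRNG of the kind the last two paragraphs describe: an additive counter (an LCG with multiplier 1, so it has the full 2**64 period) followed by a non-linear output mixing function, which gives O(1) jump-ahead and cheap independent streams. The mixing constants are the splitmix64 finalizer; the way the stream id is folded into the starting counter is an assumption of this example, and nothing here is a cryptographic generator.

```python
MASK64 = (1 << 64) - 1
# An odd increment makes the additive counter a full-period (2**64) LCG with a=1.
INCREMENT = 0x9E3779B97F4A7C15


def mix64(z: int) -> int:
    """Non-linear output finalizer (splitmix64's); a bijection on 64-bit words, not crypto."""
    z &= MASK64
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return z ^ (z >> 31)


class CounterPRNG:
    """State is a single 64-bit counter; every output is mix64(counter)."""

    def __init__(self, seed: int, stream: int = 0):
        # Assumed stream scheme: mix seed and stream id so that streams 0, 1, 2 ...
        # start at far-apart points of the same 2**64 cycle (different windows of
        # one cycle, not disjoint cycles). mix64 is a bijection, so distinct
        # stream ids never start at the same counter.
        self.counter = mix64(seed ^ mix64(stream))

    def next_u64(self) -> int:
        self.counter = (self.counter + INCREMENT) & MASK64
        return mix64(self.counter)

    def jump(self, n: int) -> None:
        # O(1) jump-ahead: n steps of the counter is just n * INCREMENT, so a
        # worker can seek to output index n without generating the first n values.
        self.counter = (self.counter + n * INCREMENT) & MASK64


def jump_matches_sequential(seed: int, n: int) -> bool:
    """Check that jump(n) lands exactly where n calls to next_u64() would."""
    slow = CounterPRNG(seed)
    fast = CounterPRNG(seed)
    for _ in range(n):
        slow.next_u64()
    fast.jump(n)
    return slow.next_u64() == fast.next_u64()


def bit_balance(seed: int, samples: int) -> float:
    """Fraction of one-bits over `samples` outputs; a crude sanity check, ~0.5 expected."""
    g = CounterPRNG(seed)
    ones = sum(bin(g.next_u64()).count("1") for _ in range(samples))
    return ones / (64 * samples)
```

The same split (counter for period and seekability, mixer for statistical quality) is what lets GPU-oriented generators such as Philox hand each thread its own counter range with no shared state.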