[fpgaminer]

> Most development platforms should be defaulting to secure random number generators, and most developers should be reaching for secure random number generators as their default choice.

I was curious about this statement. So I did some research.

This page (http://vigna.di.unimi.it/xorshift/) indicates that xoroshiro128+ generates 64-bits in 0.81ns on a modern 3.6GHz CPU.

If I'm reading this page correctly (https://bench.cr.yp.to/results-stream.html) ChaCha20 gets about 0.8 cycles per byte these days on modern CPUs.

Running the math we get 9.88 GB/s for Xoroshiro128+ and 5.14 GB/s for ChaCha20 (assuming a 3.6GHz modern CPU for both).

Actually a _lot_ closer than I thought. It never occurred to me that a CSPRNG could compete, performance wise, with a non-CS PRNG.

I'm sure there's variation here. Sometimes CSPRNGs will have re-keying cycles, and probably most implementations aren't going to use the highly optimized version we see in the benchmark. I'm not sure if the Xoroshiro128+ benchmark I found used a version utilizing all the SIMD functionality of the CPU (like the ChaCha20 benchmark does). I'm also not sure if Xoroshiro128+ is the fastest PRNG or not.

But I have to say, if these numbers are accurate ... you're just plain right. There's no reason to default to a non-CSPRNG. CSPRNG is a safer default, and in the rare scenario that a developer needs more performance they can go seek out a specific PRNG for their needs.

[tptacek]

I'm not even saying you should never use an LCG. Go ahead, if you're absolutely sure you need it, in the very specific places that you actually need it. But not only are CSPRNGs performance competitive on modern machines, but most places that need RNGs aren't in the performance hot-spot anyways.