Hacker News new | past | comments | ask | show | jobs | submit login

I think all these people complaining about PCG not being secure or the existence of a new insecure PRNG have never worked in simulations or HPC. Absurdly fast PRNGs that are reasonably well behaved are super useful in things like monte-carlo simulations and black-box optimization algorithms.

The AVX-512 version of PCG runs at around 4 bytes / CPU cycle. That's pretty hard to beat.




There are secure AEAD constructions that are <1cpb today, and they do extra MAC work that a simple PRF in a CSPRNG doesn't need to do. I'm sure PCG is faster, but for the overwhelming majority of applications, it's not so much faster as to matter; meanwhile, a fast CSPRNG also gives you security, which you might find you need later on.


Can you clarify this? An RNG is generating n bytes of output per cycle. An AEAD is consuming n bytes of input per cycle. And an AEAD doesn’t need to have uniformly random-looking output to be secure.


An AEAD is consuming n bytes of input per cycle and producing at least n bytes of output, that is, the output ciphertext plus tag.

The definition of authenticated encryption is, essentially, indistinguishability of the ciphertext plus MAC security of the tag. You're right, the tag does not need to be indistinguishable from random, but in the majority of the cases it is anyway.

One significant difference between these non-cryptographic generators and cryptographic ciphers is that of latency---generators often optimize for latency, whereas ciphers optimize for throughput. By taking a cipher and a sufficiently large buffer, you can have low latency as well, at the cost of some memory.

For comparison, consider MORUS, AEGIS, and Tiaoxin, three unbroken contestants of the CAESAR competition. MORUS uses only AND, XOR, and bitwise rotation, and achieves somewhere between 0.5 and 0.66 cycles per byte on current x86 chips. AEGIS and Tiaoxin use the AES round, and where AES-NI is available, perform at between 0.15 to 0.25 cycles per byte. The claim somewhere above is that PCG can do 0.25 cycles per byte (or 4 words per cycle) when going all out with AVX-512; that's only hard to beat if you've not been paying attention.


Ah. So the “AEAD” part had little to do with it, in the sense that a non-authenticated cipher without associated data would work just as well. ChaCha20 makes an excellent and quite fast RNG, whereas using ChaCha20-Poly1305 as an RNG would be rather silly.
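Putting the two points above together, the "cipher plus a buffer" construction and ChaCha20 as a plain RNG, here is an added example of my own; it is not code from this thread, from the PCG project, or from any ChaCha20 library. It puts a one-block ChaCha20 CSPRNG next to the reference PCG32 generator behind the same 32-bit-output interface. The PCG32 routine is the published XSH-RR algorithm and seeding procedure from pcg-random.org; the ChaCha20 block function follows RFC 8439 section 2.3. The struct names, the `*_next`/`*_seed` function names, the single 16-word buffer, and the two known-answer helpers are my choices. Both generators are checked against published values: the pcg32-demo seed (42, 54) and the RFC 8439 section 2.3.2 keystream block.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- PCG32 (XSH-RR): the reference algorithm from pcg-random.org.
 * 64-bit LCG state, 32-bit output, and the same seeding procedure as the
 * minimal C library, so the demo seed (42, 54) reproduces its output. ---- */
typedef struct { uint64_t state, inc; } pcg32_t;

static uint32_t pcg32_next(pcg32_t *rng) {
    uint64_t old = rng->state;
    rng->state = old * 6364136223846793005ULL + rng->inc;  /* inc is always odd */
    uint32_t xorshifted = (uint32_t)(((old >> 18u) ^ old) >> 27u);
    uint32_t rot = (uint32_t)(old >> 59u);
    return (xorshifted >> rot) | (xorshifted << ((-rot) & 31u));
}

static void pcg32_seed(pcg32_t *rng, uint64_t initstate, uint64_t initseq) {
    rng->state = 0u;
    rng->inc = (initseq << 1u) | 1u;
    pcg32_next(rng);
    rng->state += initstate;
    pcg32_next(rng);
}

/* ---- ChaCha20 block function (RFC 8439 section 2.3) as a buffered CSPRNG:
 * one call to the block function yields 64 bytes of keystream, handed out
 * one 32-bit word at a time; a bigger buffer would trade memory for latency. */
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

static void quarter_round(uint32_t *x, int a, int b, int c, int d) {
    x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL32(x[d], 16);
    x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL32(x[b], 12);
    x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL32(x[d], 8);
    x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL32(x[b], 7);
}

static void chacha20_block(const uint32_t in[16], uint32_t out[16]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < 10; i++) {            /* 10 double rounds = 20 rounds */
        quarter_round(x, 0, 4, 8, 12);  quarter_round(x, 1, 5, 9, 13);
        quarter_round(x, 2, 6, 10, 14); quarter_round(x, 3, 7, 11, 15);
        quarter_round(x, 0, 5, 10, 15); quarter_round(x, 1, 6, 11, 12);
        quarter_round(x, 2, 7, 8, 13);  quarter_round(x, 3, 4, 9, 14);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];   /* feed-forward */
}

static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

typedef struct {
    uint32_t input[16];   /* constants | key | block counter | nonce */
    uint32_t buf[16];     /* one 64-byte keystream block */
    int pos;              /* next unread word in buf; 16 means "empty" */
} chacha_rng_t;           /* hypothetical type name, not from any library */

static void chacha_rng_seed(chacha_rng_t *rng, const uint8_t key[32],
                            const uint8_t nonce[12], uint32_t counter) {
    rng->input[0] = 0x61707865; rng->input[1] = 0x3320646e;  /* "expand 32-byte k" */
    rng->input[2] = 0x79622d32; rng->input[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) rng->input[4 + i] = load32_le(key + 4 * i);
    rng->input[12] = counter;
    for (int i = 0; i < 3; i++) rng->input[13 + i] = load32_le(nonce + 4 * i);
    rng->pos = 16;
}

static uint32_t chacha_rng_next(chacha_rng_t *rng) {
    if (rng->pos == 16) {                     /* buffer drained: refill */
        chacha20_block(rng->input, rng->buf);
        rng->input[12]++;                     /* advance the block counter */
        rng->pos = 0;
    }
    return rng->buf[rng->pos++];
}

/* Known-answer helpers (my additions): n-th (0-based) output of pcg32 seeded
 * as in pcg32-demo (42, 54), and n-th keystream word of the RFC 8439
 * section 2.3.2 vector (key 00..1f, nonce 00000009 0000004a 00000000, ctr 1). */
static uint32_t pcg32_demo_output(int n) {
    pcg32_t rng; pcg32_seed(&rng, 42u, 54u);
    uint32_t v = 0;
    for (int i = 0; i <= n; i++) v = pcg32_next(&rng);
    return v;
}

static uint32_t chacha_kat_word(int n) {
    uint8_t key[32], nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha_rng_t rng; chacha_rng_seed(&rng, key, nonce, 1);
    uint32_t v = 0;
    for (int i = 0; i <= n; i++) v = chacha_rng_next(&rng);
    return v;
}

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("pcg32 0x%08" PRIx32 "   chacha20 0x%08" PRIx32 "\n",
               pcg32_demo_output(i), chacha_kat_word(i));
    return 0;
}
```

The first PCG32 word comes out as 0xa15c02b7, the first ChaCha20 word as 0xe4e7f110, matching the published demo output and the RFC vector. The ChaCha20 side is the bare "cipher plus buffer" shape only: a real CSPRNG around it also needs a proper seed source, a reseed policy before the 32-bit block counter wraps, and fast key erasure (overwriting the key with fresh keystream after each refill), none of which this example does.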


The AEAD bit is just as a baseline of performance - look how fast you can make this go if you had to do all the work to be an AEAD scheme. For 'merely' a CSPRNG, you can go faster. The argument is, for lots of typical applications that require randomness, you might as well go with a CSPRNG because it will be fast enough.


If you are using AVX, you might as well use AES-NI, which will probably be faster than PCG. Also, the xoshiro/xoroshiro RNGs are faster than PCG.


Not sure about that. The pcg C implementation uses some hand-rolled assembly and iirc already does SSE or AVX instructions.


Which implementation are you talking about? The only assembly I can see in the reference implementation is used because clang fails to optimize a rotation. There seems to be no explicit SIMD at all.


My bad. They should add that.



