I've heard good things about PCG PRNGs. This thread encouraged me to find out more; I read part of the paper and agree that it's great. I've used LCG in a few programs for speed and simplicity, but will definitely use PCG instead from now on, for everything.
The "minimal C version" which is prominent on the website and which counting_pine translated to FB is called "PCG XSH RR 64/32 (LCG)" in the paper (discussed in section 6.3.1).
The C code has been written for optimising C compilers, which can compile the rotation to a single x86 instruction, but FB can't do optimisations like that. If you actually cared about speed, you would just link the C code to your FB program, but if you refuse to do that and still care about speed, you're better off using the PCG XSH RS 64/32 variant instead, which "makes a slightly different trade-off—slightly worse statistical performance for slightly greater speed". But it does a shift instead of a rotation, so will be more than just slightly faster in FB.
counting_pine wrote: The periodicity of the random numbers is the same as that of the simple PRNG, but the secure hashing means that without a massive lookup table you can't find out the internal state based on its output.
(In the example code's case, it returns 32 bits of output for a 64-bit state anyway, so it's definitely a one-way hash.)
I don't really understand the hashing method, although it's clearly pretty simple.
(Thanks for the great summary.)
The hashing is not "secure". It's not obvious how to reverse it, and that's a major goal of the algorithm. But it's vastly simpler than all cryptographically secure random generators (CSRNGs), so I give it zero chance of standing that test -- doesn't matter how non-obvious it is; it only takes one person to come up with an algorithm. It seems that PCG XSH RR 64/32 requires a bare minimum of about 4 outputs to calculate the internal state (given unlimited computation), but it's likely an attack is more practical given a bit more than that. (This PRNG is not billed as secure, so breaking it might not even be considered publishable enough for most cryptographers to work on.)
There is one major shortcoming of the paper, which is that it doesn't compare to any modern CSRNG! The modern generation of sponge-based CSRNGs are very fast and versatile. The website compares to one: ChaCha20, but comparing to just one is far from adequate.
The hashing method is briefly described in section 6.3.1. Recall that in an LCG, higher bits are higher quality, because the b'th bit (counting from LSB) has period 2^b. "The strategy is to perform an xorshift to improve the high bits, then randomly rotate them so that all bits are full period". The top 5, best, bits are used for the rotation amount, then take the next 32 bits, xor in the top 18 bits of the state to give a better mix, before the crucial rotation. The bottom 27 bits are ignored, because they are low quality (but which I would guess weakens the security).
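To make the bit layout described above concrete, here is an added C example (not code from the thread or from the PCG project) that separates the LCG state transition from the XSH RR output permutation, with the XSH RS variant alongside for comparison. The multiplier and the seeding sequence follow the published minimal C version; the XSH RS output function is written as an assumption from the paper's description (xorshift, then a data-dependent shift instead of a rotation).

```c
#include <stdint.h>
#include <stdio.h>

#define PCG_MULT 6364136223846793005ULL   /* multiplier from the minimal C version */

typedef struct { uint64_t state; uint64_t inc; } pcg32_t;

/* 32-bit rotate right; an optimising C compiler emits a single ROR for this. */
static uint32_t rotr32(uint32_t x, unsigned r) {
    return (x >> r) | (x << ((32 - r) & 31));
}

/* XSH RR 64/32 output permutation, one step per line:
 * top 5 bits choose the rotation, the xorshift folds high bits into the
 * 32-bit window just below them, and the bottom 27 bits are discarded. */
uint32_t pcg_output_xsh_rr(uint64_t s) {
    unsigned rot = (unsigned)(s >> 59);                       /* bits 63..59 */
    uint32_t window = (uint32_t)(((s >> 18) ^ s) >> 27);      /* bits 58..27 */
    return rotr32(window, rot);
}

/* XSH RS 64/32 (assumed form): same xorshift idea, but the top 3 bits select
 * a variable shift instead of a rotation, which is cheaper without ROR. */
uint32_t pcg_output_xsh_rs(uint64_t s) {
    return (uint32_t)(((s >> 22) ^ s) >> ((s >> 61) + 22));
}

/* The LCG step is independent of the output function applied to the old state. */
uint32_t pcg32_next(pcg32_t *rng) {
    uint64_t old = rng->state;
    rng->state = old * PCG_MULT + (rng->inc | 1);
    return pcg_output_xsh_rr(old);
}

/* Seeding as in the minimal C version: the stream selector lives in the increment. */
void pcg32_seed(pcg32_t *rng, uint64_t initstate, uint64_t initseq) {
    rng->state = 0;
    rng->inc = (initseq << 1) | 1;
    pcg32_next(rng);
    rng->state += initstate;
    pcg32_next(rng);
}

/* Convenience for checking: first output for a given (initstate, initseq). */
uint32_t pcg32_first_output(uint64_t initstate, uint64_t initseq) {
    pcg32_t rng;
    pcg32_seed(&rng, initstate, initseq);
    return pcg32_next(&rng);
}

int main(void) {
    printf("0x%08x\n", pcg32_first_output(42, 54));   /* 0xa15c02b7 */
    return 0;
}
```

The two output functions take the same 64-bit state, so you can feed hand-built states (a single set bit) through each to see exactly which bits reach the 32-bit result.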