$ cat /methodology.txt
Mathematical algorithms and methods behind our random data generators
[ Methodology - Quick Summary ]
What: Generate-Random.org uses cryptographically secure pseudo-random number generation (CSPRNG) based on operating system entropy sources, combined with specialized algorithms for each data type (Diceware for passphrases, Fisher-Yates for shuffling, Luhn algorithm for validation).
Standards: NIST SP 800-90A (CSPRNG), NIST SP 800-63B (passwords), RFC 4122 (UUIDs), EFF Diceware wordlists, ISO 13616 (IBANs).
Entropy sources: /dev/urandom (Linux/macOS), CryptGenRandom (Windows) - hardware timing jitter, thermal noise, interrupt events.
Key principle: Uniform distribution with cryptographic unpredictability - no value can predict future values.
[CRYPTOGRAPHICALLY SECURE RANDOM NUMBER GENERATION]
All randomness on Generate-Random.org originates from Cryptographically Secure Pseudo-Random Number Generators (CSPRNG), which meet the requirements defined in NIST Special Publication 800-90A.
Core Properties:
• Unpredictability: Given outputs O₁, O₂, ..., Oₙ, predicting Oₙ₊₁ is computationally infeasible
• Uniform distribution: P(x) = 1/N for all x in output space of size N
• Forward secrecy: Compromising state at time t does not reveal previous outputs
• High entropy: Minimum 128 bits of entropy per seed (256 bits recommended)
Entropy Sources:
• Hardware timing jitter: CPU instruction cycle variations (nanosecond precision)
• Thermal noise: Semiconductor thermal fluctuations
• Interrupt timing: Keyboard, mouse, disk I/O, network packet arrival times
• System events: Process scheduling, memory allocation patterns
[ALGORITHM IMPLEMENTATIONS BY GENERATOR TYPE]
1. Passwords & Passphrases
Password Algorithm:
charset = [a-zA-Z0-9!@#$%^&*...]
for i = 0 to length-1:
random_index = CSPRNG(0, |charset|-1)
password[i] = charset[random_index]
Entropy per character: log₂(|charset|) bits
Example: 94-character set = 6.55 bits/char
Passphrase Algorithm (Diceware Method):
wordlist = EFF_Long_Wordlist[7776]
for i = 0 to word_count-1:
random_index = CSPRNG(0, 7775)
passphrase[i] = wordlist[random_index]
return join(passphrase, separator)
Entropy calculation: E = n × log₂(7776) ≈ n × 12.925 bits
Example: 6 words = 77.5 bits of entropy
EFF Wordlist Properties:
• 7,776 words (6⁵ = 7,776 possible 5-dice rolls)
• Average word length: 7 characters
• Edit distance ≥ 3 between words (typo-resistant)
• No profanity, homophones, or confusing words
2. Random Numbers & Integers
Uniform Integer Distribution:
// Unbiased algorithm (rejection sampling)
range = max - min + 1
bits_needed = ceil(log₂(range))
do:
random_bits = CSPRNG_bytes(bits_needed)
candidate = bits_to_int(random_bits)
while candidate >= range
return min + candidate
This avoids modulo bias - ensures P(x) = 1/range for all x
Decimal Numbers (Fixed Precision):
integer_part = CSPRNG(min_int, max_int)
fractional = CSPRNG(0, 10^decimals - 1)
return integer_part + fractional / 10^decimals
Number Type Algorithms:
• Prime numbers: Generate candidate, apply Miller-Rabin primality test
• Even numbers: n = CSPRNG(min/2, max/2) × 2
• Odd numbers: n = CSPRNG((min-1)/2, (max-1)/2) × 2 + 1
3. UUIDs (Universally Unique Identifiers)
UUID v4 (Random):
bytes = CSPRNG_bytes(16) // 128 bits
bytes[6] = (bytes[6] & 0x0F) | 0x40 // Version 4
bytes[8] = (bytes[8] & 0x3F) | 0x80 // Variant RFC 4122
return format_uuid(bytes)
Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
Effective entropy: 122 bits (6 bits used for version/variant)
Collision probability: ~2.7×10⁻¹⁸ after 1 billion UUIDs
UUID v7 (Time-Ordered):
unix_ts_ms = current_timestamp_milliseconds() // 48 bits
random_bits = CSPRNG_bytes(10) // 80 bits
uuid = (unix_ts_ms << 80) | random_bits
apply_version_variant_bits(uuid, v7)
return format_uuid(uuid)
Sortable by creation time, database-friendly
Other UUID Versions:
• v1: Timestamp + MAC address (48-bit timestamp, 48-bit node ID)
• v3/v5: Namespace + name hashing (MD5/SHA-1 deterministic)
4. Shuffling & List Randomization
Fisher-Yates Shuffle Algorithm:
array = input_array
n = length(array)
for i = n-1 down to 1:
j = CSPRNG(0, i) // Unbiased random index
swap(array[i], array[j])
return array
Time complexity: O(n), Space complexity: O(1)
Produces uniform distribution: each permutation has probability 1/n!
Applications:
• List randomizer: shuffle user-provided items
• Team generator: shuffle, then partition into groups
• Secret Santa: shuffle + derangement check (no self-assignments)
5. Validation Algorithms
Luhn Algorithm (Credit Cards):
// Generate 15 random digits
for i = 0 to 14:
card[i] = CSPRNG(0, 9)
// Calculate Luhn check digit
sum = 0
for i = 0 to 14 (right to left):
digit = card[i]
if i is_odd: digit *= 2
if digit > 9: digit -= 9
sum += digit
check_digit = (10 - (sum mod 10)) mod 10
card[15] = check_digit
Detects single-digit errors and most transposition errors
IBAN Check Digits (ISO 13616):
// Generate random account number
country = "DE"
bank_code = random_digits(8)
account = random_digits(10)
// Calculate mod-97 check digits
rearranged = bank_code + account + country_to_digits("DE") + "00"
check_digits = 98 - (rearranged mod 97)
iban = country + pad(check_digits, 2) + bank_code + account
Mod-97 algorithm detects up to 99% of transcription errors
6. Hashing & Encoding
Cryptographic Hash Generation:
• MD5: 128-bit output (vulnerable, legacy use only)
• SHA-1: 160-bit output (deprecated for security)
• SHA-256: 256-bit output (recommended minimum)
• SHA-512: 512-bit output (high security)
random_data = CSPRNG_bytes(length)
hash = hash_function(random_data)
return hex_encode(hash)
Bcrypt (Adaptive Hashing):
password = CSPRNG_string(length)
salt = CSPRNG_bytes(16) // 128-bit salt
cost = 10 // 2¹⁰ = 1,024 iterations
hash = bcrypt(password, salt, cost)
return format_bcrypt(hash) // $2y$10$...
Work factor increases computation time exponentially: 2^cost iterations
Cost 10 ≈ 100ms, Cost 12 ≈ 400ms (adjustable for future hardware)
Base64 Encoding (RFC 4648):
random_bytes = CSPRNG_bytes(length)
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
return base64_encode(random_bytes)
Output length: ceil(4 × input_length / 3) bytes (~33% size increase)
URL-safe variant: replace +/ with -_ and remove padding
[STANDARDS & SPECIFICATIONS COMPLIANCE]
NIST SP 800-90A Rev. 1
Recommendations for Random Number Generation Using Deterministic Random Bit Generators
→ CSPRNG implementation standards
NIST SP 800-63B
Digital Identity Guidelines: Authentication and Lifecycle Management
→ Password strength requirements
RFC 4122
A Universally Unique IDentifier (UUID) URN Namespace
→ UUID format and generation
RFC 9562 (2024)
Universally Unique IDentifiers (UUIDs) - Updated specification with UUID v7
→ Time-ordered UUIDs
RFC 4648
The Base16, Base32, and Base64 Data Encodings
→ Base64 encoding standard
ISO 13616
International Bank Account Number (IBAN) structure
→ IBAN validation (mod-97)
ISO/IEC 7812
Identification cards - Identification of issuers
→ Credit card number structure
EFF Diceware Wordlists
Electronic Frontier Foundation curated passphrase wordlists (2016)
→ Passphrase generation
[ENTROPY CALCULATIONS & SECURITY ANALYSIS]
Entropy measures the unpredictability of random data. Higher entropy = harder to guess.
Entropy Formula:
H = log₂(N)
where N = number of possible values
Examples:
Single coin flip (2 outcomes)
1 bit
Single dice roll (6 outcomes)
2.58 bits
Single digit 0-9 (10 outcomes)
3.32 bits
Single lowercase letter (26 outcomes)
4.70 bits
Alphanumeric character (62 outcomes)
5.95 bits
ASCII printable character (94 outcomes)
6.55 bits
Diceware word (7,776 outcomes)
12.925 bits
Security Thresholds:
< 40 bits: WEAK
Brute-forceable with consumer hardware in hours/days
40-64 bits: MODERATE
Resistant to casual attacks, vulnerable to determined adversaries
64-80 bits: GOOD
Sufficient for most applications, resistant to offline attacks
80-128 bits: STRONG
Recommended for sensitive data, long-term security
> 128 bits: MAXIMUM
Computationally infeasible to brute-force with current technology
Comparison Table:
| Type | Example | Entropy | Possible Values |
|---|---|---|---|
| 8-char password (lowercase) | abcdefgh | 37.6 bits | 2.1 × 10¹¹ |
| 8-char password (mixed + symbols) | aB3$dF8! | 52.4 bits | 6.1 × 10¹⁵ |
| 4-word passphrase | correct-horse-battery-staple | 51.7 bits | 3.7 × 10¹⁵ |
| 16-char password (mixed + symbols) | K9$mP2@vL7!qR4*z | 104.8 bits | 3.7 × 10³¹ |
| 6-word passphrase | correct-horse-battery-staple-pencil-cloud | 77.5 bits | 2.2 × 10²³ |
| UUID v4 | f47ac10b-58cc-4372-a567-0e02b2c3d479 | 122 bits | 5.3 × 10³⁶ |
| 256-bit API key | 7f8a9c2e... | 256 bits | 1.2 × 10⁷⁷ |
[ATTACK RESISTANCE ANALYSIS]
Brute-Force Time Estimates:
Assuming 1 billion attempts/second (10⁹ attempts/sec)
40 bits (1.1 trillion possibilities)
~18 minutes
56 bits (72 quadrillion possibilities)
~2.3 years
64 bits (18 quintillion possibilities)
~585 years
80 bits
~38 million years
128 bits
~10³¹ years (10 billion × age of universe)
256 bits
~10⁶⁴ years (effectively impossible)
Note: Modern GPUs can achieve 10¹¹-10¹² attempts/sec for simple hashes, but CSPRNG-generated values remain secure at sufficient bit lengths.
Defense Against Common Attacks:
Dictionary Attacks:
Passphrases use 7,776-word list → resistance via high word count
4 words = 51.7 bits, immune to standard dictionaries
Rainbow Table Attacks:
Not applicable - no hashing of user-chosen values
Generated values are direct CSPRNG output
Timing Attacks:
Constant-time algorithms for index selection
No conditional branches based on secret data
Pattern Analysis:
Uniform distribution prevents frequency analysis
Statistical tests: chi-square, Kolmogorov-Smirnov pass
[QUALITY ASSURANCE & TESTING]
We validate randomness quality through multiple statistical tests and algorithmic verification.
Statistical Tests:
• Chi-square test: Verifies uniform distribution of values
• Runs test: Checks for sequential independence
• Gap test: Analyzes spacing between repeated values
• Serial correlation test: Ensures no autocorrelation
• Spectral test: Validates multidimensional distribution
Validation Checks:
• Luhn algorithm verification for credit card numbers
• Mod-97 validation for IBANs
• UUID version/variant bit correctness
• RFC compliance for formatted outputs
• Entropy calculation accuracy