1

There are about million questions like this, but each and every answer I saw just uses Math.random() (and in the rare case where someone has managed to use crypto.getRandomValues(), it's incredibly biased), but I need something that's cryptographically secure. I'm looking especially something like Python's secrets.randbelow(). Even better if there's a counterpart to secrets.choice(). Is there anything like that available in the standard Javascript without jQuery or other insanely large and complex dependencies? I couldn't find anything from Mozilla's documentation either.

Or should I just implement it myself? Would something like the following work or is there something I have completely missed?

//Return a random int in the range [0, n).
function randbelow(n) {
  if (n < 1) {
    throw 'Upper bound must be positive.';
  }
  if (n === 1) {
    return 0;
  }
  const maxsize = 2 ** 32;
  if (n > maxsize) {
    throw 'Only unsigned 32-bit integers are supported.';
  }
  const rem = maxsize % n;
  const limit = maxsize - rem;
  let r;
  do {
    r = crypto.getRandomValues(new Uint32Array(1))[0];
  } while (r >= limit);
  return r % n;
}

// test
var arr = ['item1', 'item2', 'item3'];
console.log(arr[randbelow(arr.length)]);
oittaa
  • 599
  • 3
  • 16
  • according to the documentation for getRandomValues ... `The Crypto.getRandomValues() method lets you get cryptographically strong random values` - which is what you want. Your code, as I understand it, does a good job of handling potential bias in the results (i.e. the `limit` - simple but effective) - so, on the face of it (as I'm not a cryptographer) it looks like an excellent solution to your particular issue - unless you're dealing with nuclear launch codes or something – Bravo Feb 20 '22 at 02:42
  • 2
    @oittaa - I don't think a moderator closed it as a duplicate (spectric isn't a mod) - high rep people can vote to close a question and when enough do, the question is closed. higher rep (non moderator) people can unilaterally close a topic as duplicate. Happens all the time, don't sweat it. Won't do you any good around here, speaking from experience :p – Bravo Feb 20 '22 at 02:55

1 Answers1

-1

TLDR;

import { randomInt } from 'https://cdn.jsdelivr.net/npm/random-browser';

console.log('Random number chosen from (0, 1, 2): ' + randomInt(3));

Since every "answer" on this site basically boiled down to one of the following:

  1. Math.random().
  2. Doing something completely wrong like using "randomness" from mouse movement.
  3. Importing megabytes of random dependencies that haven't been updated in years.
  4. Not understanding modulo bias.

I wrote couple of functions that mimic crypto module from Node.js and borrow ideas from Python's secrets module. The whole thing is around one kilobyte without any other dependencies. I still find it kinda crazy that in 2022 JavaScript doesn't offer any way to natively generate cryptographically random integers.

<script type="module">
import { choice, randomBits, randomBytes, randomInt, tokenHex } from 'https://cdn.jsdelivr.net/npm/random-browser';

console.log('Pick a random fruit from array: ' + choice(['Apple', 'Banana', 'Orange']));
console.log('Pick a random character from string: ' + choice('ABCDEF'));
console.log('Random integer with 4 random bits (<16): ' + randomBits(4));
console.log('3 random bytes e.g. [218, 82, 127]: ' + randomBytes(3));
console.log('Random number chosen from (0, 1, 2): ' + randomInt(3));
console.log('The dice rolled: ' + randomInt(1, 7));
console.log('32 character hexadecimal string from 16 random bytes: ' + tokenHex(16));
</script>
oittaa
  • 599
  • 3
  • 16