D-Nice
commented
3 years ago Completed research on this problem, to rule out 1.3 as an appropriate solution.
This research will be re-used in the protocol spec. Finding essentially yielded an equation to calculate the maximum bias potential for a specific bit size with the algorithm in place. It concluded that 64-bits would require every person (8B assumed) to generate over 200k passwords each, before even 1 of these, yields a password with a 1 character bias, with a probability of 50%, and that is assuming the most biased alphabet set being used, and 20 characters per password. WolframAlpha calculation (59 denotes the character possibilities of bias in comparison to non-biased characters which is the huge second number)
These were derived using the following hand-crafted mathematica equation:
Maximize[{FractionalPart[x/y]/Floor[x/y], x == 2^32 && 2 <= y <= 255 && Element[x | y, Integers]}, {x, y}]
or in traditional notation
The 32 can be exchanged with 64 or whatever bits you want to search the maximum possible bias for, and in a more formal format should be rewritten as variable a or the like.
On the other hand, 32-bit, would yield 17881 passwords with a probability of 50% of already having been biased (containing 1 biased character), under the previous assumptions, thereby it cannot be considered insignificant and is being thrown out as a solution. WolframAlpha calculation
See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigUint64Array for compat
1.1 ideal
1.3 fallbackdowngrade to using uin32array, which all browsers support... would technically increase the probability of certain characters appearing more than others, based on their index, however, should still be negligible enough2.1 must
2.2 must