Published on June 24, 2025
MAR62: A Compact, Collision-Resistant URL Encoding Algorithm
Implementation GoToIt.us
GoToIt.us runs on a custom algorithm called MAR62 — a minimal, efficient, and cryptographically aware encoder that produces short, human-friendly link codes without tracking and without collision.
This document explains how MAR62 works, why it's unique, and how it supports optional metadata like password protection and expiration dates.
If you want to skip the tutorial, you can check out GotToIt.us now.
GoToIt.us
The GotToIt.us application is built using a React/Typescript/Vite front end hosted by Vercel, with a .NET API back end hosted (via a Docker image) on fly.io. Database is handled by MongoDB. I have nothing but love for all three of these organizations.
Overview of MAR62
At its core, MAR62 encodes essential metadata about a link into a compact, collision-resistant Base62 string — capped at 8 characters. It's designed for:
- High uniqueness, even under high write volume
- Low collision probability using timestamp, nonce, and HMAC hashing
- Obfuscation, without requiring external identifiers or database lookups
- Optional metadata like password hashes and expiration windows
How It Works
1. Input Composition
To generate a short code, MAR62 combines:
timestamp: Current UTC time in nanosecondsnonce: 6-char substring of a GUID (for entropy)url: Decomposed intoprotocol,domain,path,file,query
These parts are joined with pipes (|) into a single deterministic string:
{timestamp}|{nonce}|{url.Protocol}|{url.Domain}|{url.Path}|{url.File}|{url.Query}
2. HMAC-SHA256 Signature
The combined input string is hashed using HMAC-SHA256, with a mutating key:
var key = Encoding.UTF8.GetBytes(HmacKeyProvider.GetCurrentKey());
var hmac = new HMACSHA256(key);
var fullHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(input));
- The HMAC key is time-derived and rotates hourly.
- This provides temporal obfuscation and replay resistance.
3. Bit Packing and Base62 Encoding
The hash digest is truncated to the first 6 bytes (48 bits), packed into a 47-bit unsigned long:
ulong value = (
((ulong)fullHash[0] << 40) |
((ulong)fullHash[1] << 32) |
((ulong)fullHash[2] << 24) |
((ulong)fullHash[3] << 16) |
((ulong)fullHash[4] << 8) |
fullHash[5]
) & 0x7FFFFFFFFFFFUL;
This is then MAR62-encoded:
Mar62Encode(value).PadLeft(8, '0');
Optional Password Protection
If a password is provided during shortening, it is hashed and stored:
PasswordHash = password;
The hash can later be verified using a rotating list of time-derived keys.
Optional Expiration Metadata
Expiration dates are parsed and stored as:
ExpiresOn = expirationDate;
If the current time exceeds ExpiresOn, the redirect is refused.
Collision Avoidance
Even with only 8 characters, 62^8 = ~218 trillion combinations are available.
MAR62 minimizes collisions by combining:
- High-resolution timestamps
- GUID-derived nonces
- Rotating HMAC keys
- Fixed-length encoded identifiers
Why Not Use Incrementing IDs?
MAR62 is built for privacy and anonymity. Incrementing IDs expose:
- Total user count
- Link creation order
- Internal structure
MAR62 hides all of that in an opaque, non-reversible string.
Summary
| Feature | Value |
|---|---|
| Code Length | 8 characters max |
| Character Set | A–Z, a–z, 0–9 (Base62) |
| Encoding Source | Timestamp, nonce, parsed URL |
| Hashing | HMAC-SHA256 with hourly salt |
| Collision Resistance | High (47-bit random space) |
| Password Support | Optional HMAC-stored hash |
| Expiration Support | Optional ExpiresOn field |
| Open Source | Yes |
| Tracking or Analytics | LocalStorage only, optional |
| Dependencies | None (fully independent implementation) |
Built for Freedom
MAR62 is a philosophy.
You own your links. You control their lifespan. No cookies. No tracking. No hidden agendas.
It's compact. It's clever. And it belongs to everyone.