Topic: Are dices for generating seed words fair? (Read 3456 times)

sr. member
Activity: 1190
Merit: 469
January 11, 2024, 01:14:35 AM


I accept a bias of 30% for one side since it still has good entropy if i go for 24 word seed.
You're sure about that?

if one side had a 30% bias, that's almost double the normal theoretical bias of 1/6. there would have to be something REALLY wrong with a dice if it was that far off.
legendary
Activity: 2268
Merit: 18711
January 10, 2024, 08:53:34 AM
I will run it 500 times and see if there's a bias.
Rolling a die 500 times to look for bias is grossly insufficient. You need thousands of flips to exclude a small bias from a coin which only has two possible outcomes (which is why it is faster to not bother and just use a Von Neumann approach). For a die with (presumably) 6 possible outcomes you are looking at tens of thousands of rolls.

I accept a bias of 30% for one side since it still has good entropy if i go for 24 word seed.
You're sure about that? As soon as you deviate from a uniform distribution, then min entropy becomes more important than Shannon entropy. What's the min entropy of your biased die? If you don't know what I'm talking about, then how do you know your system is safe?

this method is from iancoleman website. Do you think it's not good enough since he is the creator of the bip39? why do you think the coin flip method is better?
Ian Coleman did not create BIP39. You might also be interested in this discussion of bias on his GitHub: Bias in dice based entropy

A Von Neumann's coin flip method is better because it is faster, it is simpler, there is no possibility to introduce various biases such as modulo bias, and most importantly, it is verifiably random.
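
Added example (not part of any post in this thread): a Python comparison of Shannon entropy and min-entropy for a die. It assumes that "a bias of 30% for one side" means one face lands with probability 0.30 and the other five share the rest equally; the function names are illustrative.

```python
import math

def shannon_entropy(probs):
    """Average information per roll, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy(probs):
    """Worst-case information per roll: -log2 of the most likely face."""
    return -math.log2(max(probs))

def rolls_needed(per_roll_bits, target_bits=256):
    """Rolls required to accumulate target_bits at the given rate."""
    return math.ceil(target_bits / per_roll_bits)

def best_guess_log2(probs, n_rolls):
    """log2 of the probability that the single most likely sequence
    (the most likely face, n_rolls times) is the one actually rolled."""
    return -n_rolls * min_entropy(probs)

FAIR = [1 / 6] * 6
# Assumption: "30% bias" = one face at 0.30, the other five at 0.14 each.
BIASED = [0.30] + [0.14] * 5

if __name__ == "__main__":
    for name, die in (("fair", FAIR), ("biased", BIASED)):
        h, hmin = shannon_entropy(die), min_entropy(die)
        print(f"{name:6s} Shannon={h:.4f} min={hmin:.4f} bits/roll; "
              f"rolls for 256 bits: {rolls_needed(h)} by Shannon, "
              f"{rolls_needed(hmin)} by min-entropy")
    print("log2 P(best guess) after 100 biased rolls:",
          round(best_guess_log2(BIASED, 100), 2))
```

For a fair die the two measures coincide; for the biased die the min-entropy figure is the one that bounds an attacker's best single guess.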
sr. member
Activity: 1190
Merit: 469
January 10, 2024, 01:16:52 AM

I would use casino grade dices and test it for its bias before using it. To convert it to binary without bias i would use this model : number1 : 1 number2: 0 number3: 00 number4: 01 number5: 10 number6: 11.

that sounds sketchy. but it could be valid. i have no idea. the thing is though that think about it. you're trying to get a 256-bit binary string. 4,5 and 6 reduce the entropy because they take more information to encode but they have the same probability of occurring as all the other numbers. that seems problematic maybe i'm not sure.

also, you have no idea how many dice rolls are going to be needed to generate your 256 bit number that seems problematic too. it could be 256 rolls but it could be 128 or anything in between which brings up another question: what if you roll the dice and have collected 255 bits and then on your final roll, you happen to roll a 4,5 or 6? then you have a problem. it means you have to start all over again. i guess.

Quote
I would then use https://iancoleman.io/bip39/ on an old offline pc to get to 24 words
partly correct but you would not need to do all that fancy stuff you mentioned above since ian coleman has a "base 6" option. you can just enter your rolls using the digits 2-6. for example, 2342356533533225644331....


Quote
Do you think this is a valid method?

not as valid as using o_e_l_e_o's coin flipping bias eliminator method. it's in this thread...
jr. member
Activity: 37
Merit: 21
January 09, 2024, 07:14:38 PM

Which statistical tests are you going to use? What degree of bias are you trying to exclude? What p value are you happy with? How many rolls does that require?


I will run it 500 times and see if there's a bias. I accept a bias of 30% for one side since it still has good entropy if i go for 24 word seed. Even though i know it can't have that bias since they are casino dice


this method is from iancoleman website. Do you think it's not good enough since he is the creator of the bip39? why do you think the coin flip method is better?
legendary
Activity: 2268
Merit: 18711
January 08, 2024, 09:22:33 AM
I would use casino grade dices and test it for its bias before using it.
Which statistical tests are you going to use? What degree of bias are you trying to exclude? What p value are you happy with? How many rolls does that require?

To convert it to binary without bias i would use this model : number1 : 1 number2: 0 number3: 00 number4: 01 number5: 10 number6: 11.
This method has always "felt" like the best way to turn dice rolls in to bits to me, but I am not a cryptographer and I cannot rule out some bias or other flaw of which I am unaware. And this is why I always recommend that people don't come up with their own ad hoc schemes and instead stick to the tried, tested, and verified methods.

It will be far quicker using a Von Neumann approach to flipping a coin to generate a provably random stream of bits than it will be to even begin to test the fairness of your dice.
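
Added example, not from the thread: the Von Neumann approach to coin flips referred to above, with an exact check that the first output bit is unbiased for a fixed coin bias. It assumes flips are independent with a constant bias; the function names are illustrative.

```python
from fractions import Fraction
from itertools import product

def von_neumann(flips):
    """Pair up flips (0/1); discard equal pairs, emit the first flip of
    each unequal pair. A trailing unpaired flip is ignored."""
    it = iter(flips)
    return [a for a, b in zip(it, it) if a != b]

def first_bit_distribution(p_one, n_pairs):
    """Exact probability that the first extracted bit is 0, is 1, or that
    nothing is extracted (None), over every sequence of 2*n_pairs flips
    of a coin that shows 1 with probability p_one."""
    p = Fraction(p_one)
    dist = {0: Fraction(0), 1: Fraction(0), None: Fraction(0)}
    for seq in product((0, 1), repeat=2 * n_pairs):
        prob = Fraction(1)
        for flip in seq:
            prob *= p if flip else 1 - p
        bits = von_neumann(seq)
        dist[bits[0] if bits else None] += prob
    return dist

def expected_flips(p_one, target_bits=256):
    """Each pair yields a bit with probability 2p(1-p), so one output bit
    costs 1 / (p(1-p)) flips on average."""
    p = Fraction(p_one)
    return target_bits / (p * (1 - p))

if __name__ == "__main__":
    # Constructed sample: 0 = tails, 1 = heads.
    print(von_neumann([0, 1, 1, 1, 1, 0, 0, 0, 1, 0]))
    d = first_bit_distribution(Fraction(7, 10), 3)
    print("P(0) == P(1):", d[0] == d[1], "| P(no output):", d[None])
    print("expected flips, fair coin:", expected_flips(Fraction(1, 2)))
    print("expected flips, 70/30 coin:", float(expected_flips(Fraction(7, 10))))
```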
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
January 08, 2024, 06:13:22 AM
I would use casino grade dices and test it for its bias before using it.
How are you going to test this?
jr. member
Activity: 37
Merit: 21
January 07, 2024, 04:26:35 PM
Is this really necessary ?
I'll refer you to an answer I gave in another thread on this topic:

Maybe. Maybe not. The numbers given so far in this thread discuss the Shannon entropy, but have you calculated the min-entropy you would achieve from doing this? What randomness extractor algorithm are you planning to use to turn those dice rolls in to usable entropy? How are you converting those dice rolls to binary without introducing modulo bias? It's not as simple as just "roll the dice more" - it's a very complex topic which most people do not fully understand (and I do not profess to either), which is why whenever the topic of manually generating entropy comes up, I always suggest von Neumann's coin flips to simply, quickly, and most importantly verifiably generate 128 or 256 bits of provably unbiased entropy.

If the answer to generating true random numbers was as simple as "Take any old non-random and biased process and just repeat it a bunch of times", there would not be an entire field of research dedicated to it.

We have methods which are provable and verifiable. Why risk everything by coming up with your own ad hoc scheme?

I would use casino grade dices and test it for its bias before using it. To convert it to binary without bias i would use this model : number1 : 1 number2: 0 number3: 00 number4: 01 number5: 10 number6: 11.

I would then use https://iancoleman.io/bip39/ on an old offline pc to get to 24 words and then burn the pc on my furnace.

Do you think this is a valid method?
legendary
Activity: 2268
Merit: 18711
December 28, 2023, 06:16:38 AM
what's the problem with Trezor as a company though, just curious.
They are anti-privacy and actively support blockchain analysis via their partnership with Wasabi.

so if you were storing $1,000,000 (or whatever you consider to be a large amount of money) you wouldn't have any issue slapping in 2 AAA batteries into it and the first seed phrase it generates you go with that one?
I'm probably never going to store that much money in a hardware wallet (or indeed, in a single wallet at all). Multiple separate cold storage wallets is the way to go.

Although I would also be using a separately generated and secure passphrase, so even if my seed phrase was compromised my funds would still be protected.

so you can create your seed phrase by flipping a coin and then use that on the hardware wallet? they let you put in your own seed phrase, i'm assuming. would that be an acceptable thing for you?
For an open source and airgapped hardware wallet, yes. For a Ledger device, no.
sr. member
Activity: 1190
Merit: 469
December 26, 2023, 08:13:33 PM
Ledger hardware wallets can "phone home" to send your seed phrase, so no, connected to an online computer I still wouldn't trust them. It's basically a hot wallet nowadays.

i see what you mean: https://cointelegraph.com/news/crypto-community-reacts-to-ledger-wallet-s-secret-recovery-phrase-service


legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 26, 2023, 08:25:17 AM
so you can create your seed phrase by flipping a coin and then use that on the hardware wallet? they let you put in your own seed phrase, i'm assuming. would that be an acceptable thing for you?
Ledger hardware wallets can "phone home" to send your seed phrase, so no, connected to an online computer I still wouldn't trust them. It's basically a hot wallet nowadays.
sr. member
Activity: 1190
Merit: 469
December 26, 2023, 04:48:08 AM
Ledger no, because it is closed source and actively malicious.

and you have stuff like this:

https://www.coindesk.com/business/2023/12/14/defi-protocol-sushis-cto-warns-of-possible-exploit/

It confirmed that a former Ledger employee fell victim to a phishing attack, which allowed a hacker to insert malicious code into Ledger's Connect Kit.


Imagine that, you lose your money because some employee was dumb and let someone else put some wallet draining code into the Ledger. Software attack. I guess part of that wallet draining code had the hacker's Ethereum address so it could send everyone's tokens to him or her. that's really bad security on Ledger's part that something like that could even be theoretically possible.

Quote
Trezor maybe since it is open source, but there are a variety of reasons I don't trust Trezor as a company so I'm never going to buy one of their products.
plus they're kind of pricey too. but all hardware wallets seem to be really pricey these days. what's the problem with Trezor as a company though, just curious.

Quote
I would use an entirely open source hardware wallet like Passport, though, where I can see exactly how it is generating its random numbers.
so if you were storing $1,000,000 (or whatever you consider to be a large amount of money) you wouldn't have any issue slapping in 2 AAA batteries into it and the first seed phrase it generates you go with that one? what if there was some type of electronic glitch?

Quote from: LoyceV
This is one of the reasons I'd never trust a hardware wallet with a lot.
Yeah I can see why. I don't think I could either. Imagine losing all your bitcoin and then saying "if only I would have just flipped a coin..."

Quote
But the solution, at least for this part, is simple: create your own seed from flipping coins.
so you can create your seed phrase by flipping a coin and then use that on the hardware wallet? they let you put in your own seed phrase, i'm assuming. would that be an acceptable thing for you?

legendary
Activity: 2268
Merit: 18711
December 26, 2023, 03:46:28 AM
would you consider using a trezor or ledger or some hardware device that you can't really visibly verify what is going on you have to trust that it is generating random numbers?
Ledger no, because it is closed source and actively malicious. Trezor maybe since it is open source, but there are a variety of reasons I don't trust Trezor as a company so I'm never going to buy one of their products. I would use an entirely open source hardware wallet like Passport, though, where I can see exactly how it is generating its random numbers.

legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
December 25, 2023, 10:12:38 AM
does anybody really trust casino dices?

In major casinos they are likely close to 1/6 per spot.

As a very astute player may detect a large bias and bet to their advantage.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 25, 2023, 02:32:21 AM
would you consider using a trezor or ledger or some hardware device that you can't really visibly verify what is going on you have to trust that it is generating random numbers? i have a hard time with that.
This is one of the reasons I'd never trust a hardware wallet with a lot. But the solution, at least for this part, is simple: create your own seed from flipping coins.
sr. member
Activity: 1190
Merit: 469
December 24, 2023, 11:52:23 PM


We have methods which are provable and verifiable. Why risk everything by coming up with your own ad hoc scheme?

would you consider using a trezor or ledger or some hardware device that you can't really visibly verify what is going on you have to trust that it is generating random numbers? i have a hard time with that. every time i ever thought about using some hardware wallet to do that, i thought maybe i should do one or two just to get it "warmed up" so that's how little i trust an electronic device.

legendary
Activity: 2268
Merit: 18711
December 23, 2023, 09:52:57 AM
Is this really necessary ?
I'll refer you to an answer I gave in another thread on this topic:

Maybe. Maybe not. The numbers given so far in this thread discuss the Shannon entropy, but have you calculated the min-entropy you would achieve from doing this? What randomness extractor algorithm are you planning to use to turn those dice rolls in to usable entropy? How are you converting those dice rolls to binary without introducing modulo bias? It's not as simple as just "roll the dice more" - it's a very complex topic which most people do not fully understand (and I do not profess to either), which is why whenever the topic of manually generating entropy comes up, I always suggest von Neumann's coin flips to simply, quickly, and most importantly verifiably generate 128 or 256 bits of provably unbiased entropy.

If the answer to generating true random numbers was as simple as "Take any old non-random and biased process and just repeat it a bunch of times", there would not be an entire field of research dedicated to it.

We have methods which are provable and verifiable. Why risk everything by coming up with your own ad hoc scheme?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
December 22, 2023, 11:22:22 AM
Do you like the idea of adding a coin flip when i am at 10 numbers in order to get the number 11 or this is bad for entropy?
I like the idea of using von Neumann's method and not some sketchy method you just invented. Use what is tested and reviewed.
jr. member
Activity: 37
Merit: 21
December 22, 2023, 10:51:06 AM
Another simple way is to count bits according to this array:
Code:
1: 00
2: 01
3: 10
4: 11
5: 0
6: 1


I like this. Do you like the idea of adding a coin flip when i am at 10 numbers in order to get the number 11 or this is bad for entropy?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
December 22, 2023, 10:40:58 AM
how do you convert the 1 to 6 in a dice to 0 and 1 to get a seed word?
There are lots of ways. One simple way is to hash the dice result record, e.g. sha256("262351..."); this one might decrease the entropy by a little (here's why). Another simple way is to count bits according to this array:
Code:
1: 00
2: 01
3: 10
4: 11
5: 0
6: 1

That's faster than counting {1, 2, 3} as 0 and {4, 5, 6} as 1, because it adds 1.66 bits on every dice roll, on average.
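
Added example, not from the thread: the code table above applied to a sequence of rolls, with an exact enumeration of the resulting bit prefix for a fair die and for a constructed biased die (face 1 at 3/10, the rest at 7/50 each, an assumption made here). Surplus bits from the final roll are dropped, and the function names are illustrative.

```python
from fractions import Fraction
from itertools import product

# Table from the post: faces 1-4 give two bits, faces 5-6 give one.
ENCODING = {1: "00", 2: "01", 3: "10", 4: "11", 5: "0", 6: "1"}

def rolls_to_bits(rolls, n_bits):
    """Concatenate the codes and keep the first n_bits."""
    bits = "".join(ENCODING[r] for r in rolls)
    if len(bits) < n_bits:
        raise ValueError(f"only {len(bits)} bits collected, roll again")
    return bits[:n_bits]

def mean_bits_per_roll(face_probs):
    """Expected number of bits one roll contributes."""
    return sum(p * len(ENCODING[f]) for f, p in face_probs.items())

def prefix_distribution(face_probs, n_bits):
    """Exact distribution of the first n_bits. n_bits rolls always
    suffice because every roll contributes at least one bit."""
    dist = {}
    for rolls in product(ENCODING, repeat=n_bits):
        prob = Fraction(1)
        for r in rolls:
            prob *= face_probs[r]
        key = rolls_to_bits(rolls, n_bits)
        dist[key] = dist.get(key, Fraction(0)) + prob
    return dist

FAIR = {f: Fraction(1, 6) for f in ENCODING}
# Constructed biased die (assumption): face 1 at 3/10, others 7/50 each.
BIASED = {f: Fraction(3, 10) if f == 1 else Fraction(7, 50) for f in ENCODING}

if __name__ == "__main__":
    print("bits per roll, fair die:", mean_bits_per_roll(FAIR))
    fair4 = prefix_distribution(FAIR, 4)
    print("fair die, all 4-bit prefixes equally likely:",
          set(fair4.values()) == {Fraction(1, 16)})
    biased4 = prefix_distribution(BIASED, 4)
    worst = max(biased4, key=biased4.get)
    print("biased die, most likely prefix:", worst, float(biased4[worst]))
```

The table itself adds no bias for a fair die, but it passes a biased die's skew straight into the bits.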
jr. member
Activity: 37
Merit: 21
December 22, 2023, 10:23:38 AM
The BIP 39 list of words are seemingly random words, in alphabetical order, numbered 0 to 2047. Each word represents an 11 bit number (eleven 0’s and 1’s).

how do you convert the 1 to 6 in a dice to 0 and 1 to get a seed word?
i assume you have to do 1 to 3 is a 0 and 3 to 6 is a 1. This makes like a coinflip.
