Pages:
Author

Topic: Are dices for generating seed words fair? - page 11. (Read 3469 times)

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 14, 2022, 08:35:48 AM
#47
why does it matter which way you do it, treating it as a string vs a number though?
SHA256 takes bytes as input. Each character from a dice rolls string takes 8 bits, whereas in a dice rolled number (integer with base 6), each character takes about 1.66 bits on average (1, 2, 3, 4 give 2 bits, while 5, 6 give 1 bit). Therefore, hashing a string would give you a false sense of security. For example, string "123456" is 6 bytes, but (123456)6 is 6*1.66 = ~9.96 bits. which is about 1 byte.

To think it more simply, in a string, each character takes up to 2^8 = 256 different values (00000000, 00000001 [...], 11111110, 11111111), but a dice roll can only give up to 6 different values. Therefore, a 128-bit random number doesn't have the same security as a 128-bit string that is consisted of 16 dice rolled characters.
legendary
Activity: 2268
Merit: 18771
October 14, 2022, 02:01:12 AM
#46
kind of like you.
Well, I appreciate the vote of confidence, but I still wouldn't recommend using dice rolls to generate a seed phrase. Even ignoring everything we have discussed above about randomness extraction and hash functions, dice are more likely to be biased than coins, are more likely to be thrown in a non-random way, it would be harder and take longer to detect that bias, and the statistical methods and tests required are more complicated. To test your dice are actually fair before using them would take longer than just using coin flips in the first place, and there are many more ways you could mess up your dice rolls than a simple heads = 0 and tails = 1 with a coin.

a byte is only 8 bits not 256 bits.
8 bits can have 28 = 256 different values.
sr. member
Activity: 1190
Merit: 469
October 13, 2022, 11:23:57 PM
#45


When you convert the result of a dice roll which is from 1 to 6 to a byte which is 256 bit (0 to 256) you are padding each value with unnecessary bits. I don't think there is any "security" issue with this method but it is just a strange way of doing things.
a byte is only 8 bits not 256 bits.
legendary
Activity: 3472
Merit: 10611
October 13, 2022, 10:58:29 PM
#44
That's a weird code! It basically generates the random bits but uses it as a string instead of binary! The computed hash is the hash of that string not exactly the same as using the bits directly. The developed possibly had no idea how to convert bits to bytes and compute that hash Wink
why does it matter which way you do it, treating it as a string vs a number though? i never seen anyone address that issue, why treating it as a number is better for some unknown reason. sha256 is sha256 whether you do it on a string or a number doesn't really matter.
When you convert the result of a dice roll which is from ~3 bits (1 to 6) to a byte which is 8 bit (0 to 256) you are padding each value with unnecessary bits. I don't think there is any "security" issue with this method but it is just a strange way of doing things.
sr. member
Activity: 1190
Merit: 469
October 13, 2022, 06:50:02 PM
#43
That's a weird code! It basically generates the random bits but uses it as a string instead of binary! The computed hash is the hash of that string not exactly the same as using the bits directly. The developed possibly had no idea how to convert bits to bytes and compute that hash Wink
why does it matter which way you do it, treating it as a string vs a number though? i never seen anyone address that issue, why treating it as a number is better for some unknown reason. sha256 is sha256 whether you do it on a string or a number doesn't really matter.

Quote from: o_e_l_e_o
Working in the medical field, I have become acutely familiar over the last 3 years with people who have no medical training, and indeed do not even comprehend just how little they understand, making wild, entirely unsubstantiated, and often downright impossible claims. I have seen it enough, and the dangerous outcomes such a self righteous Dunning-Kruger bias produces, to be alert to recognizing it in myself. I have no formal training or education in cryptography. I don't even have any formal training or education in any of the fields which underpin cryptography, computer science, mathematics, cybersecurity, programming, etc. I know a bit about these things, sure, but I am entirely self taught and I am under no illusion that what I do know barely scratches the surface of these fields. I know enough to know that I don't know nearly enough to start making up my own ad hoc entropy generation schemes.
honestly there is incompetence in every field. no matter what field it is. a paper degree is fine but it doesn't mean someone is 100% competent and should be trusted. that's all I need to say about that. but consider satoshi. maybe he just did bitcoin as a side project and wasn't a "professional cryptographer". still i'd trust him more than someone that all they had is some paper degree with that title that had done nothing in the real world. it seems like the people that get things done in this world are not people that have some little tiny area of expertise but people that know a little bit about alot of things and learn what they need to do get what they need to done. kind of like you.

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 13, 2022, 10:26:10 AM
#42
That's a weird code! It basically generates the random bits but uses it as a string instead of binary!
From what I can see, it takes the dice rolls as a string (e.g., "1642566[...]3231454"), converts the string into bytes, and performs SHA256 to that (as it can't do otherwise, you can only feed bytes to SHA256). In this code, encode() is used to convert the string into bytes.

Maybe not something better but maybe you're putting "full time cryptographers" on a bit of a pedastal. Exactly what is one of those? Do they work in some college and get paid to publish research papers?
Does it matter if they get paid to do research? Some do, some don't. It's pretty much of a fact that a cryptographer knows more than ordinary people know about cryptography.

[...]
Maybe a more secure approach for SeedSigner would be to generate the seed phrase in another way (e.g., Electrum), and have it imported later in SeedSigner. However, Electrum's standard for mnemonic isn't the one SeedSigner follows, that is the BIP39, and I'm not sure if just importing an Electrum seed phrase as a BIP39 would be equivalently secure.

At this point, I shouldn't be using SeedSigner, because it isn't as reviewed as Electrum is. That, alone, is enough in terms of security, but it's so confident and portable device, oppositely to a laptop. (And more secure as an idea, because information is transited in an airgapped way, with no external devices such as USBs)
legendary
Activity: 2268
Merit: 18771
October 13, 2022, 05:09:04 AM
#41
Maybe not something better but maybe you're putting "full time cryptographers" on a bit of a pedastal.
Working in the medical field, I have become acutely familiar over the last 3 years with people who have no medical training, and indeed do not even comprehend just how little they understand, making wild, entirely unsubstantiated, and often downright impossible claims. I have seen it enough, and the dangerous outcomes such a self righteous Dunning-Kruger bias produces, to be alert to recognizing it in myself. I have no formal training or education in cryptography. I don't even have any formal training or education in any of the fields which underpin cryptography, computer science, mathematics, cybersecurity, programming, etc. I know a bit about these things, sure, but I am entirely self taught and I am under no illusion that what I do know barely scratches the surface of these fields. I know enough to know that I don't know nearly enough to start making up my own ad hoc entropy generation schemes.

I just don't buy the story that you need a 10 year degree to be able to do something as simple as rolling dice...
Which is why I have advocated that if you want to generate your own entropy from a physical process, then to simply flip a fair coin 128/256 times (or more, using a von Neumann debiasing approach, if you can't be sure the coin is fair or you will flip it fairly), and turn that in to a seed phrase directly. Don't try to perform randomness extraction on a series of dice rolls when you've likely never even heard of that term before.
legendary
Activity: 3472
Merit: 10611
October 13, 2022, 12:58:34 AM
#40
there is one implementation of the function that takes the dice rolls as an input, and uses the SHA256 of that as a seed. SeedSigner.
That's a weird code! It basically generates the random bits but uses it as a string instead of binary! The computed hash is the hash of that string not exactly the same as using the bits directly. The developed possibly had no idea how to convert bits to bytes and compute that hash Wink

P.S. Using HMACSHA would be useful to combine entropies. For example if you don't want to rely fully on computer generated random or fully on user (dice) generated random you could generate both and  then compute HMACSHA256 of them using one as the key and the other as the message. I haven't seen anybody do this either though.
sr. member
Activity: 1190
Merit: 469
October 12, 2022, 05:29:16 PM
#39


A lot of full time cryptographers have spent a lot of time working on methods to securely generate entropy. I'm not crazy enough to think that I, with no formal cryptography training, will be able to come up with something better.


Maybe not something better but maybe you're putting "full time cryptographers" on a bit of a pedastal. Exactly what is one of those? Do they work in some college and get paid to publish research papers? If they dont publish they get fired, you know? So they're not exactly a neutral 3rd party when it comes to whatever topic they're writing about as for some of them they are doing it because if they didn't, they would get fired. Maybe some of them are doing it because they really have something to offer but I'm skeptical of any statement that says a normal person can't do as well. I just don't buy the story that you need a 10 year degree to be able to do something as simple as rolling dice...
legendary
Activity: 2268
Merit: 18771
October 12, 2022, 02:51:01 PM
#38
Computers won't ever generate that number in a range of [1, 2^256], even if it's random, because it doesn't look random.
There is exactly the same chance of it generating 827 as there is of it generating any other number.

Would you feel more confident if you had the dice rolls hashed by HMAC-SHA?
But HMAC requires a key and a message, which you don't have with a simple series of dice rolls. And no, I'm not suggesting we should use HMAC instead - I'm simply pointing out that there are gaps in your (and my) knowledge. When we often talk about not using closed source wallets because we can't know what they are doing, and we often talk about not coming up with your own encryption scheme for your back ups because you will almost certainly come up with something inferior or lock yourself out of your own wallets, then it doesn't make sense to advocate coming up with our own entropy generation schemes when we don't really understand the intricacies of what we are suggesting.

A lot of full time cryptographers have spent a lot of time working on methods to securely generate entropy. I'm not crazy enough to think that I, with no formal cryptography training, will be able to come up with something better.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 12, 2022, 09:47:28 AM
#37
827 is a random number.
To be precise, I meant a pseudo-random number. Computers won't ever generate that number in a range of [1, 2^256], even if it's random, because it doesn't look random.

My point is not that all SHA256 outputs are insecure, but rather you might very well generate one which is not nearly as secure as you think it is.
Okay, I now think I understand what you're saying. Yes. There's a chance it returns me a number that doesn't look random.

Correct me if I'm wrong, but I've never seen an expert say to feed some dice rolls to SHA256 and use the output to generate a wallet.
Depends on the expert. Is it a cryptography expert? If that's so, I don't know any such person who's designing software. If it's a software engineering expert, there is one implementation of the function that takes the dice rolls as an input, and uses the SHA256 of that as a seed. SeedSigner.

Both using HMAC-SHA(x), which is different from SHA(x).
Both of which, though, are hash functions. Would you feel more confident if you had the dice rolls hashed by HMAC-SHA?
legendary
Activity: 2268
Merit: 18771
October 12, 2022, 09:32:55 AM
#36
I refuse to accept that a random number once used as input in SHA256 gives non-cryptographically-secure result
827 is a random number. Its SHA256 output is not secure enough to use as a private key.

My point is not that all SHA256 outputs are insecure, but rather you might very well generate one which is not nearly as secure as you think it is.

but because experts say it.
Correct me if I'm wrong, but I've never seen an expert say to feed some dice rolls to SHA256 and use the output to generate a wallet.

Instead, it's a hash of the private key and the message.
Besides ECDSA signatures, the second half part of HD wallets is deterministic
Both using HMAC-SHA(x), which is different from SHA(x).

Is this in a manner of speaking? Who's Jim?  Tongue
https://www.youtube.com/watch?v=MULMbqQ9LJ8
sr. member
Activity: 1190
Merit: 469
October 11, 2022, 07:10:21 PM
#35
I refuse to accept that a random number once used as input in SHA256 gives non-cryptographically-secure result, not because I put myself above experts, but because experts say it. Take an ECDSA signature. In most Bitcoin wallets, value k is no longer generated using an RNG. Instead, it's a hash of the private key and the message.
if sha256 got broken, they could figure out your private key i guess. but if you used a k generated randomly that risk wouldn't exist.

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 11, 2022, 08:41:26 AM
#34
Then that alone should be enough to convince you that there is more to consider here than just inputting a string in to SHA256 and being happy that whatever it outputs is secure enough to use as your entropy source.
I refuse to accept that a random number once used as input in SHA256 gives non-cryptographically-secure result, not because I put myself above experts, but because experts say it. Take an ECDSA signature. In most Bitcoin wallets, value k is no longer generated using an RNG. Instead, it's a hash of the private key and the message.

Quoting the important part from RFC 6979 (which is the standard most such software follow):
But damn it Jim!
Is this in a manner of speaking? Who's Jim?  Tongue
legendary
Activity: 2268
Merit: 18771
October 11, 2022, 08:22:08 AM
#33
I don't understand much from the texts you've quoted
Then that alone should be enough to convince you that there is more to consider here than just inputting a string in to SHA256 and being happy that whatever it outputs is secure enough to use as your entropy source.

Numbers derived from a random number are considered pseudo-random, but they're treated as equivalently cryptographically secure.
What you are talking about here is randomness extraction. This is a whole field of study on its own, and is much more complex than simply "Use SHA256".

Whether you represent the seed with base 2, base 6, base 10, base 16 etc., it doesn't have a difference
Except that you've now introduced a modulo bias.

But damn it Jim! I'm a doctor, not a cryptographer! As I say, I do not know enough about this topic to give you a full technical explanation, and that alone is enough for me to know that I shouldn't be using such methods as my own ad hoc entropy derivation scheme. Maybe someone more knowledgeable can come along and explain that just taking a SHA256 of some dice rolls is actually perfectly safe, but I doubt it, and until then I'm not willing to gamble the security of my wallets and my coins on an untested method I know I don't fully understand.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 11, 2022, 06:23:10 AM
#32
[...]
I don't understand much from the texts you've quoted, but I know this: Hash functions can provide pseudo-randomness, and are used frequently in cryptographic applications for this purpose. Numbers derived from a random number are considered pseudo-random, but they're treated as equivalently cryptographically secure.

A long series of 6-sided dice results with values [1, 6] can provide the same randomness of a 36-sided dice, taken that they're tested properly. Whether you represent the seed with base 2, base 6, base 10, base 16 etc., it doesn't have a difference (and I don't think you're arguing against of that). Using the hash of the entropy as a seed should also make no difference, because as I said it's treated equally secure. You have to hash seeds and signature values either way in HD wallets.
legendary
Activity: 2268
Merit: 18771
October 11, 2022, 05:53:45 AM
#31
An alternative way to generate entropy, is to not use the sum of the outputs as the seed, but write down the dice results (1, 2..., 6) and SHA256 the output. That way, you can have a fixed number of dice rolls.
I wouldn't do this. I am by no means knowledgeable in this field, but I know enough to know that by using SHA256 as a randomness extractor like this you will almost certainly end up with much less entropy than you think you are achieving.

Here are a few relevant quotes from the original HKDF paper:
We end by observing that most of today’s standardized KDFs (e.g., [4, 5, 57, 40]) do not differentiate between the extract and expand phases but rather combine the two in ad-hoc ways under a single cryptographic hash function (refer to Section 8 for a description and discussion of these KDF schemes). This results in ad-hoc designs that are hard to justify with formal analysis and which tend to “abuse” the hash function, requiring it to behave in an “ideally random” way even when this is not strictly necessary in most KDF applications (these deficiencies are present even in the simple case where the source of keying material is fully random)]
Efficient constructions of generic (hence randomized) statistical extractors exist such as those built on the basis of universal hash functions [15]. However, in spite of their simplicity, combinatorial and algebraic constructions present significant limitations for their practical use in generic KDF applications. For example, statistical extractors require a significant difference (called the gap) between the min-entropy m of the source and the required number m′ of extracted bits (in particular, no statistical extractor can achieve a statistical distance, on arbitrary sources, better than 2-((m-m′)/2) [60, 63]). That is, one can use statistical extractors (with its provable properties) only when the min-entropy of the source is significantly higher than the length of output. These conditions are met by some applications, e.g., when sampling a physical random number generator or when gathering entropy from sources such as system events or human typing (where higher min-entropy can be achieved by repeated sampling). In other cases, very notably when extracting randomness from computational schemes such as the Diffie-Hellman key exchange, the available gap may not be sufficient (for example, when extracting 160 bits from a DH over a 192-bit group). In addition, depending on the implementation, statistical extractors may require from several hundred bits of randomness (or salt) to as many bits of salt as the number of input bits.
However, there is little hope that one could prove anything like this for regular cryptographic hash functions such as SHA; so even if the assumption is well defined for a specific hash function and a specific group (or collection of groups), validating the assumption for standard hash functions is quite hopeless. This is even worse when requiring that a family of hash functions behaves as a generic extractor (i.e., suitable for arbitrary sources) as needed in a multi-purpose KDFs.

There is a lot more to securely generating entropy than just feeding what you think is a long enough, random enough string in to a SHA256 function and being happy with the output. I would stick to either /dev/urandom, or a physical process which can generate your entropy directly, such as flipping a coin. Anything beyond that introduces too many possibilities for error, many of which the average user is completely oblivious to the very existence of.

As I said previously in this thread, just rolling some dice and using the output without even thinking about your min-entropy among other things (if you've even heard of these terms at all) is a recipe for disaster.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 11, 2022, 03:07:37 AM
#30
an 8-sided or 4-sided dice would convert better into a binary number than a 6 sided one since they are power of 2.
In which way, other than speed, is it going to better to use an 8-sided dice over a 6-sided one? Yes, 8 is 23, and can return all binary values between 000 and 111. In 6-sided dice, you have [0, 1, 00, 01, 10, 11]. An alternative way to generate entropy, is to not use the sum of the outputs as the seed, but write down the dice results (1, 2..., 6) and SHA256 the output. That way, you can have a fixed number of dice rolls.
sr. member
Activity: 1190
Merit: 469
October 10, 2022, 08:09:30 PM
#29
Interestingly, you can use a simple mobile phone camera pointed at an LED to create a true random number generator using this process: https://physicsworld.com/a/how-to-make-a-quantum-random-number-generator-from-a-mobile-phone/.


Who is "you" though? Someone in a research lab with access to exotic hardware and custom made software? No one on this forum is going to be able to duplicate that. the article doesnt explain how to do it yourself. so it is really of no use. got any do it yourself options?

Quote from: death_wish
2. 6-sided dice rolls output results from a uniform random distribution.  If your dice are physically perfect, you do not need any fancy-pants entropy extractor.  Assuming unbiased dice, you can use a simple algorithm to transform your base-6 dice rolls into uniformly distributed binary numbers, without modulo bias.
an 8-sided or 4-sided dice would convert better into a binary number than a 6 sided one since they are power of 2.  with a 6-sided dice you have to do some type of reduction like let even numbers be 1 and odd numbers be 0.  might as well just be flipping a coin. you can't just use the numbers as displayed. and convert them to their binary form. 
member
Activity: 70
Merit: 320
Take profit in BTC. Account PnL in BTC. BTC=money.
There is an analog method of using 2 or 3 dice rolls to "unbias" any biased dice rolls. Then you can use that as your RNG. Of course, for 256 bit equivalent, instead of rolling 100 times, you would roll 200 or 300 times. Or more. Not sure of the math.

Footgun alert!

Here is a complementary idea: mix the result

Extending the proposal: Use the hash function thousands of times. Not only you ensure that a dice bias isn't enough to betray you, but you also make it much harder for an attacker to find your entropy.

...

Recommendations:

3. Read the HKDF paper, to better understand the “extract and expand” model.  Not that it’s the canonical source of all wisdom:  I simply find it a good guide to start learning about this subject matter.  Then, review the literature about entropy extractors.  You are seeking an entropy extractor, without knowing what you seek.

2. 6-sided dice rolls output results from a uniform random distribution.  If your dice are physically perfect, you do not need any fancy-pants entropy extractor.  Assuming unbiased dice, you can use a simple algorithm to transform your base-6 dice rolls into uniformly distributed binary numbers, without modulo bias.  At this point, you will probably mess it up and utterly annihilate your own security; so...

1. Leave cryptography to the cryptographers.  Seriously.  Please.  For your safety and the safety of others.

Generating your own random numbers is low-level crypto.  >99% of programmers should never, ever touch low-level crypto directly.  This is not to insult your intelligence:  The smartest programmers in this space all either study up on their cryptography, or leave cryptography to the cryptographers.  Studying cryptography takes lots of smarts; knowing the limits of your own knowledge also takes lots of smarts.

(I am not a cryptographer.  You will see security wonks who are not cryptographers say this often:  I am not a Real Cryptographer(TM).  But at least, I am aware of entropy extraction, probability distributions, etc.; and I know enough cryptography to know that “a little knowledge is a dangerous thing”!)


I don't agree with the premise that dice will be "random enough" without testing that. If you don't trust the randomness of your OS, which has been designed, built, and tested by experts in the field of cryptography, and want to do things manually, then just picking up a bunch of random dice and shrugging your shoulders is irresponsible. If you don't test your dice, how can guarantee your min-entropy is sufficient? How can you guarantee your Shannon entropy is sufficient? How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?

Keywords that I have rendered in bold indicate that this is someone who will not be blowing his own security away with a random footgun.

But I doubt that the quality of randomness from physical dice is the problem here.  The problem is that people who don’t even know the difference between min-entropy and Shannon entropy tend to destroy their own security by fetishizing “true randomness” or “physical randomness”.  A belief that randomness from physical dice is somehow better than CSPRNG output is itself a warning sign that someone should not mess with random number generation.

Random number generation is subtle and counterintuitive.  Get it just a little bit wrong, and you don’t even know that you just wrecked your security:  Everything still works, and everything still looks just fine to you.  Please, people, use a CSPRNG designed and implemented by cryptographers!
Pages:
Jump to: