Pages:
Author

Topic: Are dices for generating seed words fair? - page 12. (Read 3467 times)

legendary
Activity: 2268
Merit: 18771
You might be interested in reading this: https://en.wikipedia.org/wiki/Bell%27s_theorem

Essentially, Bell's theorem proves that quantum mechanics is not influenced by "local hidden variables". That is to say, there are not things happening which we are either unaware of or cannot measure which are influencing the outcome of quantum events. As such, certain quantum mechanical events can be said to be truly random.

The most common example of this is radioactive decay: https://en.wikipedia.org/wiki/Nuclear_decay
Another example is shot noise: https://en.wikipedia.org/wiki/Shot_noise. Interestingly, you can use a simple mobile phone camera pointed at an LED to create a true random number generator using this process: https://physicsworld.com/a/how-to-make-a-quantum-random-number-generator-from-a-mobile-phone/.

Also interestingly, like bitcoin mining, these processes follow a Poisson distribution.
legendary
Activity: 2212
Merit: 7064
Nor RNG, nor TRNG really exist and will never exist, maybe I'm wrong but I have a different opinion, let me make it clear.
Not maybe, you are certainly wrong with your statement and I have to say that this is not philosophy class or new age mambo jumbo, it's just math.

Let's drop a coin from the top of one world trade center and who guesses the coin toss is the winner. Let's say you win and you'll probably say that you are lucky but wait, what about if I say that I did it so?
Let's say if your drop that coin from same world trade center but you do it 100 or 200 times, this is what we are talking about, not just one time flip of a coin.

That's why I think that randomness exists only subjectively within the minds of individuals and we call it randomness when something happens and we completely ignore the correlation, not even trying to truly find it.
Everything exists within the mind of individuals and you can't function in the world without mins, but I will repeat again, this is MATH and if result can be repeated that means it's not truly random.
That is why we saw fake Trezor devices showing up recently that create fake random seed word generation, that can be repeated and exploited my malicious actors.
I think that you don't really understand anything about this subject, and I am not saying that I am expert in any way.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Absolutely everything that happens is the result of absolutely everything that happens during the existence of the world, i.e. everything that happens is the result of the infinite past events.
That doesn't matter since you can't know the exact past events.
But the term still matters, we can't call it "True Random" but Random, yes, you are right until we understand it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Absolutely everything that happens is the result of absolutely everything that happens during the existence of the world, i.e. everything that happens is the result of the infinite past events.
That doesn't matter since you can't know the exact past events.
Off the top of my head I'm thinking of:
In quantum mechanics, the uncertainty principle (also known as Heisenberg's uncertainty principle) is any of a variety of mathematical inequalities[1] asserting a fundamental limit to the accuracy with which the values for certain pairs of physical quantities of a particle, such as position, x, and momentum, p, can be predicted from initial conditions.
The butterfly effect, an underlying principle of chaos, describes how a small change in one state of a deterministic nonlinear system can result in large differences in a later state (meaning that there is sensitive dependence on initial conditions).
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
But unless you're talking about bad RNG or specific device environment, you can't simply reproduce it. For example, /dev/random and /dev/urandom use both hardware, user input and other source as entropy.
You can reproduce it, but if you are fine with that risk, go for it and use it.
RNG is not truly random, period, otherwise people won't waste all that time, money and research to create and use TRNG.
Nor RNG, nor TRNG really exist and will never exist, maybe I'm wrong but I have a different opinion, let me make it clear.
Absolutely everything that happens is the result of absolutely everything that happens during the existence of the world, i.e. everything that happens is the result of the infinite past events.
Let's drop a coin from the top of one world trade center and who guesses the coin toss is the winner. Let's say you win and you'll probably say that you are lucky but wait, what about if I say that I did it so? The size of coin, the weight of coin, the height, the resistance, the gravity, me and my hand's movement, all of this in cooperation made the final result? If we would change the weight of the coin by one mg, wouldn't it affect that result? If we would change the size of coin, wouldn't it affect that result? If I move my hand one mm higher, wouldn't it affect the result? Sure it would, so how can we call it a truly random result?
True randomness doesn't exist, even if I go outside and big block falls on me, this happened because: Every past action of me, you and everyone led me to come to this moment, my mind that was matured from past events and the language I speak in my head and the very last moment and movement of my legs made me to go outside for that second moment and the obsolescence of concrete in that block was becoming severe and severe and when the last chain of atoms got separated, it felt down. At the same time, if someone wouldn't invent concrete block, this event wouldn't happen but also wouldn't happen other past events and probably I wouldn't exist. If the builder would use a little bit more cement, maybe this wouldn't happen. If the builder would put that concrete 1 minutes later, maybe this wouldn't happen. Do you understand what I mean?

That's why I think that randomness exists only subjectively within the minds of individuals and we call it randomness when something happens and we completely ignore the correlation, not even trying to truly find it.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
go to walmart or amazon or even your local board game store / big mall. Look for dice sets. Roll them a thousand times each. That's basically your test. It's not perfect, it does not guarantee anything, but you have an idea if the dice are biased or not.

Make sure to roll them for more than 2 seconds and it hits or bounces off something. If you have a shoe box or shaker cup, shake it for 2 seconds. Casinos that play dice games where you are not allowed to touch the dice have some mechanism to bounce the dice 3 times and you can just look at it from behind the glass.
legendary
Activity: 2212
Merit: 7064
But unless you're talking about bad RNG or specific device environment, you can't simply reproduce it. For example, /dev/random and /dev/urandom use both hardware, user input and other source as entropy.
You can reproduce it, but if you are fine with that risk, go for it and use it.
RNG is not truly random, period, otherwise people won't waste all that time, money and research to create and use TRNG.

While it's far cheaper than 10 years ago, it's still not cheap on many parts of the world.
I don't know if someone is living as homeless gipsy, but even they can afford to buy 3d printer today for $100 or even cheaper if it's used.
They can later offer services to 3d print stuff for other people, earn all money back and even make profit.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Except I do most of the above.
That's the spirit. I'm just pointing out how falsely it is to use this phrase. For example, I rarely look into Bitcoin Core and there's no way I'll ever look into Linux Mint, which means I take the devs' word for it. I've verified ThomasV's signature, I'm running my own node, I'm using an open-source OS, there's no way I trust my savings to a reckless system.

I can say it out loud to not trust, but to verify; but to an extent.
legendary
Activity: 2268
Merit: 18771
Sure, don't trust; verify!, but you're nuts if you do all of the above.
Except I do most of the above. And if I'm spending hours and hours on verifying software, running a node, examining code, running airgapped set ups, running live OSs, creating secure back ups, and all the other things I do maximize my security, then it is unforgiveable that I wouldn't spend 10 minutes to check a die is fair before using it to generate a wallet.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Relative thread: How can you verify the randomness that's coming from a hardware?

Don't trust; verify.
There are different levels of trust, though.

You don't like trusting banks? Use bitcoin. Less trust? Run your own full node to verify that what you're viewing is true. Less trust? Verify the authenticity of your wallet software, to avoid being a hacker's victim. Less trust? Learn the programming language(s) the wallet software is written to and check every single line of the source code, to verify that the developers aren't dishonest. Less trust? Use an open-source OS. Less trust? Do the same procedure for the source code of it. Less trust? Be your own RNG.

Sure, don't trust; verify!, but you're nuts if you do all of the above. And you still have to trust your coding skills.  Tongue
legendary
Activity: 2268
Merit: 18771
The main difference is that I can easily verify a dice is (more or less) random
Yes, but only if you actually verify it. Just trusting that "Well, this die is probably good enough" is, well, not good enough. That approach is fine for a game of Dungeons and Dragons or Monopoly, but not for generating a bitcoin wallet.

Don't trust; verify.
legendary
Activity: 2212
Merit: 7064
Personally, while it might be something to consider, I don't think checking if your dice are weighted perfectly is something that's totally necessary. If you are going to be generating a seed with dice, then just make sure you're throwing at a different angle, and intensity every time.
This is not enough, and why would you use anything that is not fair and verified from beginning in the first place.
For truly random results you need random tools that is not dependent on your arm angle or intensity you throw them.

You want to make sure that the final key/seed you produce is not affected by any kind of bias then generate your entropy using the dice then generate another entropy using another source (easiest is using a computer RNG) and then mix the two results.
It could be a simple computation of HMACSHA256 to derive a 256 key (used as a private key or a seed to BIP39/32) where one entropy is your key and another is your message.
That is something like Trezor hardware wallet is doing, I don't like it and I think it's not good enough.
Computer RNG is not truly random, so I don't see any point in mixing random stuff with non-random, you are probably just reducing randomness.

Cool idea. But since since most people don't have 3D printer, i'll just stick to OS RNG and optionally my mouse movement.
fyi OS RNG is not generating true random result and it can be reporduced.
3d printers are very cheap today, and you can print anything locally even if you don't own one.

I'm all for paranoid security, but isn't this too much unnecessary? Even if your dice isn't perfect, and even if it throws a 6 for 20% of the time, there's no way someone is going to reproduce your results to get your private key.
I think we all saw movies and documentaries with weighted dices used for cheating, and testing if you dices are balanced is trivial job.
It's not like you have to put aluminum thin foil and fo complex math equasion to do it.

Just go buy casino dice. They are clear so you can see inside and through, and the ones that actually are used or come out of casinos have been "tested".
I wanted to order those clear dices and I found one cheap online, but than I found more information about this dice caliper.
There are some big shipping delay now from China, so I am not sure I could wait for them to arrive, but I would like to see if they are actually balanced or not.
I don't want to wait for hours waiting for computer that just can't generate true randomness that can't be reproduced.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
If you don't trust the randomness of your OS, which has been designed, built, and tested by experts in the field of cryptography, and want to do things manually, then just picking up a bunch of random dice and shrugging your shoulders is irresponsible. If you don't test your dice, how can guarantee your min-entropy is sufficient?
The main difference is that I can easily verify a dice is (more or less) random, but it's very difficult to verify any wallet doesn't produce a pre-recorded seed. The wallet is a black box, while the dice has a very obvious "user interface".
legendary
Activity: 2268
Merit: 18771
I don't agree with the premise that dice will be "random enough" without testing that. If you don't trust the randomness of your OS, which has been designed, built, and tested by experts in the field of cryptography, and want to do things manually, then just picking up a bunch of random dice and shrugging your shoulders is irresponsible. If you don't test your dice, how can guarantee your min-entropy is sufficient? How can you guarantee your Shannon entropy is sufficient? How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?

I see this as similar to people who don't double check addresses and fall victim to clipboard malware. If you are planning to use dice to generate a super secure offline wallet, then you can spend 10 minutes to ensure those dice are fair. If you don't want to do that, then you should use something like a von Neumann debiasing approach, but given its inherent inefficiency, you'll probably end up rolling more dice than if you just tested whether your dice are fair to start with.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
As an interesting project or experiment, go do a thousand dice rolls (which is good for 10 seeds) and track the results. I mean, write down how many got 1 and how many got 6, and everything in between.

You should be able to see a pattern, or if there is no bias then you should be able to see that each number is about 1/6 of a thousand. Basically 166 for each number, more or less. Since it is random, you might get 200, you might get 100, but the more rolls you do, the more each number will approach the 1/6 of xxxx.

If you have more than one dice, you'll have to do it for each one, or you do it as a whole for all of them. Since I have a hundred actual physical dice of different colors, I wouldn't even bother to check if each one is "fair" or square. I'd go measure the whole thing (in this case, roll them all at once, 10 times.)

That should be a fun afternoon... "Papa, why are you rolling dice but not playing any game?"
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But how are you going to known your dice is "safe enough" unless you test it?
I must admit it was based on an assumption, but given my own personal experience, I think I can affirm this statement:
Most dice, even low quality ones, are random enough

In your example of a dice which rolls a six 20% of the time, then you reduce the min-entropy of each dice roll from 2.585 bits to 2.322 bits. That's 0.263 bits per roll. Might not seem like much, but over 50 rolls, that becomes significant.
My point was that 20% is a huge deviation, much larger than any real flaw in a simple standard dice. So I personally wouldn't worry about someone brute-forcing my 100 dice throws.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Just go buy casino dice. They are clear so you can see inside and through, and the ones that actually are used or come out of casinos have been "tested".

Most dice, even low quality ones, are random enough, particularly if you are going to roll them a hundred times to generate a private key or a seed or something. Besides, you'll only do this once (or very few times.)

There are coin flips, shuffled decks of cards, and dice. Dice are a cheap method, if rather inconvenient.

If you plan to generate a whole bunch of random numbers, you might want to go with hardware RNGs; there are some you can plug into USB ports and are basically the equivalent of rolling dice continuously.

If you are going to make a seed phrase or use something like Electrum on an offline / airgapped machine, the OS takes care of all that for you, just leave the device running for a few hours, maybe a day or two, so it can collect entropy before generating the cold wallet.
legendary
Activity: 2268
Merit: 18771
Even if your dice isn't perfect, and even if it throws a 6 for 20% of the time, there's no way someone is going to reproduce your results to get your private key.
But how are you going to known your dice is "safe enough" unless you test it? Perhaps it throws a six 40% of the time instead. If you ended up with a string with more sixes than you expect, how do you know if it is just random chance or if your dice is flawed?

In your example of a dice which rolls a six 20% of the time, then you reduce the min-entropy of each dice roll from 2.585 bits to 2.322 bits. That's 0.263 bits per roll. Might not seem like much, but over 50 rolls, that becomes significant.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I'm all for paranoid security, but isn't this too much unnecessary? Even if your dice isn't perfect, and even if it throws a 6 for 20% of the time, there's no way someone is going to reproduce your results to get your private key.
legendary
Activity: 2268
Merit: 18771
Now i wonder how many throw deemed enough for comparison between 2 dices. I wouldn't bother throw 100 times for each dice.
You wouldn't need to roll both dice - you assume the fair die would produce a perfect spread of results given enough rolls, so 1/6th one, 1/6th two, and so on.

To test a die against this ideal, then you would want to use a Chi Squared test. Very simply, the steps would be:
  • Roll the die x number of times
  • Record how many times each number (from 1 to 6) shows up
  • For each number, calculate the difference between how many times it actually showed up and how many times you would expect it to show up (which would be x/6)
  • Square this number
  • Divide the result by the number of times you would expect it to show up (x/6)
  • Add up the 6 results to find your Chi Squared value
  • Look up your result in a Chi Squared look up table (with 5 degrees of freedom for a 6 sided die), such as this one: https://people.richland.edu/james/lecture/m170/tbl-chi.html

The closer your Chi Squared result is to zero, the better. So, for example, at 5 degrees of freedom and a critical value of 0.10, that means that a fair die would produce a Chi Squared value of higher than 9.236 on only 10% of trials.

Now, this requires a minimum of 5 expected observations per possibility, so 30 rolls for a 6 sided die. But there fewer rolls you use, then the less certainty you have and the less likely you are to detect any bias, particularly small bias. I would be rolling at least 100 times to have a reasonable amount of certainty.
Pages:
Jump to: