Are dices for generating seed words fair? - page 2.

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: testingelcrypto on December 22, 2023, 10:47:52 AM

So this is always a 50% 50% making that dice like a coinflip. Am i thinking right?

Well.. no. That's the case only if the dice is completely unbiased (which is never the case). If, say, {1, 2, 3} have 20% each, then {4, 5, 6} have 13.3% each. This will produce the same result as a coin that is 60% heads and 40% tails.

It doesn't make sense to roll a dice as if you're tossing a coin; toss the coin in the first place using von Neumann's method. It will eliminate any bias and produce theoretically complete randomness.

testingelcrypto

jr. member

Activity: 31

Merit: 14

Quote from: BlackHatCoiner on December 22, 2023, 10:41:17 AM

As I have showed in here, a dice that produces near 1 bit of entropy is understandably insecure from the human eye. You can check out how frequent '1's I have got with 75% frequency, it makes a splash. And that's 1.29, with 1 bit it's even more clear that you shouldn't use that dice.

a perfect dice doesnt show 1 bit. what i mean is :

a word in the bitcoin seed is something like this : 00011111101

By using a dice i assume people have to say: if dice comes 1 to 3 i will choose number 0 if dice come to 4 to 6 choose number 1

So this is always a 50% 50% making that dice like a coinflip. Am i thinking right?

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: ?? on ??

does anybody really trust casino dices?

It is said that casino dice is the most fair piece of dice.

Quote from: testingelcrypto on December 22, 2023, 10:22:30 AM

is the entropy for a die really over 1 bit? if the seed its all zeros and one even if the die has 6 faces its always 50% 50% because we will have to do something like from 1 to 3 choose ZERO from 4 to 6 choose ONE.

As I have showed in here, a dice that produces near 1 bit of entropy is understandably insecure from the human eye. You can check out how frequent '1's I have got with 75% frequency, it makes a splash. And that's 1.29, with 1 bit it's even more clear that you shouldn't use that dice.

testingelcrypto

jr. member

Activity: 31

Merit: 14

is the entropy for a die really over 1 bit? if the seed its all zeros and one even if the die has 6 faces its always 50% 50% because we will have to do something like from 1 to 3 choose ZERO from 4 to 6 choose ONE.

testingelcrypto

jr. member

Activity: 31

Merit: 14

Quote from: o_e_l_e_o on October 15, 2022, 03:15:28 AM

Depends how certain you want to be that your coin is fair. You can never be 100% sure your coin is fair, but you can asymptotically approach 100% with increasing confidence of ruling out ever smaller biases. For example, to exclude a 55/45 bias with 99% confidence, you would need to flip the coin 664 times. However, to exclude a 51/49 bias with 99% confidence, you would need to flip the coin 16,589 times.

A more practical approach would be to simply use the von Neumann approach I alluded to above. Take any coin and flip it in twice. If the first flip is heads and the second flip is tails, write down 0. If the first flip is tails and the second flip is heads, write down 1. If the two flips are both heads or both tails, don't write down anything. Repeat until you have 128 zeros or ones written down. This method completely eliminates any bias in the coin and produces a uniformly distributed output. It will require a lot less flips than any method to test whether or not your coin is actually fair.

Is this really necessary ? A coin that flips 0.75 heads and 0.25 tails still has 0.81 entropy. just flip it 156 times to be sure you have a good seed phrase. And if you are paranoid go for 200 flips and you are good to go. You only get cracked if the coin is really a bad coin where it goes tails only less than 15% of the time.

Do you agree?

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: testingelcrypto on December 21, 2023, 10:54:16 PM

after reading more about the subject i come to the conclusion that dice rolling is better even if i dont use fair dice.

It is faster, and most likely sufficient if rolled enough.

Quote from: testingelcrypto on December 21, 2023, 10:54:16 PM

Am i thinking correct?

Yes, if you roll it 100 times, then even if it seems completely biased towards 1, it will generate enough entropy. That's the Shannon equation for measuring uncertainty.

I have demonstrated it in here. The probability of a number being 50%, and the rest 5 being 10% each, still gives 2.16 bits of entropy on each roll, which is 0.42 less than in a completely unbiased dice, but enough nevertheless if you simply roll it a few times more.

It simply takes time to verify that the dice won't fare worse than that. In contrast, coin flipping using von Neumann's method necessitates no precautionary measures.

testingelcrypto

jr. member

Activity: 31

Merit: 14

after reading more about the subject i come to the conclusion that dice rolling is better even if i dont use fair dice.

i used this calculator https://planetcalc.com/2476/ and i found that a die that comes 50% number 1 and the rest of numbers just 10% if i roll it 100 times i still get 216 bits of entrupy.

Am i thinking correct?

testingelcrypto

jr. member

Activity: 31

Merit: 14

i couldnt read all the answers and from what i read i cant still say if rolling dices is safe.

Seedsigner has that feature do you think someone who uses that for a 24 word seed with 5 dices and 1 coin like this protocol says : https://bitbox.swiss/blog/roll-the-dice-generate-your-own-seed/ gets a seed impossible to crack?

albert0bsd

hero member

Activity: 828

Merit: 657

Quote from: BlackHatCoiner on November 02, 2023, 03:28:11 PM

This particular command can generate uppercase and lowercase hexadecimal characters. You wouldn't want to do that. You should replace "[:xdigit:]" with "0-9a-f".

Thank you, yes it seems a little weird, i already edited that post to add two varians "a-f0-9" lowercase and "A-F0-9" personally I preffer uppercase.

Quote from: LoyceV on November 03, 2023, 05:18:01 AM

Bookmarked (and edited to 40 characters in my quote).

Yep 40 characters is my personal choice too, i never did the calculation before this post, but 40 characers are more than 256 bits, actually it is 262 bits

Code:

>>> 94**40
8416163114342587184481256383580844806830463920246539841882654902287234106392576
>>> 2**256
115792089237316195423570985008687907853269984665640564039457584007913129639936
>>> 94**40 > (2**262)
True
>>> 94**40 > (2**263)
False

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: albert0bsd on November 02, 2023, 02:55:23 PM

A password

Code:

< /dev/urandom tr -cd "[:graph:]" | head -c 40 ; echo

Bookmarked (and edited to 40 characters in my quote). This is faster than my password manager, although I'd still need that to store it. I like shell commands

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: albert0bsd on November 02, 2023, 02:55:23 PM

A privatekey

Code:

< /dev/urandom tr -cd "[:xdigit:]" | head -c 64 ; echo

Two things to be noted in here, for educational purposes.

The maximum value for a Bitcoin private key is a little less than 2^256-1, which is the maximum number this Unix command can return. Generating a private key using a regular Unix command isn't advisable.
This particular command can generate uppercase and lowercase hexadecimal characters. You wouldn't want to do that. You should replace "[:xdigit:]" with "0-9a-f".

albert0bsd

hero member

Activity: 828

Merit: 657

Wow, nice to know thank you they look more clean i am going to start to using them.

In any case it need the extra echo command to add a carriage return

A password

Code:

< /dev/urandom tr -cd "[:graph:]" | head -c 20 ; echo

A privatekey (hex upppercase)

Code:

< /dev/urandom tr -cd "A-F0-9" | head -c 64 ; echo

A privatekey (hex lowercase)

Code:

< /dev/urandom tr -cd "a-f0-9" | head -c 64 ; echo

About the amount of entropy you are right 20 characters are enough for more than 128 bits, Check:

Code:

>>> 94**20
2901062411314618233730627546741369470976
>>> 2**128
340282366920938463463374607431768211456
>>> 94**20 > 8* 2**128
True
>>> 94**20 > 9* 2**128
False

Actully it is 8 times more than 128 bits

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: albert0bsd on November 02, 2023, 10:17:52 AM

And here is my password generator snippet for bash

Nice. That's almost the exact same command that I use: https://bitcointalksearch.org/topic/m.63006181

Instead of listing all the characters, you can just use [:print:] for the set of 95 printable ASCII characters, or [:graph:] to exclude space. And with a character set of either 95 or 94, then a length of 20 characters still provides more than 128 bits of entropy.

albert0bsd

hero member

Activity: 828

Merit: 657

Quote from: ?? on ??

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom.

I did it for the FreeBSD kernel and I can tell you guys that the urandom device on that system is very secure, unless you can broke any AES256 cypher text

I post something about that on twitter: https://twitter.com/albertobsd/status/918201595921403904

I haven't done that for the Linux Urandom for i think that it is very similar.

About the Linux urandom you should read this link: https://www.2uo.de/myths-about-urandom/

And here is my password generator snippet for bash

Code:

?@[\]^_`{|}~' | head -c 40 ; echo

Here is a privatekey generator:

Code:

Example:

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: LoyceV on November 02, 2023, 05:34:19 AM

You can have both: just add two random numbers (and wrap around the maximum).

You have to be very careful with such an approach not to introduce a modulo bias. And given most people probably don't even know what this is, I wouldn't recommend this method. A better approach would be to take two bit strings the same length as your entropy and XOR them.

But again, this is all adding needless complexity which simply increases the risk of the user doing something wrong and ending up with an insecure wallet. Just use dev/urandom. If you can't verify it and don't trust it, then flip a coin with von Neumann's. Done.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: ?? on ??

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom.

Let's be realistic: how many people actually do that? And even if you do, there's far too much software to be able to check everything.

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: ?? on ??

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom. Although if you mean directly check or inspect how specific data is generated while knowing exact input was used, AFAIK it's very difficult task.

I meant that you cannot be 100% certain you don't use malicious / backdoored hardware. And even if you do, it's much more difficult task than tossing a coin.

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: LoyceV on November 02, 2023, 05:34:19 AM

You can have both: just add two random numbers (and wrap around the maximum).

You can do a host variety of things if you're creative, but it'd be an overdose. Just toss the coin, simple and tested.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: BlackHatCoiner on November 02, 2023, 05:25:16 AM

It might be more than enough in terms of entropy, but it is horrible in terms of verifiability.

You can have both: just add two random numbers (and wrap around the maximum). That way you have both: one part that's more than good enough on a cryptographic level, and one part that you can verify and do whatever you want with.

Example: I want a random number from 1 to 256. I use random.org to generate 159. I flip a coin 8 times: 10111001. That's 185. Add them, and subtract 256: I get 88. As long as at least one of my 2 inputs is random, my end result is random too.

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: dkbit98 on November 01, 2023, 06:51:26 PM

Video is less than 10 minutes long:
https://www.youtube.com/watch?v=oj_W3xOlt6U

Good watch. Coldcard shouldn't allow anyone to create a wallet with just a dice roll. Or, if they really felt they want to give the option for the user to test dangerous stuff, then maybe create a security option defaulted to true. Or maybe just show a proper warning -- "Your funds aren't safe with x dice rolls, are you sure you want to continue?". Anything below 50 is insecure, because even for a completely unbiased dice, 49 rolls give less than 128 bits.

Quote from: ABCbits on October 31, 2023, 07:00:05 AM

But on serious side, /dev/urandom is more than enough.

It might be more than enough in terms of entropy, but it is horrible in terms of verifiability.

Topic: Are dices for generating seed words fair? - page 2. (Read 3342 times)