Topic: Are dices for generating seed words fair? - page 6. (Read 3342 times)

there's a movie where they microprinted some information into the eyeball of some person on a postage stamp. there was like 4 or 5 stamps on the envelope but only one of the eyeballs had the microprinting in it.  

yeah, that would be very dumb indeed.

Me crossing off all of those ways since they are now public knowledge... The first place someone is going to be looking now that you've mentioned it not only here but probably elsewhere.


Well and here's the thing. Those are all fine and dandy ways of hiding somethhing IF

#1) you don't end up forgetting about what things you have hidden and where. if you end up forgetting where you hid it, then you are pretty much never going to want to move out of your house! so what you'll have to do is record where you hid it. and then keep that record safe as you would your own private key which kind of defeats the entire purpose of the entire thing in the first place since just record your private key instead of its location.
#2) say you move out of the house and forget to bring it with you and maybe someone is doing some home maintenance then they find what you hid. your private key has now been revealed. there's a much greater chance of that than someone brute forcing it using a computer.

This is an interesting idea, but very few people have the equipment or expertise needed to do this. And of course you should never even considering asking a professional or other third party service to do it for you.

There are plenty of ways to hide a seed phrase in your house which would make it near impossible to be found. A favorite of mine that I've talked about before is to hide it in the house itself. Unscrew an electrical socket or a light fitting and hide it in your wall or ceiling. Pull up a carpet and a floorboard and hide it under there. Take a door off its hinges, cut a little hole out of the bottom of the door (the thin side against the ground) and hide it in there. Or if you want it on metal, then use a flat plate and screw that plate on to some wooden beams or similar so it blends in with your foundations, roof truss, or similar. All of these are incredibly easy to do with the most basic of tools. A thief is never going to find these unless they have a week to systemically take apart your entire house, and if that's happening, then you've probably got bigger things to worry about.

which is why that method is not useful. which is why steganography really isn't useful. unless you're willing to zip up your image files which introduces the possibility of corruption...and then can't use image storage services.

what about printing your seed phrase in a microscopic size so that it could only be viewed under high magnification? that seems like a cool method but kind of technically challenging. you could then have it lying around anywhere and the worst thing that could happen is it gets lost.

Again, agree to disagree. If you want to use a kids' toy to generate private keys then no one can stop you, but it is not a method you should be recommending to anyone else.

Except you can never have a physical back up, only a digital one. And what if your OS automatically resizes the picture? Or what if your cloud storage compresses it? Or chooses a different color encoding scheme? Or converts the format? Or even so much as changes the metadata. Any of these things, most of which you probably wouldn't even notice happening, will result in your back up being useless and impossible to recover.

If you don't like a seed phrase lying around, then either hide it better, encrypt it, or use it as part of a multi-sig or passphrased set up so it is useless on its own.

The only reason I can think of to create your own solution, is so you can hide it in plain sight. I've never felt completely secure with seed phrases laying around, but I can think of many different ways to come up with my own entropy source.
Example: I take a picture. That's 12 million pixels, each with 16 million color options. Even though none of it is very random, I'm pretty sure it contains much, much more entropy than 2²⁵⁶. I could even use only the last 100,000 bytes of the JPG as input to produce a hash, and store the picture with all my other pictures (including backups, of course) without ever worrying about it.
Disclaimer: I haven't tried this, and most people probably shouldn't attempt it.

absolutely not true. you can measure the sizes and weights of the balls and any other characteristics you deem important if you like to see if they are within a close enough specification of each other. that eliminates the need to actually go through "millions" of trial runs. if you're paranoid you can do all of that. i'm not that paranoid. i realize that for the intents and purposes of creating bitcoin private keys the setup i have is more than random enough. it's just common sense. now if everyone in the whole world was using MY machine to generate their seed phrase well maybe then a bit more formal testing, as I have alluded to, would be more preferable. but even then it would perform that function just fine. generating millions if not billions of seed phrases and there would be no security issue whatsoever. that's just how it is. i know you disagree. but that is the truth.

No, it isn't worth it. As I calculated earlier in this thread, you are looking at over 16k flips to be relatively sure of excluding a bias from a coin flip, which has 2 possible outcomes. The number of runs to exclude bias from a bingo ball machine with 75 balls would number in the millions. Absolutely not worth it.

People coming up with their own methods of generating keys, backing up their seed phrases, creating difficult to access wallets, etc., is a leading cause of people losing their coins. Just because someone hasn't done something before, does not mean it is worth doing it nor that it is a good idea.

No, I don't. You are attempting to create a solution for a problem which doesn't exist. We already have easy, simple, quick, and provably secure ways to generate private keys. We do not need to reinvent the wheel.

If you want to treat it as a challenge for a bit of fun, then I can't stop you. But I would never recommend using it to generate private keys or wallets you will use to actually store funds.

we measure the bias every time we do another trial run and compare the output to previous ones. is it a long and arduous, tedious process? yes. is it worth it? sure. it's always worth it to do something no one else has ever done. you make some valid points but you're very pessimistic about my method. don't you think that it is not unreasonable to want to be able to extract entropy from a set of identical objects (aka, bingo balls or cards in a card deck) when they are ordered in a randomized fashion without having to resort to a function like sha-256 which is not known to be 1-1? please answer yes. but i know you won't.

I don't want to do things other people have already done necessarily. I mean not that I haven't done them, because I have. But I wanted to do something more than that. Something no one ever did. So I treated it like a challenge. Something to overcome if I ran into any obstacles. I embrace those kinds of challanges though. For example, a bingo ball cage is 75 balls. 75! is way bigger than the number of bitcoin private keys. How do we deal with that issue? How do we ensure when dealing with that issue that we aren't introducing any significant bias? You don't think I've considered these questions? Well let me tell you, I have. I'm not just some idiot that doesn't think things through and trusts what other people say. I trust what I can prove.

i didn't invent the technology but i applied it to a bingo ball machine. 

Topic asides, but answer me this question of mine: why do you want to mess with unreliable, untested, and hard to test methods for generating entropy, when there are already tested, reviewed and comparably faster methods to do it already? I mean, let me emphasize: this number you're generating isn't going to keep some conversation with your friends, or perhaps even some nude photos secret. We're talking about property here. Real, hard money. Why do you want to play with the security of your property?

It's like making up your own door with your own lock, because you think you've thought of something that lock experts (which have spent about decades of studying more than you), haven't thought before. And it's even worse, because we all know that stuff such as math, cryptography etc. are more abstract, and require more dedication than a lock design.

I would say that using dice to generate seed words can be considered fair, as long as the dice are rolled properly and the numbers are generated randomly. However, it is important to note that the quality of the randomness of the seed words will ultimately depend on the quality of the random number generator that is used. Therefore, I always recommend at least using a high-quality random number generator in order to ensure the security of your seed words.

Yeah, I think we are going to have to simply agree to disagree on this one. You will never convince me that any process which requires human selection or ordering will generate truly random entropy (because humans cannot be truly random), and I will never advocate using a system like bingo balls which has an unmeasured bias and requires unnecessary transformation of the final result. If you want to use a physical method to generate a seed phrase or private key, flip a coin. If you don't, use /dev/urandom. Making it more complicated than this is just introducing errors and biases which don't need to be there.

ok well i know i can do it wearing a blindfold. the grid might not be 5x10 it might be some other size to make it easier to do but i know i don't need to look at them.
 
for my process, it happens very fast. the entire procedure is only about maybe 15 seconds so there's really no way to be examining each individual number on each die. maybe i see 3 or 4 of them and put them into place manually but that's about it.

i think it's a waste of time but i'm willing to do it anyway once just so i can see if it makes any difference but i know it won't. because i'm already close to being at that point anyway.

i told you some good news though. you don't need to understand how a one-to-one function works to have a security guarantee from it. that's good news right?  

you think my mileage varies in that regard? that's disappointing to me. because i'm really particular about what kind of tool i would trust. hint: it needs to be something i created or programmed or whatnot. not just gonna go and generate a private key on my android phone and throw some bitcoin in it.


yes you do have a perfect one-to-one functon there. the problem is it can't work with the type of things mine does. like bingo balls or card decks or anything where you have a set of objects which you are permuting. mine on the other hand is transferrable over to being able to map flips of a coin 256 times into bitcoin private keys. (not that i would be particularly interested in using it for that but i could!) actually i'm not sure about that last statement. i'll have to think about how i would go about that process...

the point being though that permuting a group of objects is fast while flipping coins is slow. the tech to convert each process's raw entropy into a private key is different. i would say the former is more powerful. but indeed as you have mentioned if you want to guarantee no bias then yours is the gold standard. maybe we can leave it at that.

Maybe if you were to wear a blindfold when arranging the dice in the grid you could convince me you have not introduced a bias, but otherwise you have. You may think you haven't, you may think you aren't paying attention to the numbers on the dice, you may think you are being totally random, but you aren't, because humans can't be. And we both know that many people if told to wear a blindfold to arrange the dice would just skip that step, thinking it was a waste of time because they are sure they are being random (just as you are), when they aren't.

And I would counter that there is no way I personally will be using a process I know nothing about to generate my private keys. But YMMV.

I already have a perfect one - flipping a coin. The outcomes of 256 fair flips are perfectly and provably matched one-to-one with the set of 256 bit numbers.

I'm not looking at each individual die either while I'm arranging them into the grid.

i don't inspect the results. i only inspect them after they are already in the grid. and i don't make any changes. no matter what.

not how it works.  

it is a solved problem. and easily understandable. it's way simpler than converting a bitcoin private key into a public key. just for comparison's sake.


it's not rocket science. it's pretty much just basic math. anyone can understand it who wants to. for the purposes of analyzing the "security" as you seem to be so worried about, I would submit that one does not  even need to know anything about how the one-to-one function works (i.e., its internals). So if you don't like my particular one-to-one function that I'm using you can invent your own. And yours will be just as strong as mine. Same security guarantee. It is secure simply by that fact that it is one-to-one on a large enough set aka 52! or even higher if you like. A set which cannot be brute forced through. And that's the end of that story.

It is of course possible to shuffle a deck of cards by hand, but the difference here is that you aren't looking at the cards as you do it. Once you've already rolled the dice and can see the results, then ordering them manually can introduce bias. Maybe you don't arrange four 5s in a row because that isn't random enough.

That's the point I'm making though - turning an arrangement of a deck of cards in to a binary string is not something that is trivial. It is very possible that your method of randomness extraction does not result in a completely secure result.

i would think the arrangement of them is similar to shuffling a card deck but if you don't think its possible to shuffle a card deck by hand then I don't guess I could convince you it is possible with dice either. but i've done it and it seemed pretty random to me.  me personally i'm not concerned that there is some large bias that would cause an issue in that process, having done it quite a large number of times in fact in the past. but i know that doesn't convince you of anything...

right. the number of possible strings like that is mind boggling.

we don't have to worry about that answer if we avoid using SHA-256 to extract the entropy from some permuation of objects such as a card deck. SHA-256 is a really complicated way of doing something simple in that instance...

But as you correctly predicted, I'll point out that it requires you to manually arrange them, which will not be a random process, regardless of how random you think you are being. Anything which introduces a human choice introduces a subconscious bias.

Just to be pedantic, but the domain isn't quite unlimited - it is any string up to length 2⁶⁴ - 1 bits, which is any string up to 2 million terabytes in length.

And impossible to answer without cycling through the entire set of possible inputs, which is similarly impossible.

well if you take 50 die, and arrange them in a 5x10 rectangle, you don't have to visually look at them to do that necessarily. but i know you're still going to argue that there is bias and some dies might go into a certain position more often than they go into other positions. you got me in a unwinning situation there. 

that's why i wouldn't want to use sha-256 to get the entropy out of a deck of cards. if sha-256 is a one-to-one function then i would say it is probably a suitable thing to use for entropy extraction of a deck of cards. if it's not a one-to-one function then it probably is not ideal and i would prefer instead to use something that is one-to-one. when we talk about one-to-one, obviously it is not one-to-one for an unlimited domain size but if we restrict to say a set of size 52! = 80658175170943878571660636856403766975289505440883277824000000000000 then it is an open question. so maybe not the best way of extracting or transforming entropy. and for that matter as i think you may have pointed out in the past, 52! is rather small in comparison to the entire universe of possible bitcoin private keys so there's that too, but that can be overcome i believe. 

Or the order you read them and record the result. Same result - you introduce a bias.

I'm sure there are people out there who do, but I am not one of them. And I'm afraid I'm not willing to risk the security of my coins on a hope and a prayer.

I have methods which I know are secure. Why on Earth would I use something I hope is secure instead?

I'll answer the 2nd question for you. to save time.