
Topic: Are dices for generating seed words fair? - page 7. (Read 3334 times)

legendary
Activity: 1344
Merit: 6415
Farewell, Leo
December 09, 2022, 11:49:16 AM
Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
How can you flip 256 coins at the same time? And why?

Only geeks and nerds probably ever did that.
The topic of this discussion isn't whom these methods are addressed to. It's what the tradeoffs are. For the average Joe who wants self-custody and has no technical competence in the field, maybe his best course is to just buy a hardware wallet.
sr. member
Activity: 1036
Merit: 350
December 09, 2022, 01:00:01 AM
Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
That doesn't work, it makes the order in which you pick the coins up a factor that can be biased.
who said anything about picking them up?

I've not changed my stance and I've been pretty explicit since the first page of this thread on this topic:
How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?
ok fair enough, i went back and saw you were talking about that before we got into talking about the bingo machine method.

And as I've also said before in this thread, there is a whole field of study on randomness extraction, on which I am by no means an expert, but I know enough to know that someone who does not understand it will almost certainly mess up in a way they don't even comprehend. Therefore, it is a bad choice.
For me, if I understand the mathematics behind how something works, I don't feel that I need a rubber stamp of approval from some so-called expert in the field. They aren't going to understand anymore about it than I do, most likely. Since if I took the time to study it and program it and understand how it works from the bottom up, they haven't even taken the time to do that, why would I need to listen to someone like that? I'm very capable of forming my own conclusions about the security of the particular transformation.

Now, I don't mess with things I don't fully understand though. Thus why I shy away from using something such as SHA256 to extract entropy. There is something better. I don't make conclusions about things I don't understand.

 
legendary
Activity: 2268
Merit: 18503
December 08, 2022, 04:32:36 AM
you've updated your boilerplate statement to indict some of the other forms of generating a seed phrase mechanically. you do that when you throw in the term "requiring no transformation or randomness extraction".
I've not changed my stance and I've been pretty explicit since the first page of this thread on this topic:
How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?
Taking a non-binary output (such as dice rolls or the order of a deck of cards) and transforming it in to a binary string to use as a private key is not a benign process. And as I've also said before in this thread, there is a whole field of study on randomness extraction, on which I am by no means an expert, but I know enough to know that someone who does not understand it will almost certainly mess up in a way they don't even comprehend. Therefore, it is a bad choice.

The problem is, it is not quick.
Can be done in half an hour. That's pretty quick in the grand scheme of things. How many hours have we spent discussing it?

But I know you would never agree to doing it this way. not ever.
Correct. Because it is biased.

Also, i'm sure you're going to say there are bip39 wordlists that convert binary 11-bit numbers into words.
Correct. https://github.com/hatgit/BIP39-wordlist-printable-en. Bonus with this one is that it includes decimal as well. So you can convert your binary to decimal, look up the decimal word, and then check the binary decoding against your original binary to ensure you have not made any mistakes.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 08, 2022, 03:53:12 AM
Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
That doesn't work, it makes the order in which you pick the coins up a factor that can be biased.
Also: who has 256 coins nowadays?
sr. member
Activity: 1036
Merit: 350
December 08, 2022, 01:20:34 AM
you're never going to budge off the coin flipping method.
Because flipping a coin and using von Neumann's debiasing approach is the only physical method I can convince myself is both provably random and free from bias, as well as requiring no transformation or randomness extraction on the final result which could introduce new weaknesses.
you've updated your boilerplate statement to indict some of the other forms of generating a seed phrase mechanically. you do that when you throw in the term "requiring no transformation or randomness extraction". using sha256 to extract randomness from a card deck is one thing but when you have something more pure than that then that's another.

define "shuffling well" for seedsticks
Quote
Exactly. Difficult to do, and therefore difficult to ensure is not biased.
but don't you think that method has merits? for people that can't use a computer it's the only way.



Quote
It's a simple look up table from number to word.
From decimal number to word. somehow you have to convert your 11-bit numbers into decimal though. that seems like a potential source for errors to happen.
Quote
The complicated bit is calculating the checksum, but that is the same for any physical method, seedsticks included.
yeah but it's simpler than trying to convert 11-bit binary numbers into decimal so you can then look them up on the word list.

Also, i'm sure you're going to say there are bip39 wordlists that convert binary 11-bit numbers into words. maybe there are but even that is fraught with potential errors since you have to compare 11 bits very carefully. chances of error are high when you go to try and match things up. thus seedsticks.

now if you can come up with a mechanical way to get the final checksum word then you are good to go.


legendary
Activity: 2268
Merit: 18503
December 07, 2022, 08:14:39 AM
you're never going to budge off the coin flipping method.
Because flipping a coin and using von Neumann's debiasing approach is the only physical method I can convince myself is both provably random and free from bias, as well as requiring no transformation or randomness extraction on the final result which could introduce new weaknesses. It is also simple and quick.

define "shuffling well" for seedsticks
Exactly. Difficult to do, and therefore difficult to ensure is not biased.

yeah but that requires more technical expertise i would think. they have to know how to convert their entropy into a seed phrase.
It's a simple look up table from number to word. The complicated bit is calculating the checksum, but that is the same for any physical method, seedsticks included.
sr. member
Activity: 1036
Merit: 350
December 07, 2022, 12:04:47 AM
Of all the physical methods other than flipping a coin, I actually dislike this one the least.
you're never going to budge off the coin flipping method. i'm surprised you even conceded this much to the seed stick method which i never heard of before but it does look quite simple.

Quote
The biggest problems here will be human error and bias, rather than any failure of the system itself. Not shuffling well between drawing words, not returning used words to the bag, or more likely, discarding words and trying again to get something "more" random.
define "shuffling well" for seedsticks

Quote
If someone draws the same word twice in the same seed phrase, they might decide that's not random and choose a different word. Or if they draw "boss" followed by "box", again, they might decide that's not random enough. To be completely sure there is no bias you would need to weigh every single individual tile on scales accurate enough to detect milligrams (which most people don't have).
that's probably going to be a problem then as most digital scales for weighing food and things might have a resolution of a single gram. but definitely not 1/1000th of a gram. that would probably cost you a lot more than the seedsticks.

Quote
And finally the cost is another issue, and $120 for something you can do for free with a coin seems unnecessary.
in theory you could make your own seedsticks. all they are is small pieces of plastic. with words on them.

Quote
So not the worst solution out there, but I would still stick to flipping a coin.
yeah but that requires more technical expertise i would think. they have to know how to convert their entropy into a seed phrase. seed sticks do that for you. it's like the difference between getting fast food and going to the store and shopping for ingredients to prepare a meal. i guess to each their own.

legendary
Activity: 2268
Merit: 18503
December 06, 2022, 07:46:02 AM
Of all the physical methods other than flipping a coin, I actually dislike this one the least. It's still not perfect, but there is far less that can go wrong with blindly picking individual words from the full list of 2048 when compared to rolling dice or shuffling cards and trying to apply conversions and entropy extraction algorithms on your output to generate secure entropy.

The biggest problems here will be human error and bias, rather than any failure of the system itself. Not shuffling well between drawing words, not returning used words to the bag, or more likely, discarding words and trying again to get something "more" random. If someone draws the same word twice in the same seed phrase, they might decide that's not random and choose a different word. Or if they draw "boss" followed by "box", again, they might decide that's not random enough. To be completely sure there is no bias you would need to weigh every single individual tile on scales accurate enough to detect milligrams (which most people don't have). And finally the cost is another issue, and $120 for something you can do for free with a coin seems unnecessary.

So not the worst solution out there, but I would still stick to flipping a coin.

I hear you on the bias but isn't there a bias with how I roll dice? Is there a Von Neumann's trick for rolling dice?
Yes, but it is significantly more complicated than when applied to a coin (and adds a significant length of time to your generation process). I've outlined it in a previous post here: https://bitcointalksearch.org/topic/m.61126349. But having said that, I think dice are a poor choice anyway (exactly because it is difficult to detect any bias), so I wouldn't recommend using this over simply flipping a coin.
member
Activity: 216
Merit: 93
Humble Bitcoin Stacktivist
December 06, 2022, 07:44:04 AM
I don't think I can find a faster way to securely generate a seed phrase.
I disagree. Rolling a fair dice is a tested, and peer-reviewed way of generating entropy securely. To spend less time on fairness, toss a coin, preferably using Von Neumann's trick.

Von Neumann's trick is interesting. I'll have to experiment with that. What would be required for SeedSticks to be tested and peer-reviewed?

Quote
On the other hand, SeedSticks is not tested nor reputable, requires you to spend an extra $120, wait for it to arrive, verify that the words you've received are the same as in BIP39 wordlist, and in the end, it introduces bias parameters such as the manner you'll pick words from the bag.

What makes something tested and reputable? I checked all of the words I received against the BIP 39 seed list and it's a perfect match.

I hear you on the bias but isn't there a bias with how I roll dice? Is there a Von Neumann's trick for rolling dice?
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
December 06, 2022, 07:27:04 AM
I don't think I can find a faster way to securely generate a seed phrase.
I disagree. Rolling a fair dice is a tested, and peer-reviewed way of generating entropy securely. To spend less time on fairness, toss a coin, preferably using Von Neumann's trick.

On the other hand, SeedSticks is not tested nor reputable, requires you to spend an extra $120, wait for it to arrive, verify that the words you've received are the same as in BIP39 wordlist, and in the end, it introduces bias parameters such as the manner you'll pick words from the bag.
member
Activity: 216
Merit: 93
Humble Bitcoin Stacktivist
December 06, 2022, 07:14:17 AM
I recently saw an interesting discussion about casino dice that are being used for generating seed words for Bitcoin, and someone asked a question can you really trust dice?

I had this exact same thought and until recently, I didn't really understand how dice rolls translate into a private key. After doing some research, I think I understand.

I was using both ColdCard and SeedSigner with 99 dice rolls to generate seed phrases, but it just takes so long to roll dice 99 times, write them all down, and enter them into both devices to verify that I get the same exact seed phrase on both devices and then write down the seed phrase.

Recently, I came across SeedSticks (https://seedsticks.org/) and that seemed like the best solution for me to be able to generate truly random seed phrases in a lot less time.

Dice are cheap and readily available and so are playing cards but I like how simple it is to just randomly pick 23 words out of a bag, calculate the final checksum word with my SeedSigner, and then have a 24-word seed phrase with all 256 bits of entropy.

I don't think I can find a faster way to securely generate a seed phrase.
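Added example, not part of any post in this thread: the number-to-word lookup and the "final checksum word" step discussed in the posts above, following the BIP39 rule that the checksum is the first ENT/32 bits of SHA-256 of the entropy. It returns zero-based word indices in decimal and binary rather than embedding the 2048-word list; all function names are made up for this illustration, and a printed wordlist may number its rows from 1.

```python
"""BIP39 entropy -> word indices, with checksum (added illustration)."""
import hashlib

VALID_ENT_BITS = (128, 160, 192, 224, 256)  # 12, 15, 18, 21, 24 words


def bits_to_entropy(bits):
    """Pack a '0'/'1' string (e.g. recorded coin-flip results) into bytes."""
    if len(bits) not in VALID_ENT_BITS or set(bits) - {"0", "1"}:
        raise ValueError("need 128..256 bits (multiple of 32), 0/1 only")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def entropy_to_indices(entropy):
    """Append the checksum bits and cut the result into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32  # 4 bits for 12 words, 8 bits for 24 words
    digest = hashlib.sha256(entropy).digest()
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(digest[0], "08b")[:cs_bits]  # checksum never exceeds 8 bits
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def final_word_candidates(first_indices):
    """Given the first 11/14/17/20/23 word indices (e.g. drawn blindly),
    return every last-word index that makes the checksum valid.

    The last word carries (11 - checksum bits) bits of entropy, so there are
    8 valid last words for a 24-word phrase and 128 for a 12-word phrase.
    """
    n_words = len(first_indices) + 1
    if n_words not in (12, 15, 18, 21, 24):
        raise ValueError("phrase must be 12, 15, 18, 21 or 24 words long")
    if any(not 0 <= i < 2048 for i in first_indices):
        raise ValueError("word indices must be in 0..2047")
    total_bits = n_words * 11
    ent_bits = total_bits * 32 // 33
    free_bits = 11 - (total_bits - ent_bits)
    prefix = "".join(format(i, "011b") for i in first_indices)
    candidates = []
    for tail in range(2 ** free_bits):
        ent = prefix + format(tail, f"0{free_bits}b")
        entropy = int(ent, 2).to_bytes(ent_bits // 8, "big")
        candidates.append(entropy_to_indices(entropy)[-1])
    return candidates


def lookup_row(index):
    """Decimal and 11-bit binary form of one index, for cross-checking a
    hand conversion against a printed list that shows both columns."""
    return index, format(index, "011b")


if __name__ == "__main__":
    # Constructed sample input: all-zero entropy, which must never be used
    # for a real wallet. It is convenient because the result is well known.
    for idx in entropy_to_indices(bits_to_entropy("0" * 128)):
        print(*lookup_row(idx))
    print("valid 24th words after 23 x index 0:",
          final_word_candidates([0] * 23))
```

Note that a hand-drawn 24th word is valid only if it is one of the 8 candidates, which is why the last word is computed rather than drawn.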
legendary
Activity: 2268
Merit: 18503
November 05, 2022, 05:37:09 AM
of course you could get lots of h+h or t+t maybe it takes about 96 tosses per word.
You don't do it per word - you do it per bit. 2 tosses per bit, and assuming a close to 50% rejection rate for a minimally biased coin, then you need on average 512 flips for a 128 bit number encoding a 12 word seed phrase.

Quicker, simpler, more secure, and provably unbiased, when compared to the bingo machine suggestion (or any other physical entropy suggestion, for that matter).
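Added example, not part of any post in this thread: the von Neumann procedure from the post above, with the flip count worked out (the pair is kept with probability 2p(1-p), so a fair coin needs 4 flips per bit and 512 flips for 128 bits). The HT -> 1 / TH -> 0 mapping, the function names and the simulated biased coin are assumptions made for this illustration.

```python
"""Von Neumann debiasing of coin flips (added illustration)."""
import random

# Assumed convention (the thread does not fix one): HT -> 1, TH -> 0.
PAIR_TO_BIT = {"HT": 1, "TH": 0}


def von_neumann(flips):
    """Turn a sequence of 'H'/'T' flips into bits.

    Flips are consumed in non-overlapping pairs; HH and TT are discarded and
    a trailing unpaired flip is ignored. The output is unbiased only if the
    flips are independent and the coin's bias stays the same between flips.
    """
    bits = []
    for i in range(0, len(flips) - 1, 2):
        bit = PAIR_TO_BIT.get(flips[i] + flips[i + 1])
        if bit is not None:
            bits.append(bit)
    return bits


def expected_flips(n_bits, p_heads):
    """Average number of flips needed to obtain n_bits output bits.

    Each pair costs 2 flips and is kept with probability 2*p*(1-p),
    so the cost per bit is 1 / (p*(1-p)).
    """
    return n_bits / (p_heads * (1 - p_heads))


def simulate(p_heads, n_flips, seed=1):
    """Simulate a biased coin and debias it.

    random.Random is used only to demonstrate the statistics; it must never
    be used to produce real key material.
    Returns (raw heads fraction, fraction of 1s after debiasing, flips/bit).
    """
    rng = random.Random(seed)
    flips = ["H" if rng.random() < p_heads else "T" for _ in range(n_flips)]
    bits = von_neumann(flips)
    return flips.count("H") / n_flips, sum(bits) / len(bits), n_flips / len(bits)


if __name__ == "__main__":
    print(von_neumann("HTTHHHTTHT"))           # constructed sample flips
    print(expected_flips(128, 0.5))             # fair coin, 12-word phrase
    print(expected_flips(256, 0.5))             # fair coin, 24-word phrase
    print(simulate(p_heads=0.7, n_flips=200_000))
```

A more heavily biased coin still yields unbiased bits under the independence assumption; it only raises the number of flips needed.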
sr. member
Activity: 1036
Merit: 350
November 04, 2022, 12:31:40 AM

since I won't have 1000000 usd in btc anytime soon I won't worry.
i would be more worried if i generated entropy using a computer and put that much money into the wallet than if i did it with a bingo machine...that's just me though. i'm sure your bingo machine method is solid enough to handle that type of cash.
legendary
Activity: 4088
Merit: 7701
'The right to privacy matters'
November 03, 2022, 11:06:08 PM
No one can perfectly determine the bias on a bingo machine.
So why use it at all, when you can use a von Neumann approach to flipping a coin to have a system which provably has zero bias? Not to mention simpler and quicker as well.

First weigh every ball
Second do dozens of diameter and circumference measurements.
Obviously almost no one would actually do this, which means all your assumptions which follow of the bias being too small to make a difference are flawed. If you don't test what your bias is, then you have no idea if it is too small to make a difference.

so reading Neumann method for an unknown coin bias.

to get a bit of 0 or 1 means a minimum of 2 tosses of a coin

so to randomly pick from 1 to 2048 means many coin tosses . x 24

lets see if you were perfectly or magically lucky and did 2 tosses per bit

the fastest you could get a word is

24 coin flips

as

100000000000 is 2048

so it is a 12 bit number and you need at least 2 tosses to get a bit

of course you could get lots of h+h or t+t maybe it takes about 96 tosses per word.

or close to 2400 tosses but technically it would give you 1/2048 to the 24th power.

I am thinking that rolling my bingo machines a and b takes 48 minutes.

fairly easy to chart. and yeah it won't likely be 1/2048 to the 24th power but it is easier to do and while I won't be as sure as tossing the unknown coin 600 to 2400 tosses it is likely good enough.

more fun to do. and easier.

since I won't have 1000000 usd in btc anytime soon I won't worry. and if I ever do get that much maybe i will do both just for fun.
legendary
Activity: 2268
Merit: 18503
November 03, 2022, 04:55:23 PM
No one can perfectly determine the bias on a bingo machine.
So why use it at all, when you can use a von Neumann approach to flipping a coin to have a system which provably has zero bias? Not to mention simpler and quicker as well.

First weigh every ball
Second do dozens of diameter and circumference measurements.
Obviously almost no one would actually do this, which means all your assumptions which follow of the bias being too small to make a difference are flawed. If you don't test what your bias is, then you have no idea if it is too small to make a difference.
legendary
Activity: 4088
Merit: 7701
'The right to privacy matters'
November 03, 2022, 01:38:08 PM
i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store.
And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....
That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.

I would think the mechanical bingo method is good enough if you do a 24 word key.
There we go again. "I would think". What you are proposing may well be safe enough, but we don't know that. And the amount of time and complexity required to exclude bias from a bingo machine is out of reach of the average Joe.

No one can perfectly determine the bias on a bingo machine.

First weigh every ball
Second do dozens of diameter and circumference measurements.

If you do this put the balls in and rotate machine for a minute the very act of rotation will alter the balls as they hit each other and even if they were not biased at the beginning of the roll they will be by the end of the roll.

What you are missing is that the bias created by rotating the machine and bouncing the balls would be random.

What you are missing is 2 machines 32 balls in machine one always change their bias with each and every roll

What you are missing is second machine with 64 balls changes the bias a tiny bit with every section.

compound an unknown bias which changes with every roll by 24 + 24 rolls it is random actually more random then is measurable by any mechanical means.  

"It is perfectly random" No it is randomly random. Nuff said

as I won't be able to convince you that buying a pair of 100 usd dollar bingo machines is pretty much mechanical perfection

with 2 givens just weigh the balls and measure the circumference of them.

If the balls are within 0.001 grams and 0.001mm my guess is it is far better than any other method.

Obviously if a ball is too big it may never be picked very easy to see if the balls are far too big or too small. Simply have a few precise holes

say
1 and 1/64 inch
1 inch
63/64 inch
31/32 inch

see at what point the ball fits if they are within 1/64 of an inch the bias won't do much.

if they should weigh 10 grams allow 9.99 to 10.01 grams

those would not greatly alter the bias.

who cares if it is not random but has an unknown bias to:

 pick  abandon  1001 out of 2,048,000 picks
 pick  zoo           999 out of 2,048,000 picks

the reality is no one will spin the machines enough to get a true number and the next spin can alter the math as the balls get worn.

so math would say it is not provable that it is random.  which is what you are doing.

I agree it is not provable. In fact it is unlikely to be truly random, but it is not predictable via measuring techniques that we have.

so first word you got was a 1/2047 as predicted be a being with magical skill
second word you got was a 1/2048
third word you got was a 1/2049
fourth word you got was a 1/2047

so 24 words all picked and all very likely to be in the range of 1/2000 to 1/2100

vs a perfect 1/2048 pretty much is good enough in this world as it is cheap and easy to do.

vs dice which are easy to load
vs coins which are easy to load

vs random generators which are very hard to program truly random.

just saying if I need to make a list of 24 words for storing 1 million bucks.

 I would prefer that I used the 2 bingo machines to pick the 24 words.
sr. member
Activity: 1036
Merit: 350
November 02, 2022, 08:13:49 PM

And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

Just a kids toy. That's why it was made anyway.


Quote
That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

I have about 7 full test runs completed. Where i drew out all the balls one by one in each test run and recorded the order in which they came out. I was careful to not store the sequences of numbers online. As I'm not wasting all that time for nothing. Except for one of them I did store it online as a test vector for further processing purposes later on. (conversion to a mnemonic phrase).

Quote
This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.
I doubt you will find any research papers of people trying to assess the entropy quality of bingo machines. There doesn't seem to be much interest in the topic. Although there surely is with dice.
legendary
Activity: 2268
Merit: 18503
November 02, 2022, 05:09:53 AM
i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store.
And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....
That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.

I would think the mechanical bingo method is good enough if you do a 24 word key.
There we go again. "I would think". What you are proposing may well be safe enough, but we don't know that. And the amount of time and complexity required to exclude bias from a bingo machine is out of reach of the average Joe.
legendary
Activity: 4088
Merit: 7701
'The right to privacy matters'
November 01, 2022, 11:00:31 PM
this bingo cage method seems pretty solid to me
I felt like it was producing some high quality randomness
the physical way though just feels like it's more secure
Forgive me for butchering your quote and adding emphasis, but this seems to be where we fundamentally disagree. Something feeling secure and something being secure are not the same thing. We have seen countless examples on this forum of people who have come up with their own methods for generating private keys or backing up wallets which they think are safe and secure, and then end up with all their coins being stolen or their wallets being irretrievably lost. People think they are good at being random and picking passwords, for example, when we know that human generated passwords are usually the weakest there are.

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure. And the fact is that to prove to a reasonable certainty that there is no bias in this kind of bingo system takes complex math and hundreds of thousands of trial runs, which no one will ever do. Therefore you shouldn't use this system.

I beg to differ for a lot of reasons, but I do agree that the 1/2048 for every word is more likely to be in a range of 1/2000 to 1/2100 for each word on the list.

than it is to be a perfect 1/2048


but no one will have tested and found out which is 1/2000 or 1/2100.  since testing this is actually not possible.

reason being wear and tear on the equipment will shift the odds.

So the ability to know what the true likely of the 2048 combos is makes it another kind of randomness.

Lets say I am a magical person or lets say in an imaginary situation the range is from 1/2000 to 1/2100

only the magical person would know which combo is bias to 1/2000 and even if the magical person perfectly
determines the true bias of each and every number 1/2000 to the 24th power is almost as big as 1/2048 to the 24th power in terms of the likelihood of cracking the bingo code.

I would think the mechanical bingo method is good enough if you do a 24 word key.


oh make it more fun spin the bingo blindfolded and use a 60 second timer

get your  1 to 32

walk to next machine spin it blindfolded with a 60 second timer bell . when it rings get your number

granted if you do 24 words it is two spins a word. so at least 48 minutes but it is pretty fucking random.


just not exactly 1/2048 to the 24 power random.

I kind of like the non exact randomness on a conceptual level.

sr. member
Activity: 1036
Merit: 350
November 01, 2022, 08:11:22 PM
this bingo cage method seems pretty solid to me
I felt like it was producing some high quality randomness
the physical way though just feels like it's more secure
Forgive me for butchering your quote and adding emphasis, but this seems to be where we fundamentally disagree. Something feeling secure and something being secure are not the same thing.

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure. And the fact is that to prove to a reasonable certainty that there is no bias in this kind of bingo system takes complex math and hundreds of thousands of trial runs, which no one will ever do. Therefore you shouldn't use this system.

i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store. now is that what makes me think my bingo cage is producing high quality entropy otherwise i wouldn't really feel confident? of course not. some things are just obvious. like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....

Quote
We have seen countless examples on this forum of people who have come up with their own methods for generating private keys or backing up wallets which they think are safe and secure, and then end up with all their coins being stolen or their wallets being irretrievably lost.
yeah, well I don't know what examples you're talking about but i doubt they have anything to do with this bingo cage method. if they would have used it instead they probably wouldn't have lost their coins. and when I say used it i mean used it responsibly and correctly. which means you get your entropy and then seed and then backup the seed in a correct way.

trying to be clever by backing things up in a non-standard way though is an ideal way to lose your bitcoin, i would agree

Quote
People think they are good at being random and picking passwords, for example, when we know that human generated passwords are usually the weakest there are.
who said anything about trying to pick passwords out of my head? i'm not trying to do that at all