Pages:
Author

Topic: Are dices for generating seed words fair? - page 9. (Read 3465 times)

legendary
Activity: 2268
Merit: 18771
October 27, 2022, 04:48:43 AM
#87
Check out Aaron Toponce's implementation called Deckware.
Now this seems interesting. The underlying method of Lehmer code certainly looks preferable to Ian Coleman's implementation, although it requires using a third party's code. Although the code is simple, the whole point of using a physical method of entropy generation is to avoid doing this, and if someone doesn't trust /dev/urandom to securely generate entropy, then relying on code written by one person and (as far as I can tell from a web search) not reviewed or even discussed by anyone else ever is a bad idea. I suppose it would be possible to calculate your code manually using an airgapped computer and a simple calculator package, but the chances of making a mistake with this process are very high.

And as I said earlier in the thread, given that I have no formal training in cryptography, I cannot rule out that there is some glaring vulnerability of which I am unaware. I am not willing to risk the safety of my coins by using something which I cannot verify. I'll stick to my simple, secure, quick, and easy coin flips. Wink

Wouldn't a "brain wallet" be a trivial solution?
Maybe. But the whole point of the argument I'm making here is that I'm not a cryptographer, so I can't say for sure. And neither is anyone else in this thread, by the looks of things.

People without extensive medical knowledge don't tend to attempt surgery (unless they are very stupid), and so we shouldn't be attempting to create our own ad hoc cryptography, especially when there already exists better tried, tested, and verified methods.

Also, a slight niggle: You do lose a small amount of entropy (<1 bit) when you hash a string for a brain wallet.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
October 27, 2022, 02:31:22 AM
#86
More importantly, though, is how do you convert your series of cards to a usable string of bits without losing entropy or introducing bias? It is not a trivial problem.
Wouldn't a "brain wallet" be a trivial solution?
Just type: "diamonds 8, spades Queen, diamonds Jack, clubs 3, ..............", you see my point. Type it all, no entropy gets lost, and you have a private key.

Quote
once a card has been drawn it can never be drawn again
This shouldn't be a problem, as long as you use enough cards. A full deck of cards is more than enough: 52! >> 2160.
sr. member
Activity: 1190
Merit: 469
October 26, 2022, 08:21:46 PM
#85
The fact that we don't have a good method makes it a problem.
Well that's that I thought too but maybe we were wrong.

Quote
The only implementation of cards to seed phrase I am aware of is Ian Coleman's, which as we have already discussed here is not great.
Check out Aaron Toponce's implementation called Deckware.

https://pthree.org/2021/02/18/introducing-deckware-a-224-bit-entropy-extractor/

Plus he put it on github and it's as easy as downloading a single html file.
https://github.com/atoponce/deckware
 
Props to that dude for his hard work.

Quote
I am not aware of any other implementation, and I'm certainly not going to propose one. They obviously can't be used "as is" since a seed phrase or a private key needs to be presented in bits, and a string of cards is not in bits nor directly convertible to bits without applying some kind of transformation.
The key to extracting entropy for card decks is the ability to form a bijective map from the set of permutations of the symmetric group on n objects to the set of integers from 1 to n!. It's very simple in fact. Just maybe not easy to come up with on your own but once you see how it works, it makes sense.  

I think Aaron has a pretty good tool there, wouldn't hesitate to use it but first I would need to duplicate his results for some trial runs to make sure it works as expected. But it couldn't be made any simpler than his drag and drop idiot proof interface  Cheesy


Quote
This gets us back to the original discussion regarding converting a string of dice rolls in to a string of bits, which as I argued before, should not just be a case of applying a hash function and assuming you now have a cryptographically secure random number and you are perfectly safe.

So again, I would say that if you don't trust /dev/urandom for some reason, then stick to flipping a coin to produce a string of bits directly. Anything else is more complicated, more time consuming, and potentially less secure.

Well yes, nothing is more simple than flipping a coin and getting your 256 bits that way. But it's nice to know that someone actually put in the hard work to extract the entropy from a deck of cards. Now I can just use their tool rather than trying to invent my own. With all of that said, I'm sure you'll have hesitations about this card deck entropy extracting method but it's better than anything else I've seen for card decks. Plus he bumped up the entropy level to 237 bits if you notice. since he includes the 2 jokers. problem is if you don't have the 2 jokers, you need to find some since his tool won't work without them.
legendary
Activity: 2268
Merit: 18771
October 26, 2022, 09:52:23 AM
#84
What do you think makes this a non-trivial problem exactly? A deck of cards has 225 real bits of entropy. No more no less. They should be able to be used directly as is. Now you ask me about my method. I don't have a method yet.
The fact that we don't have a good method makes it a problem. The only implementation of cards to seed phrase I am aware of is Ian Coleman's, which as we have already discussed here is not great. I am not aware of any other implementation, and I'm certainly not going to propose one. They obviously can't be used "as is" since a seed phrase or a private key needs to be presented in bits, and a string of cards is not in bits nor directly convertible to bits without applying some kind of transformation.

This gets us back to the original discussion regarding converting a string of dice rolls in to a string of bits, which as I argued before, should not just be a case of applying a hash function and assuming you now have a cryptographically secure random number and you are perfectly safe.

So again, I would say that if you don't trust /dev/urandom for some reason, then stick to flipping a coin to produce a string of bits directly. Anything else is more complicated, more time consuming, and potentially less secure.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 26, 2022, 09:01:11 AM
#83
I am sure there must be a way of doing that but it has to be lossless encoding. Unlike Coleman's scheme.
The only way you can avoid entropy loss with a deck is to shuffle it, choose one card, put it back, shuffle again, and then repeat it for X times. Shuffling, and letting the entropy be equal with the series of cards reduces entropy, as said above.

Taking the Sha256 hash of the cards as a string is kind of like pushing the problem into the hash function.
If x is not a cryptographically secure pseudo-random number, then SHA256(x) is not either.

There are 2^96 more bitcoin private keys than addresses.
This is not true. Addresses can have various types. There's legacy, segwit native, segwit nested, taproot. Native SegWit multi-sig addresses are 256 bits, for example. Secondly, messing up with private keys is prone to introduce problems. I know no expert who suggests that 225 bits, in a 256-bit elliptic curve, are cryptographically secure enough.
sr. member
Activity: 1190
Merit: 469
October 25, 2022, 08:51:23 PM
#82

And yet Ian Coleman's method generates a string of 32*5 + 16*4 + 4*2 = 232 bits if you draw the entire deck once, which is above this upper limit of entropy.

it may pump out a 232 bit string but that doesn't mean 232 bits of entropy. and therein lies the problem with his little scheme. i call it a scheme because i don't take it seriously.

The better way is to develop a true mapping of the 225 bits of entropy 1-1 into bitcoin private keys. simple as that.
Rounding errors aside, there are 231 more private keys than card orders, so by doing this you are excluding 99.99999995% of all possible private keys.

There are 2^96 more bitcoin private keys than addresses. That never bothered anyone... I mean I see your point and mathematically you are correct but I'm not sure if it's a real issue. Otherwise, no one would ever have suggested using card decks for entropy right?
legendary
Activity: 2268
Merit: 18771
October 25, 2022, 03:48:18 AM
#81
Well there are 52! ways different possible orderings of a full deck of cards. that's about 225 bits. bitcoin private keys only have 128 bits of security. a little entropy loss is probably not a big deal. but it would need to be quantifiable as to how much.
And yet Ian Coleman's method generates a string of 32*5 + 16*4 + 4*2 = 232 bits if you draw the entire deck once, which is above this upper limit of entropy.

But still, how are you going to convert a string of cards to bits? Are you going to use Ian Coleman's method, which as discussed I don't like. Or do you just write your cards out as a string of 7h9sKdAc and so on and hash it? Some other method? How has your method been analyzed and tested? As I said, it is not a trivial problem.

Well I wouldn't necessarily call them "more secure" just because they contribute more bits. those bits are fixed in a particular order so they are just like a single "object" they can't be rearranged.
I don't think they are actually any more secure, hence why I put "more secure" in quotation marks. But if I can draw 4 cards and up with 8 bits of "entropy" or 20 bits of "entropy" depending on the cards, then that's a problem. If I shuffle a deck randomly, then the top card has a set amount of entropy. That amount of entropy doesn't change when I turn the card over and see what it is.

The better way is to develop a true mapping of the 225 bits of entropy 1-1 into bitcoin private keys. simple as that.
Rounding errors aside, there are 231 more private keys than card orders, so by doing this you are excluding 99.99999995% of all possible private keys.
sr. member
Activity: 1190
Merit: 469
October 24, 2022, 08:35:47 PM
#80
but i dont see how shuffling a card deck could be biased as long as you shuffle it enough times.
also it's alot faster than flipping coins.
More importantly, though, is how do you convert your series of cards to a usable string of bits without losing entropy or introducing bias? It is not a trivial problem.

Well there are 52! ways different possible orderings of a full deck of cards. that's about 225 bits. bitcoin private keys only have 128 bits of security. a little entropy loss is probably not a big deal. but it would need to be quantifiable as to how much.

Quote
The only real implementation of cards to seed phrase I am aware is that on https://iancoleman.io/bip39/. I am not a fan of how it works, though.
Ian's encoding scheme seems somewhat problematic in some sense.  For example, a Ten of spades "ts": "00", followed by jack of spades "js": "01" cannot be distinguished from a single 8 of hearts "8h": "0001". what that does is reduces entropy since different arrangements can lead to the same raw entropy string overall. the question is "how much of a factor does this entropy loss play overall in his encoding scheme?" the issue is not just present with 2-bit/4-bit strings but also 4-bit/5-bit strings. and then other combos like 2+4=6 and so chunks of size 30 bits cannot be resolved as 6 cards each 5 bits or some other combination. the entropy loss seems like it could be significant.

I'm not sure Ian really analyzed all of that before jumping in and coding this thing. Unfortunately. Because I guess now he can't change it.


  "6h": "11111",
        "7h": "0000",
        "8h": "0001",
        "9h": "0010",
        "th": "0011",
        "jh": "0100",
        "qh": "0101",
        "kh": "0110",
        "as": "0111",
        "2s": "1000",
        "3s": "1001",
        "4s": "1010",
        "5s": "1011",
        "6s": "1100",
        "7s": "1101",
        "8s": "1110",
        "9s": "1111",
       "ts": "00",
        "js": "01",
        "qs": "10",
        "ks": "11",



Quote
It assigns different bit values to each card. 32 cards are assigned a 5 bit string, 16 cards are assigned a 4 bit string, and 4 cards are assigned a 2 bit string. 32+16+4 = 52. There are two main issues with this. First of all, it makes some cards 8 times "more secure" than other cards, by way of them contributing 5 bits instead of 2.
Well I wouldn't necessarily call them "more secure" just because they contribute more bits. those bits are fixed in a particular order so they are just like a single "object" they can't be rearranged. no matter how many bits a particular card uses, it doesn't matter. the real issue with his encoding has to do with the entropy loss I referred to previously. And it is unfortunate. I don't think it has to be that way but you can't just go cowboy and do something without thinking it all the way through.

Quote
This simply doesn't make sense. Secondly, it encourages someone to shuffle a deck of cards and then draw them one by one, meaning that once a card has been drawn it can never be drawn again. This reduces entropy, since that particular string of bits will never occur again.
that's not how his tool is supposed to work though. you shuffle the deck and the order of the cards is the raw entropy but the problem is his encoding scheme is somewhat strange and I don't know if he really knew what he was doing when he made it up. that's just being honest. Grin

Quote
A better way of doing it would be to assign each of the four suits a 2 bit value - spades 00, clubs 01, diamonds 10, hearts 11 - for example. Then draw a single card, write down your two bits, shuffle that card back in to the deck thoroughly, and repeat. This would take much longer than simply flipping a coin though, and still does not eliminate any unknown bias in your shuffles.
I would definitely say that is a terrible use of 225 bits of entropy. And a waste of time too. As you pointed out. The better way is to develop a true mapping of the 225 bits of entropy 1-1 into bitcoin private keys. simple as that. without using a hash function. But ian didn't take that route. In fact, I think he takes that sha256 of the raw entropy unless you're doing the 3 words with 1 bit checksum option.

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 24, 2022, 05:48:53 AM
#79
Cake Wallet allows you to safely store, exchange, and spend your Monero, Bitcoin, Litecoin, and Haven. Cake Wallet is focused on an excellent transaction experience.
Besides shilling a shitcoin, that is Haven, I wouldn't trust a developer who chooses to work on creating a closed-source Bitcoin, Monero and Litecoin wallet, not only for his intentions, but for the fact that he's likely to mess things up, and he did apparently. Open source projects that focus on just one cryptocurrency, and that are reviewed by literally hundreds of developers (such as Electrum) do have some issues presented every now and then. Let alone a brand new, closed-source, multi-crypto environment.

honestly, i would personally want to avoid any entropy scheme that relied on a hashing function. shouldn't be necessary.
Honestly, I don't understand why they're passing the entropy through a hash function, and I wouldn't want it either. But, does it harm? Very little according to StackExchange. Essentially zero.
legendary
Activity: 2268
Merit: 18771
October 24, 2022, 02:45:11 AM
#78
but i dont see how shuffling a card deck could be biased as long as you shuffle it enough times.
also it's alot faster than flipping coins.
There are hundreds of ways to end up with a not entirely random arrangement of cards after a shuffle, most commonly as lots of people simply aren't very good at properly shuffling cards. You could reduce this bias by repeated shuffles and washes, but this adds a lot more time and is still not a guarantee. More importantly, though, is how do you convert your series of cards to a usable string of bits without losing entropy or introducing bias? It is not a trivial problem.

The only real implementation of cards to seed phrase I am aware is that on https://iancoleman.io/bip39/. I am not a fan of how it works, though. It assigns different bit values to each card. 32 cards are assigned a 5 bit string, 16 cards are assigned a 4 bit string, and 4 cards are assigned a 2 bit string. 32+16+4 = 52. There are two main issues with this. First of all, it makes some cards 8 times "more secure" than other cards, by way of them contributing 5 bits instead of 2. This simply doesn't make sense. Secondly, it encourages someone to shuffle a deck of cards and then draw them one by one, meaning that once a card has been drawn it can never be drawn again. This reduces entropy, since that particular string of bits will never occur again.

A better way of doing it would be to assign each of the four suits a 2 bit value - spades 00, clubs 01, diamonds 10, hearts 11 - for example. Then draw a single card, write down your two bits, shuffle that card back in to the deck thoroughly, and repeat. This would take much longer than simply flipping a coin though, and still does not eliminate any unknown bias in your shuffles.

I mean they got a pretty large user base from what it looks like. 100k+ downloads off google play is not such small potatoes.
I pay zero attention to such metrics. It is easy to fake these numbers with bots, and indeed many malicious wallets do just that to make their app seem more legitimate.
sr. member
Activity: 1190
Merit: 469
October 23, 2022, 09:27:36 PM
#77
It turns out, that they'd made this discussion before: https://github.com/iancoleman/bip39/issues/435#issuecomment-1145503821

As far as I can tell, Coldcard does also use the SHA256 hash of the input, which is likely the dice rolls: https://github.com/Coldcard/firmware/blob/master/docs/rolls.py#L15.
Interested discussion to this StackExchange question as well: https://crypto.stackexchange.com/questions/10402/how-much-entropy-is-lost-via-hashing-when-you-add-known-or-low-entropy-data

honestly, i would personally want to avoid any entropy scheme that relied on a hashing function. shouldn't be necessary.
sr. member
Activity: 1190
Merit: 469
October 23, 2022, 08:18:01 PM
#76
but then we get into other questions such as "what is an acceptable level of bias in an experiment where you perform it some number of times, be that 1000, or more?"
When considering generating private keys for bitcoin, then my answer is zero. I don't see why you would settle for anything less. This is why I advocate for using coin flips with von Neumann's algorithm, since by doing this you can be certain you have eliminated any bias in your coin, as well as not introduced any new bias by performing randomness extraction or other processes you don't fully understand on your data.
yeah now that you put it that way, i guess it does make sense. why settle for less? i looked into shuffling a card deck to generate entropy once but i'm not sure if that is as safe as this von neumann method. but i dont see how shuffling a card deck could be biased as long as you shuffle it enough times.
also it's alot faster than flipping coins.

Quote
Any method of testing for bias can never rule out bias 100%, only make it less and less likely but after an exponential number of test flips/rolls.
that's why it's hard to test something and people forego that, at their own peril of course  Cheesy


Quote
People involved in bitcoin who have the ability to read and analyze code, as well as the time and motivation to do so for free, generally aren't using random low quality wallets like Cake which they stumble across on the app store, which might explain why nobody picked it up sooner.

I mean they got a pretty large user base from what it looks like. 100k+ downloads off google play is not such small potatoes. Not every random low quality bitcoin wallet has XMR/BTC/LTC swapping going on either. Surely alot of people that used Monero used it for that exact reason...

Cake Wallet allows you to safely store, exchange, and spend your Monero, Bitcoin, Litecoin, and Haven. Cake Wallet is focused on an excellent transaction experience.

Cake Wallet
Cake Labs
3.7
star
965 reviews
100K+
Downloads

Content rating
Everyone
info

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 23, 2022, 04:50:35 AM
#75
It turns out, that they'd made this discussion before: https://github.com/iancoleman/bip39/issues/435#issuecomment-1145503821

As far as I can tell, Coldcard does also use the SHA256 hash of the input, which is likely the dice rolls: https://github.com/Coldcard/firmware/blob/master/docs/rolls.py#L15.
Interested discussion to this StackExchange question as well: https://crypto.stackexchange.com/questions/10402/how-much-entropy-is-lost-via-hashing-when-you-add-known-or-low-entropy-data
legendary
Activity: 2268
Merit: 18771
October 23, 2022, 02:48:04 AM
#74
but then we get into other questions such as "what is an acceptable level of bias in an experiment where you perform it some number of times, be that 1000, or more?"
When considering generating private keys for bitcoin, then my answer is zero. I don't see why you would settle for anything less. This is why I advocate for using coin flips with von Neumann's algorithm, since by doing this you can be certain you have eliminated any bias in your coin, as well as not introduced any new bias by performing randomness extraction or other processes you don't fully understand on your data.

Any method of testing for bias can never rule out bias 100%, only make it less and less likely but after an exponential number of test flips/rolls.

what's even more horrendous is how no one ever called them out on it until people started losing money. Huh it's not like they were hiding the insecure code. apparently it was sitting there right on github for all to see. but no one did.
People involved in bitcoin who have the ability to read and analyze code, as well as the time and motivation to do so for free, generally aren't using random low quality wallets like Cake which they stumble across on the app store, which might explain why nobody picked it up sooner.
sr. member
Activity: 1190
Merit: 469
October 22, 2022, 07:16:15 PM
#73
They are bouncing off each other in the bag. If a dice is weighted to roll a 6 more frequently than it should otherwise, it doesn't matter if you are bouncing it off the floor, a table, the inside of a cup, other dice in a bag, dropping it down some stairs, or launching it in a trebuchet - it will still be more likely to roll a 6.
ultimately it is something that must be tested statistically. by doing alot of trials. i see what you're saying but i'm still not sure that other factors might play a greater role such as the randomness by which fingers would go into the bag and how they would grip a particular die. but i'm not willing to dismiss the entire thing as yet. for example, i had read somewhere that flipping a biased coin and catching it produces unbiased results. as long as you catch it and dont let it land. that was unexpected but someone was making that claim.

but then we get into other questions such as "what is an acceptable level of bias in an experiment where you perform it some number of times, be that 1000, or more?" I don't think anyone has a good answer for that. and i don't also think that anyone has a really good way to measure randomness. you can do a histogram of how many times each number is landed on but that doesn't mean they happened in a random order. for example: 111122223333444455556666.


Quote
Neither their Android nor their Apple apps are reproducible from their published code:
https://walletscrutiny.com/android/com.cakewallet.cake_wallet/
https://walletscrutiny.com/iphone/com.fotolockr.cakewallet/
Cool I was looking for that website, I had seen it once and then forgot its name  Cheesy

Quote
Still, that error is horrendous. They are falling back on a function which the documentation specifically says is not suitable for cryptographic purposes, which apparently also defaults to a 64 bit number: https://devoncarew.github.io/papyrus.dart/dart.math.html#Random

Completely amateur mistake. Yet another reason that people should stop using all these random wallets which keep popping up and just stick to the tried and tested ones.

what's even more horrendous is how no one ever called them out on it until people started losing money. Huh it's not like they were hiding the insecure code. apparently it was sitting there right on github for all to see. but no one did.
legendary
Activity: 2268
Merit: 18771
October 22, 2022, 02:23:04 AM
#72
i wouldn't be bouncing them off any surface. they are taken one by one out of the bag and placed carefully onto a surface not bounced.
They are bouncing off each other in the bag. If a dice is weighted to roll a 6 more frequently than it should otherwise, it doesn't matter if you are bouncing it off the floor, a table, the inside of a cup, other dice in a bag, dropping it down some stairs, or launching it in a trebuchet - it will still be more likely to roll a 6.

they claim to be open source on the website. but they dont seem to go out of their way to publish the github link for people to check it out but here it is: https://github.com/cake-tech/cake_wallet
Neither their Android nor their Apple apps are reproducible from their published code:
https://walletscrutiny.com/android/com.cakewallet.cake_wallet/
https://walletscrutiny.com/iphone/com.fotolockr.cakewallet/

Still, that error is horrendous. They are falling back on a function which the documentation specifically says is not suitable for cryptographic purposes, which apparently also defaults to a 64 bit number: https://devoncarew.github.io/papyrus.dart/dart.math.html#Random

Completely amateur mistake. Yet another reason that people should stop using all these random wallets which keep popping up and just stick to the tried and tested ones.
sr. member
Activity: 1190
Merit: 469
October 21, 2022, 11:12:15 PM
#71
but no dice are being rolled
You are shaking the dice around (whether in your hand or in a bag) and then bouncing them off a surface (either a table or the other dice in the bag) to come to rest in a particular orientation. Any bias in the dice is still relevant.
i wouldn't be bouncing them off any surface. they are taken one by one out of the bag and placed carefully onto a surface not bounced.

just my opinion.
This is exactly what I'm arguing against. There is an awful lot of complete conjecture in this thread, this is what I think, this is my opinion, and so on. This is not good cryptography. The security of your private keys should be based on tried and tested methods, which are provably unbiased and are provably secure. It should not be based on guesswork and people saying "Well, I think this is probably safe enough".

i understand that and i appreciate that.

Quote from: BlackHatCoiner
It's not a matter of human hand bias (even though you do pick non-randomly from the bag). It's a matter of dice bias. As I said, if there's 50% chance to give 6, then it'll mostly give sixes, whether you use a bag in which you scramble them a hundred times, or not.
I'm not sure about that.

Quote
I don't know what's cakewallet, if it's open-source, if it's peer reviewed, if it's a Bitcoin wallet etc. Would you mind sharing a link that describes the CSPRNG failure in that software? As far as open-source, reputable Bitcoin wallet software are concerned, such as Electrum, there has never been such case.

https://cakewallet.com/

they claim to be open source on the website. but they dont seem to go out of their way to publish the github link for people to check it out but here it is: https://github.com/cake-tech/cake_wallet

https://github.com/cake-tech/cake_wallet/blob/main/cw_bitcoin/lib/bitcoin_mnemonic.dart is where i think they had the issue that generated insecure seeds

here's how it used to be:
https://github.com/cake-tech/cake_wallet/blob/b67bb0664f7268c31c24bd9fb9cbd438c691f5e3/lib/bitcoin/bitcoin_mnemonic.dart#L11-L22

explanation:
https://np.reddit.com/r/Monero/comments/n9yypd/urgent_action_needed_for_bitcoin_wallets_cake/gxqyscl/


legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 21, 2022, 03:56:27 AM
#70
The human hand is not sensitive enough to detect which side of a particular die is heaviest. Otherwise we wouldn't need other ways of testing dice.
It's not a matter of human hand bias (even though you do pick non-randomly from the bag). It's a matter of dice bias. As I said, if there's 50% chance to give 6, then it'll mostly give sixes, whether you use a bag in which you scramble them a hundred times, or not.

cakewallet had a csprng in the code the problem was it also had a fallback which kicked in if the csprng failed to return a seed.
I don't know what's cakewallet, if it's open-source, if it's peer reviewed, if it's a Bitcoin wallet etc. Would you mind sharing a link that describes the CSPRNG failure in that software? As far as open-source, reputable Bitcoin wallet software are concerned, such as Electrum, there has never been such case.
legendary
Activity: 2268
Merit: 18771
October 21, 2022, 03:23:49 AM
#69
but no dice are being rolled
You are shaking the dice around (whether in your hand or in a bag) and then bouncing them off a surface (either a table or the other dice in the bag) to come to rest in a particular orientation. Any bias in the dice is still relevant.

just my opinion.
This is exactly what I'm arguing against. There is an awful lot of complete conjecture in this thread, this is what I think, this is my opinion, and so on. This is not good cryptography. The security of your private keys should be based on tried and tested methods, which are provably unbiased and are provably secure. It should not be based on guesswork and people saying "Well, I think this is probably safe enough".
sr. member
Activity: 1190
Merit: 469
October 20, 2022, 06:31:02 PM
#68
what if you filled a bag with dice and blindly pick one die at a time and put it on the table and then look at the number on top. that eliminates any bias that is in the dice.
That doesn't eliminate bias. You still need to use your hand, and pick... randomly! But since you're a human, you can't do that properly. Also, if the dices aren't fair, say the number 6 has a 50% chance to come up, then the bag is likely to give you mostly sixes.

The human hand is not sensitive enough to detect which side of a particular die is heaviest. Otherwise we wouldn't need other ways of testing dice.

but again, i challenge anyone to show me a story where someone used dice to generate their bitcoin private key and then later said they got hacked. if they got hacked it's because of something else rather than a bad private key.
Unfortunately, this is not how security works. Just because somebody hasn't fell for it, it doesn't mean you can't be the first. Figuring out a very complicated way to generate a Bitcoin wallet, might have a smaller attacking point, but it doesn't make it more secure. As I said before, I don't know a case of a person who used an airgapped machine to generate a Bitcoin wallet using the CSPRNG, and got ripped off, and that's the commonly known secure way, backed by experts.

cakewallet had a csprng in the code the problem was it also had a fallback which kicked in if the csprng failed to return a seed. the fallback was using the system "current time" as the seed. the issue of whether someone could have generated their mnemonic seed with the cakewallet app while
"airgapped" is really irrelevant (although I would expect that they could) as is the argument that you require a "machine" to generate the seed. By machine I'm assuming you mean a desktop computer but a smartphone is also a machine. Which many people use.

The problem that these cakewallet users had is a common one which is if you haven't read through the source code yourself and understand how it works then you are at risk...if they had used dice to generate their seeds they wouldn't none of them would have lost money due to having an insecure seed. guaranteed.



well of course it's a stupid brainwallet. it's the empty string!
I mean it may well have been generated by someone deliberately hashing an empty string, just as all brainwallets are created by the user deliberately choosing a particular string to hash, as opposed to some flawed software hashing an empty string while the user believed it was doing much more than that.
bitaddress doesn't seem to allow a user to create a brainwallet using too short passphrases of which the empty string certainly meets that criterion but maybe some other software doesn't have that check. and the person thought they were generating a secure bitcoin address and not a brainwallet. it could happen. clearly they learned their lesson though as no new 0.9 btc deposits have been made since then.  Grin

Quote
It doesn't eliminate any bias at all. It simply mixes the bias of each individual die among the bias of all the dice, and you hope that doing so is enough to maintain the security of your resulting entropy.
but no dice are being rolled. they're just sitting in a big bag and you jumble them around, reach in and grab one on whatever side you happen to. i dont think the bias of a particular die has any role in that procedure since die will not be able to necessarily achieve a particular position they might achieve if they were not in contact with other die.

Quote
And if you go out and buy a set of 100 dice to do this with, how do you know that every single dice in that set hasn't been subjected to the exact same manufacturing defect and therefore has the exact same bias as every other dice?
well they likely will all have the same bias in that case but i dont think that is going to be a problem with the particular procedure we're talking about here. just my opinion.
Quote
In addition to BlackHatCoiner's response, it is often impossible to pinpoint exactly how a seed phrase or private key was compromised, so asking for such an example is meaningless.
well in the cakewallet situation they know exactly how it happened. it was generating insecure seeds. so yes it is possible sometimes to know how or why something happened.

but i have yet to hear of anyone ever saying they are skeptical of dice because they once created a bitcoin private key by rolling dice and then someone stoled their funds from that address and they strongly suspected (even if they couldn't prove, of course they can't prove it) that it was because the dice rolled an insecure private key.


Pages:
Jump to: