
Topic: DIY high quality entropy with low cost (Read 1919 times)

legendary
Activity: 1792
Merit: 1121
July 27, 2014, 09:45:29 AM
#21

It is not possible, at least not easy, to verify its credibility

It's been tested with RNG testing software such as Die Harder. (and others)

But non-technical people are unable to independently verify the randomness of a particular device.

sr. member
Activity: 337
Merit: 250
July 27, 2014, 09:18:40 AM
#20

It is not possible, at least not easy, to verify its credibility

It's been tested with RNG testing software such as Die Harder. (and others)
legendary
Activity: 1792
Merit: 1121
July 27, 2014, 09:10:22 AM
#19

It is not possible, at least not easy, to verify its credibility
sr. member
Activity: 337
Merit: 250
legendary
Activity: 1792
Merit: 1121
July 24, 2014, 09:26:32 AM
#17
If we could standardize the procedure, any moderately educated person could generate a rock solid offline wallet. This is my real goal.

If you think a standard will be built around users making a custom deck instead of using a standard deck of playing cards available just about anywhere in the world in order to save a few cards well it is going to be an empty room.  Still I think your mind is made up so I will leave you to it.

You are possibly right, but the problem with playing cards is the lack of universally recognized names and order for the cards. Arabic numerals are a truly universal language. You may, of course, write 1-54 on each card, but then why don't you buy a deck of white cards as I suggest?

By the way, the most efficient way to use playing cards to generate 160 bits of entropy is to pick 31 out of 52. That will give you 160 bits (52P31). It still takes 31 cards when the 2 Jokers are used.
donator
Activity: 1218
Merit: 1080
Gerald Davis
July 24, 2014, 09:01:51 AM
#16
If we could standardize the procedure, any moderately educated person could generate a rock solid offline wallet. This is my real goal.

If you think a standard will be built around users making a custom deck instead of using a standard deck of playing cards available just about anywhere in the world in order to save a few seconds well it is going to be an empty room.  

I mean your stated goals were:
1. DIY: A 10-year old child should be able to do it
2. High quality: true 256bit randomness
3. Human verifiable: using CCD noise or radioactive decay is not acceptable because it is difficult to verify the randomness
4. Low cost: cheap, not too time-consuming to generate a random number

A deck of playing cards is well understood, easily accessible, hackproof, meets all your criteria, and is the simplest solution to the problem.   Still I think your mind is made up.   I can safely say though that no wallet is going to adopt a system based on custom cards over the simpler more accessible solution.
legendary
Activity: 1792
Merit: 1121
July 24, 2014, 08:23:18 AM
#15
[content snipped]

That's such a costly and time-intensive method of generating verifiable randomness. You could achieve the same level of entropy by flipping through the cable channels and hashing the first ten TV shows and/or commercials that you see. I would even prefer just hashing two random pages from a random ebook than going through the trouble afforded by your method. I'm not saying that your method is bad, just that it's unnecessarily cumbersome.

No snake oil cryptography, thanks
sr. member
Activity: 399
Merit: 257
July 24, 2014, 06:24:16 AM
#14
[content snipped]

That's such a costly and time-intensive method of generating verifiable randomness. You could achieve the same level of entropy by flipping through the cable channels and hashing the first ten TV shows and/or commercials that you see. I would even prefer just hashing two random pages from a random ebook than going through the trouble afforded by your method. I'm not saying that your method is bad, just that it's unnecessarily cumbersome.
legendary
Activity: 1792
Merit: 1121
July 24, 2014, 03:58:57 AM
#13
Bitcoin addresses don't have more than 160 bits of strength (only 128 bits if the PubKey is known) no matter how much entropy is used to create them.

For 160 bits, you need 41 poker cards, or 29 rectangular cards as described in OP, or 26 square cards, or 23 octagonal cards.

The fewer cards you use, the easier to shuffle and thus better randomness.

Quote
If you have one good random number you have multiple.  An HD wallet is an example of that.

In some cases you want many independent random numbers.

Let's say I am the boss of a company. I want to establish a long-term bitcoin saving wallet. I don't want to trust my computer security officer or some black-box hardware wallet with my money. However, I have limited knowledge of computers. What I could do is to generate 10 random sequences by card shuffling, and use a specialized hardware wallet to turn them into 10 HD wallets. I will randomly choose 1 of the 10 wallets and lock it in a vault. I will also lock the hardware wallet in the vault.

I will hire several independent security experts to examine the remaining 9 random sequences and HD wallets. They will make sure the HD wallets are truly derived from the random sequences. Therefore, a malicious hardware wallet would have only a 10% chance of success.

(For more sophisticated users, they may verify the wallets by themselves using several different computers and clients)

Now my wallet is as safe as the vault. I may use multi-sig to further strengthen the security.

If we could standardize the procedure, any moderately educated person could generate a rock solid offline wallet. This is my real goal.
legendary
Activity: 1792
Merit: 1121
July 24, 2014, 03:04:11 AM
#12
Why don't you just flip a coin 256 times?

You could, but it's extremely inefficient.
sr. member
Activity: 374
Merit: 250
July 24, 2014, 01:34:20 AM
#11
Why don't you just flip a coin 256 times?
+1
or dice ODD vs EVEN => 0 vs 1 :)
or create random photo and calculate hash of this file... easy ;)
full member
Activity: 151
Merit: 100
July 23, 2014, 10:51:48 PM
#10
Why don't you just flip a coin 256 times?
donator
Activity: 1218
Merit: 1080
Gerald Davis
July 23, 2014, 10:06:03 PM
#9
There is no conceivable scenario where 256 bits is needed and 225 bits is insufficient.  128 bits is beyond brute force.  One may want to hedge than some to compensate for possible biases but even 160 bits is fine.   If a standard deck was smaller that would be fine as well but since the extra bits don't hurt you might as well use them.  Most of the time comes from the explanation, getting the deck, and shuffling it just doesn't make sense to use less cards.  KISS.   Still if you came across a deck which was missing some cards it would still be good enough.   Even 41 cards (11 missing) gives 160 bits of entropy.

Bitcoin addresses don't have more than 160 bits of strength (only 128 bits if the PubKey is known) no matter how much entropy is used to create them.

Quote
If you need many good random numbers that would make a difference.

If you have one good random number you have multiple.  An HD wallet is an example of that.
legendary
Activity: 1792
Merit: 1121
July 23, 2014, 09:54:44 PM
#8
I'd like to minimize the number of cards. It could make a difference if more than a few high quality keys are needed.
A deck of cards has 52 cards, so you are saving... 9 cards. Is all that hassle worth it to make the deck a few mm thinner and a few grams lighter?

This comparison is not fair, as a permutation of 52 cards just gives you 225 bits. You need 58 cards to make it just over 256. So 15 cards, or 25%, is saved. It also means 25% of the time is saved in recording the results. If you need many good random numbers, that would make a difference.
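
The card counts quoted in this thread (41 cards for 160 bits, 58 for 256, 31 drawn from 52 with or without Jokers) can be checked, and a recorded draw turned into key bytes, with a short script. This is an added example, not code from any poster; the 0..n-1 card numbering, the function names and the rejection step used for unbiased truncation are assumptions of the example.

```python
import math

def perm_bits(n, k=None):
    """Entropy in bits of an ordered draw of k cards from n distinct cards."""
    k = n if k is None else k
    return math.log2(math.perm(n, k))

def min_deck(target_bits):
    """Smallest deck whose full shuffle (n!) covers 2**target_bits."""
    n = 1
    while math.factorial(n) < 1 << target_bits:
        n += 1
    return n

def min_draw(n, target_bits):
    """Smallest k with nPk >= 2**target_bits, or None if the deck is too small."""
    for k in range(1, n + 1):
        if math.perm(n, k) >= 1 << target_bits:
            return k
    return None

def rank_draw(draw, n):
    """Map an ordered draw of distinct cards (numbered 0..n-1) to a unique
    integer in [0, nPk). Raises ValueError on a duplicate or unknown card."""
    remaining = list(range(n))
    rank = 0
    for i, card in enumerate(draw):
        idx = remaining.index(card)      # position among cards not yet drawn
        rank = rank * (n - i) + idx      # mixed-radix digit, base n - i
        remaining.pop(idx)
    return rank

def draw_to_key(draw, n, bits):
    """Return `bits` unbiased bits as bytes, or None if the draw must be redone.
    Ranks at or above the largest multiple of 2**bits are rejected so that the
    reduction mod 2**bits stays uniform; a draw with too little entropy
    (nPk < 2**bits) is always rejected."""
    total = math.perm(n, len(draw))
    limit = (total >> bits) << bits
    rank = rank_draw(draw, n)
    if rank >= limit:
        return None
    return (rank % (1 << bits)).to_bytes((bits + 7) // 8, "big")

if __name__ == "__main__":
    sample = list(range(51, 20, -1))     # constructed draw of 31 cards, not a real shuffle
    print(round(perm_bits(52), 2), min_deck(160), min_deck(256), min_draw(52, 160))
    key = draw_to_key(sample, 52, 160)
    print(key.hex() if key else "rejected: reshuffle and draw again")
```

For 52P31 the rejection branch fires for roughly 7% of draws, because 52P31 is only about 2^160.11.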
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
July 23, 2014, 04:00:06 PM
#7
Less efficient, but set membership is a bit harder to screw up:

Take N distinct cards, permute them at random (shake in a bag if you like), separate into two groups— you now have N bits (which set they ended up in).

This has a nice property that you can use it for ultra-fast key agreement: take a $2 drugstore pack of playing cards, shuffle well.. give the other person the other half. Nearly instant, computer free, minimal preparation, 52-bit shared secret.

They should use that in a movie somewhere.
staff
Activity: 4326
Merit: 8951
July 23, 2014, 02:47:36 PM
#6
Less efficient, but set membership is a bit harder to screw up:

Take N distinct cards, permute them at random (shake in a bag if you like), separate into two groups— you now have N bits (which set they ended up in).

This has a nice property that you can use it for ultra-fast key agreement: take a $2 drugstore pack of playing cards, shuffle well.. give the other person the other half. Nearly instant, computer free, minimal preparation, 52-bit shared secret.
sr. member
Activity: 462
Merit: 250
Lux e tenebris
July 23, 2014, 02:18:42 PM
#5
It's a brilliant educational tool, though, in the family or the classroom.
legendary
Activity: 2058
Merit: 1462
July 23, 2014, 01:49:46 PM
#4
I'd like to minimize the number of cards. It could make a difference if more than a few high quality keys are needed.
A deck of cards has 52 cards, so you are saving... 9 cards. Is all that hassle worth it to make the deck a few mm thinner and a few grams lighter?
legendary
Activity: 1792
Merit: 1121
July 23, 2014, 11:28:58 AM
#3
Aren't you overthinking it?

Deck of cards ~226 bits of entropy.  You can buy one in just about any store.
Make your own four sided deck ~262 bits of entropy.

Both are (way) beyond brute force.  The first is simple and straightforward.  The latter requires constructing your own deck and a two-dimensional shuffle.

I'd like to minimize the number of cards. It could make a difference if more than a few high quality keys are needed.

donator
Activity: 1218
Merit: 1080
Gerald Davis
July 23, 2014, 10:07:53 AM
#2
Aren't you overthinking it?

Deck of cards ~226 bits of entropy.  You can buy one in just about any store.
Make your own four sided deck ~262 bits of entropy.

Both are (way) beyond brute force.  The first is simple and straightforward.  The latter requires constructing your own deck and a two-dimensional shuffle.
