Topic: How can you verify the randomness that's coming from a hardware? (Read 1657 times)

sr. member
Activity: 1190
Merit: 469
I'm not going to get into this argument again, but I cannot fathom why you are so hell bent on using untested, biased, and insecure methods of generating entropy when everyone is repeatedly telling you it is a bad idea.
i'm not trying to get you into an argument again. but it is not untested since i've tested it. it may or may not have bias but it has significantly more entropy than 256 bits in the first place. so a little bias probably won't do any harm. it is not insecure. remember, i am doing it. you're not doing it. so you don't understand it. you just think you do. your philosophy is somewhat understandable but it does tend to seem to stand in the way of doing something that maybe no one has ever done before. i'd rather do something like that than try and invent a wheel that already existed. i didn't invent everything but i'm putting the pieces of the puzzle together. and that's pretty cool. now i have to get back to my python program that seems to have a bug in it since my generated private key seems a bit too large. Shocked


Any string you generate by manually picking 0s and 1s. It might be safe enough that your coins aren't stolen, but it will not have 256 bits of entropy and it will definitely be less safe than a properly generated string.
ok cool.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Quote
If you've never heard of Foundation Devices, you may be interested in my review of their first device; review for the latest generation is going to be posted very very soon, as well in the Hardware Wallet section.
you did an AMAZING job with the review but $299 is way outside of what I consider reasonable no matter how many features it has. it would have to be able to mine bitcoin at a profit to make me even consider it. Angry
I found it too expensive, as well - it was just an example of a fully open-source hardware device.
And nobody even cloned it yet, even though it costs $299 and should be relatively cheap to reproduce! Wink

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
When in doubt, you could of course apply the system where BW means B, WB means W, and BB or WW means ignore, but that means you'll have to eat at least 3 times more candy.
Manchester encoding?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
When in doubt, you could of course apply the system where BW means B, WB means W, and BB or WW means ignore, but that means you'll have to eat at least 3 times more candy.

You should also put the candies back into the bag
Absolutely Barbaric
legendary
Activity: 2268
Merit: 18771
Well that's why I don't rely on that method but anyhow, I got my bingo machine thing working. That, along with maybe dice and flipping a coin is all i ever need.
I'm not going to get into this argument again, but I cannot fathom why you are so hell bent on using untested, biased, and insecure methods of generating entropy when everyone is repeatedly telling you it is a bad idea.

can you give me an example of such a string that would not be safe that no one has ever generated before?
Any string you generate by manually picking 0s and 1s. It might be safe enough that your coins aren't stolen, but it will not have 256 bits of entropy and it will definitely be less safe than a properly generated string.
sr. member
Activity: 1190
Merit: 469
Quote
That's why I'd prefer to buy a device with open-source hardware.
then why not get the onerng. https://onerng.info/ you got something against it? seems like it checks off all your boxes. i doubt anything else comes close.
That looks very good, indeed! I wasn't aware of it; might even pick one up (even though I don't need a secure RNG right now).
I'd seen it before but i didn't appreciate all that it has to offer at the time. Now i can appreciate it more fully since there's not a lot of comparable devices out there. plus the price seems very reasonable. even though i wish it was easier to get as in a domestic shipper inside the usa. apparently it would come from china so overseas shipping. not sure how much that is or how long it takes. but from my experience on ebay, things from china can come pretty fast. for small stuff. maybe you can do a review for us on this thing once you get it. Grin

Quote
If you've never heard of Foundation Devices, you may be interested in my review of their first device; review for the latest generation is going to be posted very very soon, as well in the Hardware Wallet section.
you did an AMAZING job with the review but $299 is way outside of what I consider reasonable no matter how many features it has. it would have to be able to mine bitcoin at a profit to make me even consider it. Angry

Quote
I'd like to also mention https://betrusted.io/; they built the fully open-source Precursor so far.
Completely open-source to the very last detail.

a handheld device that costs almost $600. i guess it has its use cases but not for any average crypto user it doesn't.

Quote
Your brain won't select those 0s and 1s fully at random. It will unknowingly introduce patterns that decrease the entropy, i.e. how random your randomness really is.

Well that's why I don't rely on that method but anyhow, I got my bingo machine thing working. That, along with maybe dice and flipping a coin is all i ever need.

Quote from: o_e_l_e_o
Another analogy. I'm simply saying that although you might generate a unique string that no one has generated before, it doesn't mean that string is safe or secure.
can you give me an example of such a string that would not be safe that no one has ever generated before? you might be surprised that it's not as easy as you think. but give it a try. i'll be the judge. Grin
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Quote
That's why I'd prefer to buy a device with open-source hardware.
then why not get the onerng. https://onerng.info/ you got something against it? seems like it checks off all your boxes. i doubt anything else comes close.
That looks very good, indeed! I wasn't aware of it; might even pick one up (even though I don't need a secure RNG right now).

Quote
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.
never heard of foundation devices before you mentioned them. but i'd say these are the exception rather than the rule. then you have to ask yourself, why.
It might be easier to make money off a closed source product in the current market, where most things are closed, too.

Fortunately, open source licenses have this clause that usually requires derivatives to be open, as well. This means if you want to use Trezor's tried and tested, ancient Bitcoin crypto library, your product (firmware at least) must be open-source too, allowing Trezor and anyone else to profit from your additions and innovations, to then further innovate themselves.

If you've never heard of Foundation Devices, you may be interested in my review of their first device; review for the latest generation is going to be posted very very soon, as well in the Hardware Wallet section.

I'd like to also mention https://betrusted.io/; they built the fully open-source Precursor so far.
Completely open-source to the very last detail.

why would it be "extremely difficult"? give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Your brain won't select those 0s and 1s fully at random. It will unknowingly introduce patterns that decrease the entropy, i.e. how random your randomness really is.

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
You can significantly improve Loyce's system by counting and verifying an equal number of both colors (adjusting if necessary). You should also put the candies back into the bag after randomly drawing them and writing down B / W.
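The "BW means B, WB means W, BB or WW means ignore" rule from Loyce's candy post, together with the put-them-back refinement above, is John von Neumann's classic debiasing extractor. The Python below is an added illustration, not code from any poster: it builds a constructed, deliberately unbalanced bag (30 black, 70 white), draws from it both ways, and shows that the raw draws carry the bag's bias while the paired output does not. The price is roughly 1/(2p(1-p)) pairs per output bit, about 2.4 pairs (nearly five candies) per bit for a 30/70 bag, and never fewer than two pairs per bit even for a perfect bag.

```python
import random
from collections import Counter

# Constructed bag, deliberately unbalanced like the Zwartwitjes in the thread:
# 30 black ('B') and 70 white ('W') candies.
BAG = ['B'] * 30 + ['W'] * 70


def draw_without_replacement(bag, rng):
    """Loyce's scheme: draw one, write it down, eat it, repeat until the bag is empty.
    Returns the full sequence of colours in the order drawn."""
    remaining = list(bag)
    drawn = []
    while remaining:
        drawn.append(remaining.pop(rng.randrange(len(remaining))))
    return drawn


def draw_with_replacement(bag, rng, n):
    """The refinement from the thread: put the candy back after writing it down,
    so every draw sees the same bag. The draws are then independent and
    identically distributed, even though the bag itself is biased."""
    return [rng.choice(bag) for _ in range(n)]


def von_neumann(draws):
    """'BW means B, WB means W, BB or WW means ignore': von Neumann's debiasing
    extractor over non-overlapping pairs. A pair yields a bit only when the two
    draws differ. For any fixed bias p, P(BW) = P(WB) = p(1-p), so the output
    bits are unbiased. Returns 0 for B and 1 for W."""
    bits = []
    for a, b in zip(draws[0::2], draws[1::2]):
        if a != b:
            bits.append(0 if a == 'B' else 1)
    return bits


def expected_pairs_per_bit(p):
    """A pair survives with probability 2p(1-p); this is the mean number of pairs
    (twice as many candies) needed per output bit. The minimum is 2 at p = 0.5."""
    return 1.0 / (2.0 * p * (1.0 - p))


def fraction_of(seq, symbol):
    """Share of `symbol` in `seq` (0.0 for an empty sequence)."""
    return Counter(seq)[symbol] / len(seq) if seq else 0.0


def demo(seed=7, n_draws=20000):
    """Run both drawing schemes and the extractor; returns the key figures."""
    rng = random.Random(seed)
    eaten = draw_without_replacement(BAG, rng)
    raw = draw_with_replacement(BAG, rng, n_draws)
    bits = von_neumann(raw)
    return {
        'eaten_is_permutation': sorted(eaten) == sorted(BAG),  # every candy drawn exactly once
        'raw_black_share': fraction_of(raw, 'B'),             # ~0.30: the bag's bias shows through
        'debiased_zero_share': fraction_of(bits, 0),          # ~0.50: the bias is gone
        'bits_per_candy': len(bits) / n_draws,                # ~0.21 for a 30/70 bag
        'expected_pairs_per_bit': expected_pairs_per_bit(0.3),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Drawing without replacement does not break the pair rule itself (given the bag's current contents, black-then-white and white-then-black are equally likely), but it does make the raw, undebiased draws drift, which is why putting the candies back matters if anyone is tempted to skip the pairing step.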
legendary
Activity: 1820
Merit: 2700
Crypto Swap Exchange
Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink

Yeah. From the looks of it, whites appear to outnumber blacks significantly - so it wouldn't be an effective entropy source at all.  Cheesy
I do agree with the "less boring" part, though.
legendary
Activity: 2268
Merit: 18771
They're going to think a bit about it before just blurting out "777777777777777777777777777777".
I am making analogies, not literal comparisons, which you seem to be misunderstanding.

The point of these analogies is that human behavior is not random. You might think you are being random, but you aren't. Not truly. This has been studied and proven.

So think about that. 000 and 111 will happen a lot.
So obviously one needs to understand a little about what is the norm. Then go from there.
Which makes things even less random. Now you are thinking "I know that statistically I "should" have a run of 5 of the same at some point. I've not done that yet, so let's put that in now. Ok. Now we'll do a few much shorter runs of just 1 or 2 the same, because you probably wouldn't have 5 the same immediately followed by another 5 the same. Ok. What next?" And so on and so forth. This is not random. Not even close to it.

But there's a difference. your unique string has been published so that anyone in the world can get a copy of it. mine wouldn't have since I just generated it out of my head.
Another analogy. I'm simply saying that although you might generate a unique string that no one has generated before, it doesn't mean that string is safe or secure.

If humans did not behave randomly (and unpredictably) then the stock market would be a science. Even with bitcoin, no one knows what the price is going to do. Why is that? because we don't know what people are going to do. their behavior is random. completely random. some of them buy, some sell. the overall result of that is anyone's guess.
The final collective result of the behavior of a group of distinct and disconnected individuals is in no way comparable to a single person picking 0s and 1s.

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
For example, if the bits make up the ASCII sequence "this is random" it definitely is not random.
If you generate enough random 14-character sequences, you'll find it eventually Wink

If you say to pick a number between 1 and 10, 7 is by far the most common.
These sources say 3 or 7. The interesting part is they're both prime numbers. Reddit shows 7 as a clear winner (28%).

While eating Zwartwitjes with the kids, I thought of a way to create random numbers:
[image: the bag of Zwartwitjes]
Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
sr. member
Activity: 1190
Merit: 469
give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Maybe not, but that doesn't mean the string you produce will be random.
it's not like a book where you just take out some sentence from it and hash it. just waiting to be discovered.

Quote
Studies have consistently and repeatedly shown that humans are bad at both generating and perceiving randomness. If you say to pick a number between 1 and 10, 7 is by far the most common.

Asking someone to pick a random number between 1 and 115792089237316195423570985008687907852837564279074904382605163141518161494337 is different than telling them to pick a number in that range that no one else would ever guess. Or be able to find. And if they did, they would lose all their money. They're going to think a bit about it before just blurting out "777777777777777777777777777777".

Quote
If you say to write down a random series of coin flips (which is the same as writing down a binary number), we consistently avoid runs of the same result (HHH/TTT/111/000) since these are perceived as being "less likely".
They are certainly less likely than HH or TT but the thing is, in some random bitcoin private key you're going to see 00000 and 11111 you might even see larger length repeats. So think about that. 000 and 111 will happen a lot.

Example (I don't know how this bitcoin private key was generated but I'm sure it was probably done using software, as most of them are):

1011100000111010000010110010011011011000111110111100001001100011101000011110011010101000001111111110101101110100111100110011010101001000011010000110100001011011110101010010000100 1100000101100110000100100111000110100010010111110111011010111011010001001100

So obviously one needs to understand a little about what is the norm. Then go from there.

Quote
A unique string is not necessarily a random string, nor is a unique string necessarily a secure string. I could generate a brain wallet using the first line of text from a Shakespearean play which had never been used before. My brain wallet might be unique, but any coins I deposit on it would likely be stolen.
But there's a difference. your unique string has been published so that anyone in the world can get a copy of it. mine wouldn't have since I just generated it out of my head.


Quote from: BlackHatCoiner
Because, humans aren't random number generators. What is randomness? Complete lack of determinism. If something can be accurately predicted, it's not random. A cryptographically secure random number generator comes with more unknown variables to predict, in comparison with a human brain.
If humans did not behave randomly (and unpredictably) then the stock market would be a science. Even with bitcoin, no one knows what the price is going to do. Why is that? because we don't know what people are going to do. their behavior is random. completely random. some of them buy, some sell. the overall result of that is anyone's guess.

Quote
Begin writing. What's the first binary value, and why? You might think there isn't a reason you chose 0 (e.g.) but there is quite likely a reason you don't know.
Well I wouldn't be able to tell you "why". There is no justification of why. it is just what I wanted it to be. At the particular moment in time. Just like all the remaining 255 bits. There doesn't have to be a reason why. There is no way to say why. With that said, I have actually done this procedure of writing down a private key but in hex not binary. I would be confident enough to use it. Enough said. Grin
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
why would it be "extremely difficult"?
Because, humans aren't random number generators. What is randomness? Complete lack of determinism. If something can be accurately predicted, it's not random. A cryptographically secure random number generator comes with more unknown variables to predict, in comparison with a human brain.

give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Begin writing. What's the first binary value, and why? You might think there isn't a reason you chose 0 (e.g.) but there is quite likely a reason you don't know.
legendary
Activity: 2268
Merit: 18771
give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Maybe not, but that doesn't mean the string you produce will be random. Studies have consistently and repeatedly shown that humans are bad at both generating and perceiving randomness. If you say to pick a number between 1 and 10, 7 is by far the most common. If you say to write down a random series of coin flips (which is the same as writing down a binary number), we consistently avoid runs of the same result (HHH/TTT/111/000) since these are perceived as being "less likely".

A unique string is not necessarily a random string, nor is a unique string necessarily a secure string. I could generate a brain wallet using the first line of text from a Shakespearean play which had never been used before. My brain wallet might be unique, but any coins I deposit on it would likely be stolen.
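o_e_l_e_o's point that people avoid runs like 000/111, and the "you're going to see 00000 and 11111" reply further up, can both be checked with arithmetic instead of intuition. The Python below is an added example, not anything a poster wrote: it counts exactly how many n-bit strings have no run of length k or more, turns that into the probability that uniformly random bits would look like a given string, and flags strings whose longest run is implausibly short (the typical hand-written pattern) or implausibly long. `PAGE_KEY` is the binary string quoted in the thread with its whitespace removed; `HAND_WRITTEN` is a constructed stand-in for a key written by someone who never lets a run exceed two.

```python
from fractions import Fraction

# The binary string quoted in the thread as an example private key (whitespace removed).
PAGE_KEY = (
    "1011100000111010000010110010011011011000111110111100001001100011101000011110011010101000001111111110101101110100111100110011010101001000011010000110100001011011110101010010000100"
    "1100000101100110000100100111000110100010010111110111011010111011010001001100"
)

# Constructed stand-in for a hand-written key: runs never longer than 2.
HAND_WRITTEN = "0110" * 64


def run_lengths(bits):
    """Lengths of the maximal runs of identical symbols, in order of appearance."""
    runs = []
    prev = None
    for b in bits:
        if b == prev:
            runs[-1] += 1
        else:
            runs.append(1)
            prev = b
    return runs


def longest_run(bits):
    return max(run_lengths(bits), default=0)


def count_longest_run_below(n, k):
    """Number of n-bit strings whose longest run is shorter than k.
    Choose the first run's symbol (2 ways); after that the string is fixed by
    how n splits into consecutive run lengths, each between 1 and k-1."""
    if n == 0:
        return 1
    g = [0] * (n + 1)
    g[0] = 1
    for m in range(1, n + 1):
        g[m] = sum(g[m - j] for j in range(1, k) if m - j >= 0)
    return 2 * g[n]


def prob_longest_run_below(n, k):
    """Exact probability that n uniformly random bits contain no run of length k or more."""
    return Fraction(count_longest_run_below(n, k), 2 ** n)


def assess(bits, alpha=0.001):
    """Compare the observed longest run with what uniform bits would produce.
    Flags the string if uniform bits would match its longest run (or shorter)
    with probability < alpha, or would reach a run that long with probability < alpha."""
    n, L = len(bits), longest_run(bits)
    p_at_most = prob_longest_run_below(n, L + 1)       # P(longest run <= L)
    p_at_least = 1 - prob_longest_run_below(n, L)      # P(longest run >= L)
    if p_at_most < alpha:
        return "too few long runs"
    if p_at_least < alpha:
        return "runs too long"
    return "plausible"


if __name__ == "__main__":
    print("P(no run of 5 or more in 256 uniform bits) =", float(prob_longest_run_below(256, 5)))
    for name, s in [("thread key", PAGE_KEY), ("hand-written", HAND_WRITTEN), ("all zeros", "0" * 256)]:
        print(f"{name}: longest run {longest_run(s)} -> {assess(s)}")
```

The exact figure for 256 bits is about one in ten thousand: a "random" 256-bit key with no run of five or more is far more likely to be the product of a brain than of a coin, which is what the quoted study results predict.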
sr. member
Activity: 1190
Merit: 469
When ordering from Amazon, there is a lot of trash to be honest. It's possible that you get a device that just uses a rand() C function on a microcontroller or something.
Worst-case even just spitting out numbers deterministically and not uniformly random.

Well, to be fair, I was talking about legitimate usb devices. Unlike say the flash drive market where fakes are all over the place I don't think that's the case for this type of device and the reason is simple. The market is small.


Quote
That's why I'd prefer to buy a device with open-source hardware.

then why not get the onerng. https://onerng.info/ you got something against it? seems like it checks off all your boxes. i doubt anything else comes close.

Quote
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.
never heard of foundation devices before you mentioned them. but i'd say these are the exception rather than the rule. then you have to ask yourself, why.


Quote from: bkelly13
So: As has been said, you must understand the hardware and software used to produce the number.  A difficult task.  Many have written words to the effect:  Don't try to generate a random number on your own.  It is extremely difficult.  When your number is not random, you won't know it until your coins are gone.
why would it be "extremely difficult"? give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
member
Activity: 76
Merit: 35
Referring to the OP and writing from a smidgen of mathematics knowledge:
In here, talking about random, usually means a private key, 256 random bits.  Now think of them as a pattern.  a 256 bit long pattern.

Some, even many, patterns can be proven to not be random.  For example, if the bits make up the ASCII sequence "this is random" it definitely is not random.
But, it is almost impossible to prove randomness.  There may always be one more way to look at the number to find it not random.

So: As has been said, you must understand the hardware and software used to produce the number.  A difficult task.  Many have written words to the effect:  Don't try to generate a random number on your own.  It is extremely difficult.  When your number is not random, you won't know it until your coins are gone.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Quote
That just confirms that this is a good circuit. Tongue
I would imagine all such usb devices use that technology in some way. They're definitely not sampling radioactive decay or something right?
When ordering from Amazon, there is a lot of trash to be honest. It's possible that you get a device that just uses a rand() C function on a microcontroller or something.
Worst-case even just spitting out numbers deterministically and not uniformly random.

That's why I'd prefer to buy a device with open-source hardware.

Quote
I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
Because they want to be a bit cryptic about how exactly their device works. They don't want people to build one themselves necessarily. Smiley
You'd pay for the convenience of not spending hours on a new project and probably having to debug it as well.
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.

Quote
It would be good if these devices came with schematics and board files to verify the circuit more easily.
yeah there's no way that's happening with something like TrueRNG.

Quote
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do
They don't want you doing that. No one wants someone doing that to their product? The reason is simple. if you could do that, you could just build the thing yourself. and don't need to buy it from THEM.
See my comment above. Wink
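The worry that a cheap USB stick might just run rand() on a microcontroller, and bkelly13's point that you can prove a number is not random but never that it is, both show up in the kind of health test NIST SP 800-90B expects an entropy source to run on its own output. Below is an added Python example, not any poster's code and not a 90B reference implementation: the two 90B continuous tests (Repetition Count Test and Adaptive Proportion Test) with their cutoffs derived from the claimed entropy rather than copied from a table, plus a most-common-value min-entropy estimate. The three input streams are constructed: a stuck source, a skewed source, and a plain byte counter. The counter passes every test with an apparently perfect 8 bits per byte, which is exactly the limit bkelly13 describes: tests like these catch gross failures, they never certify randomness, and that is what the schematic-review steps quoted above are for.

```python
import math
import os
from collections import Counter
from fractions import Fraction


def rct_cutoff(h_claimed_bits, alpha=2 ** -20):
    """Repetition Count Test cutoff (SP 800-90B section 4.4.1):
    C = 1 + ceil(-log2(alpha) / H), where H is the min-entropy per sample the
    source claims. A source that really has H bits repeats a value C times in a
    row with probability at most alpha."""
    return 1 + math.ceil(-math.log2(alpha) / h_claimed_bits)


def apt_cutoff(window, h_claimed_bits, alpha=2 ** -20):
    """Adaptive Proportion Test cutoff (SP 800-90B section 4.4.2), derived from
    the exact binomial tail: the most likely symbol of a source with min-entropy
    H has probability p = 2^-H, so take the smallest C with
    P(X >= C) <= alpha for X ~ Binomial(window, p)."""
    p = Fraction(1, 2 ** h_claimed_bits)
    alpha = Fraction(alpha)
    tail = Fraction(0)
    for c in range(window, -1, -1):          # accumulate P(X >= c) from the top down
        tail += math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if tail > alpha:
            return c + 1
    return 1


def repetition_count_test(samples, cutoff):
    """Pass (True) unless some value appears `cutoff` or more times consecutively."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples, window, cutoff):
    """Pass (True) unless, in some non-overlapping window, the window's first
    value occurs `cutoff` or more times (the first occurrence counts)."""
    for start in range(0, len(samples) - window + 1, window):
        chunk = samples[start:start + window]
        if chunk.count(chunk[0]) >= cutoff:
            return False
    return True


def mcv_min_entropy(samples):
    """Most-common-value estimate of min-entropy per sample: -log2 of the largest
    observed frequency. An optimistic estimate, never a proof of randomness."""
    top = max(Counter(samples).values())
    return -math.log2(top / len(samples))


def health_check(samples, h_claimed_bits=8, window=512):
    """Run both 90B continuous tests plus the MCV estimate on 8-bit samples
    (90B uses a 512-sample window for non-binary sources)."""
    return {
        "rct": repetition_count_test(samples, rct_cutoff(h_claimed_bits)),
        "apt": adaptive_proportion_test(samples, window, apt_cutoff(window, h_claimed_bits)),
        "mcv_min_entropy": mcv_min_entropy(samples),
    }


# Constructed sample streams, 4096 bytes each:
STUCK = bytes([0x41]) * 4096                                                 # a dead source
SKEWED = bytes(0 if i % 20 == 0 else (i % 255) + 1 for i in range(4096))     # one value far too common
COUNTER = bytes(i % 256 for i in range(4096))                                # deterministic, yet "uniform"

if __name__ == "__main__":
    print("RCT cutoff for H=8:", rct_cutoff(8), "| APT cutoff for W=512, H=8:", apt_cutoff(512, 8))
    for name, data in [("stuck", STUCK), ("skewed", SKEWED), ("counter", COUNTER),
                       ("os.urandom", os.urandom(4096))]:
        print(name, health_check(data))
```

Point the same `health_check` at bytes read from a USB device and it will tell you when the device has died or gone heavily skewed; it will say nothing about a device that quietly feeds you a counter or a seeded PRNG, which is why the thread keeps coming back to open schematics.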
member
Activity: 182
Merit: 30
Been running rng on my bitcoin hacking racks for +2 years now, works great

Increased my find of lost bitcoins 2x by using real random numbers and random seeds

https://github.com/room101-dev/Grand-Ultimate-BTC-Hacker

ONERNG I paid $40 usd ebay from czech, but two years ago, but like people here are showing you can roll your own, but unless you're an electronic genius, I would spend the $40, and I'm a hw/sw scientist, so $40 is nothing



Couldn't one of all these hardware wallet companies implement something like that and steal millions of dollars worth of BTC, in just one moment? It would probably be the worst scandal of the crypto space.
Technically could, although there would be no way to prove this as far as I'm aware, so there isn't a way to verify it either. It would be a pretty sophisticated attack though, it reminds me how computer forensics would freeze computers in the past, specifically the ram in order to extract data. Also, I do believe that some programs in the past, which I can't recall right now would give you supposedly random data, i.e. a password generation based on the temperature of the device, and various other things.

I'm not sure how plausible this kind of attack would be though.

In general I would always generate my own keys and NEVER use 3rd party sw, it's just too easy on linux on one command line to generate a real good key that you're certain that nobody on earth knows other than you.

But, HW random number generators have better uses than generating private keys for new wallets, the best use is as seed generators for finding ( hacking ) lost bitcoins

There are 300M used bitcoin addresses, you put them into a 8gb bloom filter and on a GPU card you can do 1 billion cycles per second, so that 8* 10**18 , so you want to make sure your seed is really random while on the hunt; now that is a use for hw random generators such as these devices

I'm fond of RNGONE from czech found on ebay and/or amazon back pre-COVID

https://github.com/room101-dev/Grand-Ultimate-BTC-Hacker

[moderator's note: consecutive posts merged]
sr. member
Activity: 1190
Merit: 469
Well, the zener is the core component, but you need a driver and sampling circuit around it. Did you count the components or the pads? I count roundabout 20 components (~40 pads). The design by betrusted.io even manages to work with 14 components; look how tiny it is.
yeah that one is tiny but i'm sure if I tried to build something like that it's going to be way bigger. think breadboard size. because that's how you would have to get started is by breadboarding it up and seeing if what you constructed works and then once that passes muster, you can solder everything up. gonna be the size of 2.5 inch ssd most likely before you're over and done with it. nothing wrong with that though i guess. bonus points if i don't have to actually understand how the thing works to build it... Grin




Quote
That just confirms that this is a good circuit. Tongue
I would imagine all such usb devices use that technology in some way. They're definitely not sampling radioactive decay or something right?

Quote
I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
Because they want to be a bit cryptic about how exactly their device works. They don't want people to build one themselves necessarily. Smiley

Quote
It would be good if these devices came with schematics and board files to verify the circuit more easily.
yeah there's no way that's happening with something like TrueRNG.

Quote
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do
They don't want you doing that. No one wants someone doing that to their product? The reason is simple. if you could do that, you could just build the thing yourself. and don't need to buy it from THEM.

Plus, presumably they've put in some R and D on the thing with some tweaks to make it better than the old off the shelf github circuit to give their product a competitive advantage in the marketplace.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
we'll grab it as 23.548753℃. what i offer is to use this 0.008753℃. you can't predict it in any way. and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.

I don't know of any temperature sensor driver that exposes the temperature in fractions of a degree.

That is to say, one degree is usually the highest granularity you'll get with tools like lm-sensors and HWinfo/CPU-Z.
member
Activity: 351
Merit: 37
we'll grab it as 23.548753℃. what i offer is to use this 0.008753℃. you can't predict it in any way. and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.

if a $6 chip claims it has this resolution, it means there's one that really has.

I believe the biggest issue with temperature is that it typically increases / decreases gradually; the sequence of numbers coming from the sensor is going to have some inherent bias because of this.

this thing wraps back and forth like 8bit uint. it will do so with and without this gradually thing. it should not have an impact here but i can't say for sure without research
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!

Actually it's not complicated at all. Of course your average Joe won't build his own avalanche noise PCB, but someone with electrical engineering skills should be able to whip a circuit up and order a PCB within an afternoon. It's honestly a simple circuit.
I mean as far as general electronics circuits go, I guess it is simple if you compare it to something like a computer motherboard but that doesn't mean it is simple to understand how it works.
It's not that easy to understand from just a PCB picture, but combining it with the schematic, it gets a lot simpler. A true open-source-hardware device provides all of those files, just like here:
https://github.com/Foundation-Devices/passport-electronics/blob/master/Main%20Board/Documentation/Schematic%20Print/SCH_FD-JL-PCB-MB_E1.PDF

And why it needs so many components to work. I didn't count them all but it looks like around 50 discrete components. I don't understand why it needs that many. I thought just one single zener diode is all you need.
Well, the zener is the core component, but you need a driver and sampling circuit around it. Did you count the components or the pads? I count roundabout 20 components (~40 pads). The design by betrusted.io even manages to work with 14 components; look how tiny it is.

Quote
Trust me, it's not a pain. Foundation Devices have such circuits in their hardware wallets and the USB RNG you linked to, may have the exact same thing inside it, as well.
I think it does:
The TrueRNG Hardware Random Number Generator uses the avalanche effect in a semiconductor junction to generate true random numbers. The avalanche effect has long been used for generation of random number / noise and is a time-tested and proven random noise source.

The cost to buy theirs would probably be less than the cost to try and make one yourself. Not only monetary cost but time costs.
That just confirms that this is a good circuit. Tongue I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
It would be good if these devices came with schematics and board files to verify the circuit more easily.
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do



we'll grab it as 23.548753℃. what i offer is to use this 0.008753℃. you can't predict it in any way. and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.
I believe the biggest issue with temperature is that it typically increases / decreases gradually; the sequence of numbers coming from the sensor is going to have some inherent bias because of this.
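On the temperature idea: the reply above says the trailing decimals may be invented by the driver rather than measured, and that slow drift makes consecutive readings correlated. The Python below is an added example, not code from either poster. It models a sensor whose real step is 1/16 °C (an assumed resolution, typical of a 12-bit digital thermometer; the sine-shaped room-temperature drift is constructed too) but which still prints six decimals, then measures how much the "digits below 0.01 °C" actually vary, and compares that with a hypothetical sensor that really resolved micro-degrees.

```python
import math
from collections import Counter

# Assumed sensor step: 1/16 degC = 62500 micro-degrees (12-bit digital thermometer resolution).
STEP_MICRO = 62500


def true_temperature_micro(i):
    """Constructed slow drift of the real room temperature, in micro-degrees:
    23 degC plus a 0.5 degC sine with a period of roughly 314 samples."""
    return round((23.0 + 0.5 * math.sin(i / 50.0)) * 1_000_000)


def sensor_reading_micro(i, step=STEP_MICRO):
    """What the sensor reports: the real temperature snapped to its resolution,
    still carried with six decimals as in '23.548753'."""
    return round(true_temperature_micro(i) / step) * step


def format_reading(micro):
    """Render like the post: 23548753 -> '23.548753'."""
    return f"{micro / 1_000_000:.6f}"


def low_digits(micro):
    """The part of a reading below 0.01 degC, e.g. 23.548753 -> 8753: the four
    trailing decimals the post proposes to use as entropy."""
    return micro % 10_000


def analyse(readings_micro):
    """How much entropy the trailing decimals of a series of readings really carry."""
    digits = [low_digits(m) for m in readings_micro]
    counts = Counter(digits)
    max_share = max(counts.values()) / len(digits)
    repeats = sum(1 for a, b in zip(digits, digits[1:]) if a == b)
    return {
        "distinct_values": len(counts),                 # out of 10000 possible four-digit values
        "min_entropy_bits": -math.log2(max_share),      # -log2 of the most common value's share
        "repeat_rate": repeats / (len(digits) - 1),     # share of readings equal to the previous one
    }


if __name__ == "__main__":
    readings = [sensor_reading_micro(i) for i in range(2000)]
    print("first readings:", [format_reading(m) for m in readings[:5]])
    print("1/16 degC sensor printed with 6 decimals:", analyse(readings))
    print("hypothetical 1 micro-degC sensor:", analyse([sensor_reading_micro(i, step=1) for i in range(2000)]))
```

With the 1/16 °C step the four trailing digits only ever take the values 0000, 2500, 5000 and 7500, so at most two bits per reading instead of the thirteen the six-decimal print suggests, and because the temperature drifts slowly most readings simply repeat the previous one. A sensor that genuinely resolved micro-degrees would spread the digits out, but the readings would still be correlated from one sample to the next, which is the second objection in the thread.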