
Topic: How to significantly decrease the randomness of your newly generated seed phrase - page 2. (Read 548 times)

legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
I think the sequence of picking the dice will have a significant effect on the entropy, but there is a decent cushion before you'll really endanger the user's funds. You can only truly achieve 256 bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.
Theoretically, a biased sequence of picking the dice after a single roll could drastically decrease entropy and therefore lead to a loss of funds. Let us assume that a potential newcomer has no idea about how exactly a seed phrase is generated and why the degree of disorder is so important when calculating a given phrase. In my opinion, an average user doesn't necessarily need to know all this; otherwise, we will never see widely adopted bitcoin. Anyway, he or she just purchased their first ColdCard hardware wallet and also a set of dice, for whatever reason. Later, they found an interesting option in it, which is manual wallet generation via dice rolls. It sounds cool and familiar: it is like a game. They tossed their 100 dice at once, and then they need to insert these numbers into their wallet. The problem is they don't know in which sequence to count the dice.

They asked ColdCard developers and got an answer:

The sequence doesn't matter, you must be paranoid if you ask this!

They counted their dice the way they saw fit and got a random number: 111111111111122222222222222222233333333333333333333344444444444444444444444444444555555555555555555555555......6666666666666666

They inserted that number and generated a seed phrase.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
In general, does it enter into the calculation of the expected value[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).

If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.

[1] How To Calculate Expected Value (Worked Examples)
What does expected value have to do with the generation of entropy, though? Each of the dice has an equal chance of landing on each of the faces. The expected value shouldn't matter since you're not calculating the average value of the dice nor anything similar.

Each unbiased dice roll will provide a certain and fixed amount of entropy because it is truly random. For example, if the 5th value is 6 in the first set of 100 and the 5th value is 5 in the second set, the resultant seed will be different. For someone to crack this, they'll have to land the dice at exactly the same values for 100 consecutive times, with the same permutation. This would be a pretty near impossible feat, giving the user 256 bits of entropy.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Sounds cool, but honestly I would rather use a CSPRNG library or /dev/urandom from my terminal.

Code:
cat /dev/urandom | xxd -l 16 -p
Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?

I've seen a few news items about RNG sabotage at the library or programming language level (mainly JavaScript), but never at the OS level.
After all, if you could sabotage the OS, which requires superuser/root, there are more practical ways to steal/intercept one's data.

But at least there are a few vulnerabilities concerning the RNG in the Linux kernel:
https://www.cvedetails.com/cve/CVE-2009-3238/
https://www.cvedetails.com/cve/CVE-2007-4311/
https://www.cvedetails.com/cve/CVE-2018-1108/
legendary
Activity: 2744
Merit: 4065
I think it is bad (it decreases the randomness) even if the dice are not biased, let alone a single throw of dice that may be biased.

In general, does it enter into the calculation of the expected value[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).

If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.

[1] How To Calculate Expected Value (Worked Examples)

legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Sounds cool, but honestly I would rather use a CSPRNG library or /dev/urandom from my terminal.

Code:
cat /dev/urandom | xxd -l 16 -p
Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?

I think using dice rolls to generate entropy is not that bad of an idea, especially when the point of it is to ensure that the ColdCard isn't tampering with the seeds. Given that the keypad only has space for numerical characters, using dice rolls to generate entropy for a ColdCard wallet is probably the only way for the user to be sure that the RNG of the ColdCard isn't compromised.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
It is.

To calculate entropy, we'll have to use log2 (6) - log base 2 of 6.

That gives us an entropy of approximately 2.58496250072 bits per dice roll. 128 bits of entropy should be enough, which would require at least 50 dice rolls to reach. When you have 100 dice, you can probably pick around 50 biased dice and still end up with 128 bits of entropy.

The choice of words and the phrasing could be misleading, and it would help if they pointed this out on the packaging of the dice. I think the sequence of picking the dice will have a significant effect on the entropy, but there is a decent cushion before you'll really endanger the user's funds. You can only truly achieve 256 bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.
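A worked check of the numbers in the post above (bits per roll, rolls needed for 128 and 256 bits) and of the ordering problem raised earlier in the thread (reading 100 dice off in a chosen order, e.g. sorted by face). This is an added example in Python, not Coldcard's code and not code from any poster. The base-6 packing of rolls into an integer, the fair-roll simulation via `secrets`, and the helper names are assumptions for illustration; how Coldcard actually combines the roll string into a seed is not stated on this page.

```python
"""Entropy bookkeeping for dice-generated seeds (illustrative, not wallet code)."""
import math
import secrets
from itertools import product

FACES = 6
BITS_PER_ROLL = math.log2(FACES)  # ~2.585 bits for one fair six-sided die


def entropy_bits(n_rolls, faces=FACES):
    """Entropy of n independent fair rolls recorded in a fixed, pre-agreed order."""
    return n_rolls * math.log2(faces)


def rolls_needed(target_bits, faces=FACES):
    """Smallest number of fair rolls whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(faces))


def sorted_order_entropy_bits(n_dice, faces=FACES):
    """Entropy left when n dice thrown at once are read off sorted by face value.

    Sorting throws the order away, so only the multiset of faces survives.
    The number of multisets of size n over `faces` values is
    C(n + faces - 1, faces - 1) (stars and bars).
    """
    return math.log2(math.comb(n_dice + faces - 1, faces - 1))


def count_distinct_sorted(n_dice, faces=FACES):
    """Brute-force cross-check of the multiset count; only feasible for small n."""
    outcomes = product(range(1, faces + 1), repeat=n_dice)
    return len({tuple(sorted(o)) for o in outcomes})


def parse_roll_string(s):
    """Turn a digit string such as '1112...6' into a list of faces (ignores other chars)."""
    return [int(ch) for ch in s if ch in "123456"]


def rolls_to_int(rolls, faces=FACES):
    """Pack a roll sequence into an integer as base-6 digits, most significant first.

    Assumed packing for illustration only; a real wallet may hash the roll
    string instead. Either way the entropy bound above still applies.
    """
    value = 0
    for r in rolls:
        if not 1 <= r <= faces:
            raise ValueError(f"invalid die face: {r}")
        value = value * faces + (r - 1)
    return value


def roll_fair(n_rolls, faces=FACES):
    """n fair rolls drawn from the OS CSPRNG; secrets.randbelow is unbiased."""
    return [secrets.randbelow(faces) + 1 for _ in range(n_rolls)]


if __name__ == "__main__":
    print(f"bits per fair roll:          {BITS_PER_ROLL:.3f}")
    print(f"rolls for 128 bits:          {rolls_needed(128)}")
    print(f"rolls for 256 bits:          {rolls_needed(256)}")
    print(f"100 rolls in fixed order:    {entropy_bits(100):.1f} bits")
    print(f"100 dice read off sorted:    {sorted_order_entropy_bits(100):.1f} bits")
    print(f"brute-force check, 4 dice:   {count_distinct_sorted(4)} == {math.comb(9, 5)}")
    packed = rolls_to_int(roll_fair(100))
    print(f"bit length of packed rolls:  {packed.bit_length()}")
```

The sorted-order figure is the one to notice: 100 dice counted in face order leave roughly 26.5 bits, about 96 million candidates, which is a trivial brute-force target, whereas the same 100 dice recorded one at a time in the order they were rolled carry about 258 bits. Any reading order the user can reproduce from the pile's appearance (largest first, by colour, by position after nudging them into rows) sits somewhere between those two numbers, and the attacker only needs to guess the rule, not the dice.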
legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
Here is an interesting tweet from ColdCard I've come across recently:


https://twitter.com/COLDCARDwallet/status/1334210450947534850

It is an advertisement for the new product "Dice set," with which to generate a random 256-bit number to create a seed phrase for your Coldcard and which is now available in the Coinkite store. https://store.coinkite.com/store/dice-100

According to Coldcard's tweet, it is now easier to generate a seed with dice rolls because you don't have to toss dice 100 times if you can toss 100 dice once instead.

In my opinion, this information is misleading, and users may end up losing their funds because of weak entropy!

You won't get a truly random number when tossing 100 dice at once, for two reasons. Firstly, the sequence in which to count the dice after a toss is unknown, meaning that it is up to you to decide. Human decisions lead to a decrease in entropy since humans are bad at randomness. Secondly, given that all dice are of the same color, the sequence cannot be determined beforehand. Both factors clearly tell us that buying 100 dice doesn't make sense and is even harmful.

What do you think?
