Private Key by 256 coin flips | Bitcointalksearch.org

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: BrewMaster on October 25, 2019, 02:50:29 PM

first of all my point is that people should never use a method that they may not understand the risk of. for instance using a coin may sound

secondly when you say "less safe" you should know that it does not mean "not safe". for example there has been millions of bitcoin keys used so far, i bet 99% of them are produced by a computer and an RNG. we only have rare cases where a shitty tool like blockchain.info wallet, etc led to losses due to bad RNG. the decent tools such as bitcoin core, electrum, and lots of others have never had such problems!

I agree that millions of keys were produced by a simple computer's RNG, and these wallets are still alive. For example, where are a lot of stories people mined in 2009-2011 years but lost their private keys on old hard drives and computers. In 2009 there was only one tool - bitcoin application - which generated the address for less than a second based on computer RNG. The first users even did not understand what was the private key - they had only bitcoin addresses showed in the application, private keys were encoded within the wallet.dat file. "Not safe" computer RNG was used or private key generation. Why have that early addreses not hacked yet? The answer is that the numbers in bitcoin are so large that "not safe" randomness "and not perfect entropy" is still enough to safe funds for a long period of time.

BrewMaster

legendary

Activity: 2114

Merit: 1292

There is trouble abrewing

Quote from: Saint-loup on October 24, 2019, 01:06:13 PM

Quote from: BrewMaster on October 24, 2019, 10:28:08 AM

meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

I'm not sure about that, it's well known that computer generated entropy is globally less safe than physical ones, where have you seen the opposite?

first of all my point is that people should never use a method that they may not understand the risk of. for instance using a coin may sound safe but what if the user who was using this method used a biased coin? or messed up entering the results and put more 1s than he should have? or what if he used a bad code that converted things wrong?....

secondly when you say "less safe" you should know that it does not mean "not safe". for example there has been millions of bitcoin keys used so far, i bet 99% of them are produced by a computer and an RNG. we only have rare cases where a shitty tool like blockchain.info wallet, etc led to losses due to bad RNG. the decent tools such as bitcoin core, electrum, and lots of others have never had such problems!

Balthazar

legendary

Activity: 3108

Merit: 1358

Quote from: Dabs on October 25, 2019, 08:32:58 AM

I'm not going out to buy any uranium. I mean, if you already have access to such material, then fine. Otherwise stick to a bunch of dice / coins / cards or any of hundreds of cryptographically secure PRNGs.

I like this one:
http://pwgen-win.sourceforge.net/

Used it awhile back to make random passwords that use Base58check (so they look like bitcoin addresses or private keys).

Uranium ore is available at eBay and the prices are quite reasonable. It's not illegal when people are selling some useless rocks to each other. These are just rocks, literally, and there is nothing dangerous in them. As long as you don't drop them on the people's heads from the balcony, of course.

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

I'm not going out to buy any uranium. I mean, if you already have access to such material, then fine. Otherwise stick to a bunch of dice / coins / cards or any of hundreds of cryptographically secure PRNGs.

I like this one:
http://pwgen-win.sourceforge.net/

Used it awhile back to make random passwords that use Base58check (so they look like bitcoin addresses or private keys).

Devawnm367

full member

Activity: 1022

Merit: 144

Penguin Party 🐟

I do agree that flipping a coin 256 times is very random. In all reality though the odds are only 50% each flip. I feel that with a computuer it would be really easy to come up with the exact outcome pretty easily. That is of course after several tries. As flipping a coin is one of the most random/Not random option there is. It is either going to be A or B. You just have to keep trying until A, and B, match up 250 times! I would rather just type a bunch of letters or wiggle my mouse a few times. I feel the odds of finding it that way would be much harder!

I do like the idea though. I do see how it could be beneficial!

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: Zionatin on October 24, 2019, 06:40:34 PM

-snip-
Alternatively, you can just count 11+ as On or true and 10 or less Off or false. It depends if you want a % ratio or just an on or off like binary code.
-snip-

Actually this way is the same as coin flip - chances are still 50%/50%. It does not matter if you roll d6 dice counting 4-5-6 as "1" and counting 1-2-3 as "0", or roll d20 dice counting 11-20 as "1" and 1-10 as "0" or flip the coin - te chances are still 50%/50%. But if you like a dice - no problem of course )

Quote from: Zionatin on October 24, 2019, 06:40:34 PM

-snip-
I would personally use dice then coins. More random. You could probably achieve the same as 256 coin flips with fewer dice rolls but that is some serious maths stuff and my head is too sore right now.

If I have made a mistake or something is not right just let me know. I'm not 100% sure if I am right about this.

Yes, it is possible to achieve the same with less dice rolls. But for integer calculation it is better to take the dice with the quantity of sides equal to the 2 power.
For example, for d16 dice you need only 64 rolls. The maths is easy: you need to receive 256bits, one d16 roll gives you 4 bits, so the total quantity of rolls is 256/4 = 64.
Why d16 roll gives 4 bits? - because 16 is 2^4, and the possible combinations of one d16 roll are from 0 to F (in HEX), or from 0 to 15 (in DEC), or from 0000 to 1111 (in BIN) - exactly 4 bits.

PS. One d20 roll gives Log2(20) = 4.32bits (not integer number). So, you need 59.233 rolls

Or, you can make 59 rolls by d20 dice to receive almost 255 bits (254.99), and add 1 coin flip ) But better to make 60 rolls and have more bits. Anyway, with d20 dice you need 60 operations. In general, the total quantity of operations with n-outcome physical source is 256/log2(n).

Zionatin

sr. member

Activity: 906

Merit: 262

Wouldn't rolling a d20 dice be even more effective? coins is 1/2 x 256 d20 is 1/20 x 256 you will get your average out of 20 in 5% increments instead of 50% ones with coin flips.
Alternatively, you can just count 11+ as On or true and 10 or less Off or false. It depends if you want a % ratio or just an on or off like binary code.

I would personally use dice then coins. More random. You could probably achieve the same as 256 coin flips with fewer dice rolls but that is some serious maths stuff and my head is too sore right now.

If I have made a mistake or something is not right just let me know. I'm not 100% sure if I am right about this.

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: odolvlobo on October 24, 2019, 04:23:23 PM

-snip-
Suppose, I have a hardware random number generator that tends to set some bits to 1 and some other bits to 0. If the attacker does not know which bits are biased and what their biases are, they have no information that will help them.

You can say that flipping a coin is not truly random, but it is effectively random to the attacker unless they know the exact conditions that were present when the coin was flipped.
-snip-

Agree with you.

Quote from: MrFreeDragon on October 13, 2019, 07:57:36 AM

-snip-
And I beleive that every human flipping a coin makes it in some pseudorandom way because of his habits, physical conditions, etc. And in fact, all these different singularities would add the additional entropy for the key generation process (like one man will make the flips with 51%/49% odds, another with 48%/52% odds, etc

In most cases the attacker will not know the biases. However in case he knows some bits are 52% instead of 50%, this information will not actually help in practice, because the total possible combinations still will tend to a very big number close to 2^256

Balthazar

legendary

Activity: 3108

Merit: 1358

Quote from: MrFreeDragon on October 12, 2019, 05:19:07 PM

Some weeks ago I made a visual tool to create a bitcoin private key. The most secure way for key generation is to flip a physical coin 256 times. I flipped a coin 256 times, and made a video how to create the bitcoin private key with my tool.

Here is the video instruction: https://youtu.be/WyBdYhwweaE

Such a techique is not equivalent of true random generator and all of the resulting keys shouldn't ever be trusted.

Quote from: Saint-loup on October 24, 2019, 08:44:33 AM

It's certainly not perfectly random but it's safer than relying on so called "True Random" Number Generators that can be bugged or having design weaknesses, and are actually just trustful blackboxes.

If you wish a guaranteed and independent entropy then you can buy any uranium mineral and use Geuger counter to make as many random bytes as you want.

I tried this and it worked very well.

https://www.youtube.com/watch?v=00h0_Tq8ThA
https://www.youtube.com/watch?v=vtk1o2Qc0u4
https://www.youtube.com/watch?v=pBdqaxtJFHQ
https://www.youtube.com/watch?v=bmK_MVnli7c

My source code is here:

https://github.com/CryptoManiac/rng

It works much faster than flipping the coins and provides a real, guaranteed and unconditioned security.

koinsever

hero member

Activity: 882

Merit: 524

For Rent

its a really good idea. and can be updated. for example you can use 2d20 or something else. it can be more attractive. this is a proof of how flexible bitcoin is i think.

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Quote from: odolvlobo on October 24, 2019, 04:23:23 PM

Quote from: Dabs on October 24, 2019, 01:48:18 PM

Casino grade dice are the only dice that should be used. ...

If feel like that is major overkill. Randomness is not the primary goal.

Well, you could always grab a cheap bucketfull of regular game dice, shake them for a few seconds in a container, then dump them on the floor, take a picture of the floor with the dice, grab the raw or jpeg file, and get it's SHA256, use that result as the private key (or as input to another generator).

Might be overkill, but it's fun. And you'll only need to do it once.

Personally, I'd just use the bip39 page and click on 24 words a few times, then save the extended private key somewhere; maybe make a few more. At least those can be loaded into most hardware wallets and Electrum.

odolvlobo

legendary

Activity: 4298

Merit: 3209

Quote from: Dabs on October 24, 2019, 01:48:18 PM

Casino grade dice are the only dice that should be used. ...

If feel like that is major overkill. Randomness is not the primary goal.

In a brute force attack, the attacker uses their knowledge of any biases to reduce the search space. A purely random number has no biases, so it is an effective tool. But, it is not a necessary condition since a lack of randomness does not necessarily give the attacker any information.

Suppose, I have a hardware random number generator that tends to set some bits to 1 and some other bits to 0. If the attacker does not know which bits are biased and what their biases are, they have no information that will help them.

You can say that flipping a coin is not truly random, but it is effectively random to the attacker unless they know the exact conditions that were present when the coin was flipped.

Suppose I take 256 coins and set a number of of them to heads and the rest to tails, and then I arrange them in a certain order. Assuming that the number of heads vs. tails and the order of the coins makes no difference to me (i.e., I have no obvious biases), the result is effectively random to the attacker even though it is not random at all.

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Casino grade dice are the only dice that should be used.

They are used by casinos for good reasons. They are transparent. They have sharp edges. They are accurate to 0.01 mm or have very small tolerance. They are perfect cubes. Each face has equal weight.

Then, as in the game craps, you should roll them across a surface and only count the result if it bounces back against the other side.

https://www.youtube.com/watch?v=W9zJ0b91SQ0
https://www.youtube.com/watch?v=7n8LNxGbZbs

Use dice rolling machines to roll dice a million times. Fun project.

Saint-loup

legendary

Activity: 2604

Merit: 2353

Quote from: BrewMaster on October 24, 2019, 10:28:08 AM

meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

I'm not sure about that, it's well known that computer generated entropy is globally less safe than physical ones, where have you seen the opposite?

Quote

Applying this test to the output of various pseudorandom sequence generators is interesting. The low-order 8 bits returned by the standard Unix rand() function, for example, yields:
Chi square distribution for 500000 samples is 0.01, and randomly would exceed this value more than 99.99 percent of the times.
While an improved generator [Park & Miller] reports:
Chi square distribution for 500000 samples is 212.53, and randomly would exceed this value 97.53 percent of the times.
Thus, the standard Unix generator (or at least the low-order bytes it returns) is unacceptably non-random, while the improved generator is much better but still sufficiently non-random to cause concern for demanding applications.

https://www.fourmilab.ch/random/

Quote

Entropy values must be sourced from a strong source of randomness. This means flipping a fair coin, rolling a fair dice, noise measurements etc.

https://iancoleman.io/bip39/

Quote

An important part of creating a Bitcoin wallet is ensuring the random numbers used to create the wallet are truly random. Physical randomness is better than computer generated pseudo-randomness. The easiest way to generate physical randomness is with dice.

https://www.bitaddress.org

BrewMaster

legendary

Activity: 2114

Merit: 1292

There is trouble abrewing

Quote from: Saint-loup on October 24, 2019, 08:44:33 AM

+++

meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

Saint-loup

legendary

Activity: 2604

Merit: 2353

Quote from: bitmover on October 23, 2019, 04:48:41 PM

I do not understand the limitations on AIS-31 compliant. Maybe someone who has more knowledge can help us better ( i would move this topic to technical discussion board for better inputs from community and less yobit spammers).

But there are limitations on randomness of flipping a coin over and over again.

1 - muscular memory - i don't know if that expression is correct, I am talking about you doing the exactly same movement 256 times is not totally random. Your movement may not be 50-50, but 30-70, as it is the same over and over again. Maybe if you asked to different 256 people flip the coin once, it would have a better randomness.

2 - coin may have not be completely balanced, which could also lead to biased results (not 50-50).

But anyway, as I said before, I think it is enough randomness for a priavate key generation. Don't know if it is better or not than AIS-31. But flipping a coin is not perfectly random imo.

It's certainly not perfectly random but it's safer than relying on so called "True Random" Number Generators that can be bugged or having design weaknesses, and are actually just trustful blackboxes. I think it's well known physical sources of entropy are safer than digital ones.

With the iancoleman page you can generate 24 words seeds by using 6 sided dices, 52 cards decks, binary sources(like coin flips), etc.

https://iancoleman.io/bip39/ (enable Show entropy details)

bitmover

legendary

Activity: 2212

Merit: 5622

Non-custodial BTC Wallet

Quote from: MrFreeDragon on October 23, 2019, 03:37:25 PM

In other words, why the AIS-31 compliant true random number generator (TRNG) generates a more random 256bit number rather than physical coin fliped 256 times?

I do not understand the limitations on AIS-31 compliant. Maybe someone who has more knowledge can help us better ( i would move this topic to technical discussion board for better inputs from community and less yobit spammers).

But there are limitations on randomness of flipping a coin over and over again.

1 - muscular memory - i don't know if that expression is correct, I am talking about you doing the exactly same movement 256 times is not totally random. Your movement may not be 50-50, but 30-70, as it is the same over and over again. Maybe if you asked to different 256 people flip the coin once, it would have a better randomness.

2 - coin may have not be completely balanced, which could also lead to biased results (not 50-50).

But anyway, as I said before, I think it is enough randomness for a priavate key generation. Don't know if it is better or not than AIS-31. But flipping a coin is not perfectly random imo.

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: bitmover on October 23, 2019, 02:49:35 PM

Quote from: MrFreeDragon on October 23, 2019, 02:15:49 PM

Can you explain the algorithm and the process of private key generation by a hardware wallet (ley's say by Ledger)?

Ledger nano does not generate private keys, but a BIP 39 24 word mnemonic seed. Different from what you are doing, because generating private keys directly (however, this allows you to create just one address)
-snip-

Quote

Here’s how a BIP 39 24-word mnemonic seed is generated:
The device generates a sequence of 256 random bits using the true random number generator (TRNG) built into the device’s Secure Element.
The first 8 bits of the SHA-256 hash of the initial 256 bits is appended to the end, giving us 264 bits.
All 264 bits are split into 24 groups of 11 bits.
Each group of 11 bits is interpreted as a number in the range 0 - 2047, which serves as an index to the BIP 39 wordlist, giving us 24 words.
https://ledger.readthedocs.io/en/latest/background/master_seed.html

Actually the same random number: 256bit number - they still generate a 256bit number (like 256 coin flips in my case). They just use this number in a different way: they append 8 first bits (actually repeat them) to receive 264bits in order to present it by 24 words. So, first of all they generate 256bit number, and later present this number by 24 words from 2,048 determined words list.

Hence, the common thing in "coin flip" and "hardware wallet" is a 256bit number generation. My visual tool makes it visually flipping a coin 256 times with 50%/50% chances for every bit, and I evaluated these 256 bits as absolutely random. Howeve you argued this and said that:

Quote from: bitmover on October 23, 2019, 01:04:11 PM

-snip-
I still think the most secure way of generating a private key is through a hardware wallet.
-snip-

Probably we compare the different things: randomness and security. If you mean the most secure way, i also beleive that the hardware wallet could be better (at least the user does not know the key and does not have some parts of it in memory). For security we should consider more things, not only randomness.

But I was talking about randomness saying that the coin flip method is absolutely random. If you still beleive that hardware wallet generates "more random" number rather than a physical coin flip, can you please describe why? In other words, why the AIS-31 compliant true random number generator (TRNG) generates a more random 256bit number rather than physical coin fliped 256 times?

bitmover

legendary

Activity: 2212

Merit: 5622

Non-custodial BTC Wallet

Quote from: MrFreeDragon on October 23, 2019, 02:15:49 PM

Can you explain the algorithm and the process of private key generation by a hardware wallet (ley's say by Ledger)?

Ledger nano does not generate private keys, but a BIP 39 24 word mnemonic seed. Different from what you are doing, because generating private keys directly (however, this allows you to create just one address)

I was able to find this information regarding randomness of the process (i think this is what you are looking for)

Quote

Here’s how a BIP 39 24-word mnemonic seed is generated:

The device generates a sequence of 256 random bits using the true random number generator (TRNG) built into the device’s Secure Element.
The first 8 bits of the SHA-256 hash of the initial 256 bits is appended to the end, giving us 264 bits.
All 264 bits are split into 24 groups of 11 bits.
Each group of 11 bits is interpreted as a number in the range 0 - 2047, which serves as an index to the BIP 39 wordlist, giving us 24 words.
https://ledger.readthedocs.io/en/latest/background/master_seed.html

Quote

Ledger devices also generate secrets securely with a large amount of entropy using an AIS-31 compliant true random number generator (TRNG). As such, it is more secure to use the device’s internally generated secrets rather than importing a secret from elsewhere which could have been compromised before being loaded onto the device.
https://ledger.readthedocs.io/en/latest/background/personal_security_devices.html#personal-security-devices

If you think their entropy is not good enough, you can also add a passphrase to your seed, it will add an additional entropy to your private keys generation.

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: bitmover on October 23, 2019, 01:04:11 PM

Quote from: MrFreeDragon on October 12, 2019, 09:43:32 PM

Quote from: Kyraishi on October 12, 2019, 09:08:20 PM

Not sure if it's the safest way to generate a private key, but it's definetly the most fun way to do something like that.

If you generate 256 bit of your private key flipping a coin, you can 100% be sure that all your 256 bits are absolutely random.
If you generate a private key with the help of some software/wallet/other service, you can not be sure in their random algorythm. In some cases they also could be pseudorandom, generating the predefined keys within the predefined range (even if you use them offline).

-snip-
I still think the most secure way of generating a private key is through a hardware wallet. However, for educational purposes, this flipping method is amazing.

Can you explain the algorithm and the process of private key generation by a hardware wallet (ley's say by Ledger)?

Topic: Private Key by 256 coin flips (Read 415 times)