Topic: Random Number Seed (Read 2603 times)

/dev/urandom is seeded from many different entropy sources including your CPU's hardware source, which might be bugged. But fortunately, this is not a problem for Linux because both /dev/random and /dev/urandom are blended with many other sources of pure entropy.

I do not know what kind of RNG is used in Windows, as it is proprietary software. But you should not be at risk using Windows unless you are being targeted by a state agency.

A little lower than 2^256, and yes.

Cryptographically secure pseudo-random number generators aren't really random, and that's why they will never return you number 100000 (e.g.) in such a large given range. The numbers they return look random.

You can put some trust in the experts around cryptography, using clean OS and vulnerability-free hardware, and make usage of the system's internal CSPRNG. Otherwise, you can roll a fair dice, and generate the entropy yourself, provably randomly.

I don't want to sound stupid but there's one thing that i need answer for
So a bitcoin private key is actually a random integer between 1 and 2^256 right and bitcoin wallet generate it randomly by using PRNG.
Ok so what's stopping PRNG from choosing say a random integer between 1 and 100000? Won't that make your private key insecure?
There's this website https://privatekeys.pw/keys/bitcoin/1
Here you can actually easily search private keys for any random integer value. So say if PRNG gives private key for value 9000000 then it's insecure right?
How to make sure the private key generated by bitcoin wallet is high quality?

idk


it doesn't depend on hardware. either windows, linux, android or OSx is fine. electrum uses a cryptographically secure random number generator on all OS.

When people say a bad OS can fuck up /dev/urandom what do they mean by that?
I think i am being ultra paranoid here.
So if i want to generate a strong random seed it doesn't depend on say hardware?
I mean if i have old PC will it generate less random seed compared to new gen PC?
If i use electrum on linux vs windows which is more better to generate random seed?

andrew chow's response there is the correct answer to that question. andrew is a bitcoin core contributor and knows what he's talking about:

https://bitcoin.stackexchange.com/a/62894/5273

also  this answer to the stackoverflow question is the correct one:

https://stackoverflow.com/a/5498100

/dev/urandom only needs to be seeded with a small amount of entropy. this happens at bootup. after that its pseudo random number generator can generator unlimited amount of random numbers.

It doesn't run out that's true.
But there's something weird definitely.
I tried it. I created seeds in electrum wizard. After 30,40 seeds the wallet closed. (may be randomness was weakening? ) . I again open and tried. Same happened again.
Also the post i quoted. Electrum developer also confirmed /dev/urandom can run out of entropy if it is called repeatedly.
Found similar concern here as well - https://bitcoin.stackexchange.com/questions/62871/does-my-electrum-wallet-become-less-secure-if-i-keep-generating-seeds-until-i-se

no it doesn't. /dev/urandom can generate unlimited cryptographically secure random numbers. it doesn't run out.

Sorry for bumping the old thread.
So does that mean say i repeatedly generate seeds say 100 seeds one after the other before finally deciding the choose the seed for my wallet. Does that make the seed less secure?

so rand seed pulls this from the heat/fan/ or something?

no, unless they use the same device

hang on though if 10000's of people us electrum are they not calling this repeatably or is my maths way off....though if they are all using the same call in python, then some one will luck out?


could dev put in a mouse over this area like true crypt uses?

I don't think so.
If the wallet is installed by people, then the system already has some entropy, just because of the way people interact with it.
I would be more concerned about really simple devices (such as the "trezor"), not something able to run a full debian OS, and about seeds generated during that device initialization.
I am not an expert, however; correct me if I'm wrong.

Hi Thomas, thank you for this wallet, I have really enjoyed it from an aesthetic perspective so far.

Given that a lot of people are likely to start creating wallets on a very simple device right after an OS install (debian netboot or similar), would it be wise to increase the system entropy somehow and collect randomness in a method similar to that used by GnuPG?

Thanks again for your work with the wallet!

If you have issues with not enough entropy with /dev/urandom (eg. you do a lot of generation in a short time on a web server or something) then you should look into the rng-tools package.

This has a daemon that collects entropy to feed /dev/urandom. I tried this out on my test server and it keeps the entropy pool very high always. It also logs entropy status info to syslog.

Please read http://stackoverflow.com/questions/5480131/will-python-systemrandom-os-urandom-always-have-enough-entropy-for-good-crypto

/dev/urandom can indeed run out of entropy if it is called repeatedly.
Here we call it only once, when the wallet is generated, so this cannot happen.

The only risk i see is if your wallet is created as part of the OS install on a very simple device. Correct me if I'm wrong.

Thank you for the answer!

I can't really speak to the issue, but I want to respond anyway in case you're not aware of this:

This link that you sent me implies that this is the call being made: os.urandom(16).encode('hex'), with a larger number, I assume.

This article speaks to this method. On a Linux system, this method queries '/dev/urandom' which is set by the operating system.

"os.urandom(n)
Return a string of n random bytes suitable for cryptographic use.

http://docs.python.org/2/library/os.html#os.urandom

"This function returns random bytes from an OS-specific randomness source. The returned data should be unpredictable enough for cryptographic applications, though its exact quality depends on the OS implementation. On a UNIX-like system this will query /dev/urandom, and on Windows it will use CryptGenRandom. If a randomness source is not found, NotImplementedError will be raised."

However, specifically on Ubuntu, this advice is given against using this method for a cryptographic use:

"      A  read  from  the  /dev/urandom device will not block waiting for more
       entropy.  As a result, if  there  is  not  sufficient  entropy  in  the
       entropy  pool,  the  returned  values are theoretically vulnerable to a
       cryptographic attack on the algorithms used by the  driver.   Knowledge
       of  how  to  do  this  is  not  available in the current non-classified
       literature, but it is theoretically possible that such  an  attack  may
       exist.   If  this  is  a  concern  in your application, use /dev/random
       instead."

Basically, it's saying that a read from /dev/urandom will not wait for a large amount of entropy to be collected, if it's lacking, but will return immediately with some result; whereas a read from /dev/random will wait for the entropy necessary for strong cryptographic purposes.

http://manpages.ubuntu.com/manpages/jaunty/man4/random.4.html

Electrum does not use Python's random number generator, which is known to have the problem you mention.
Instead it uses the operating system's random number generator.
more details here:

http://stackoverflow.com/questions/10341112/whats-more-random-hashlib-or-urandom

This may have been asked before, but here is a question that's been bothering me:

How do you seed the random number generator that's used to select the 12 words from the 1625 word dictionary, for the wallet seed? Does it use time? Does it use some other type of random event? Then how are the random events combined, and what degree of entropy does this seed have for the random number generator?

The reason I ask is because, while it's true that 12 words selected from a 1625 word dictionary yield approximately 3 x 10^38 combinations, the combinations are also constrained by the number of possible numbers which could be used to seed the random number generator. How many possible numbers are there for this seed?