Topic: Seed Generation in Hardware Wallets - page 2. (Read 903 times)

Thank you for contributing.
I added seed generation procedure for Specter device based on github link you posted.

I won't add anything for SeedSigner until I can find clear confirmation or source link.
If I remember correctly they have some kind of dice method of seed phrase generation but I couldn't find any information about that on their website.
I would appreciate if you could help with this @JL0

I follow Specter DIY project since the time it was created. Regarding SEED entropy, device uses the mix from a few internal  sources :

Sure, but I don't remember exact process of generating seed phrase for this DIY devices you mentioned.
You can write how this is done for both devices with one sentence and source link, than I will add separate section for DIY devices, Krux will probably be there also.

PS
For some reason I am currently not able to open SeedSigner website, and I see it's online for other people.

@dkbit98
could you add Specter DIY and SeedSigner please?

I think they will have to implement this option in their new upcoming hardware wallet, and this issue is still Open on github.
Trezor One is senior device and oldest hardware wallet in the world, and I think it would be waste of time trying to put everything inside, as much as I would like.

Thanks, this is good article and I think I saw it before when I was checking out Specter wallet.

First thing that comes on my mind is Raspberry Pi Zero 1.3, but maybe even Raspberry Pi Pico can do this, if you know how to program them.
Other option are TTGO T-Display or M5Stack devices (similar like jade wallet) that are written in micro python I think.

The code required to simply hash an input and spit out an output is incredibly simple and very easy to write yourself, so you can be certain that the software is not doing anything malicious. You can then manually combine the checksum with your entropy and manually convert it all in to words.

Once you have arrived at your final seed phrase, you are still going to be importing it on to an airgapped device to create an airgapped wallet from which you can sign unsigned transactions generated elsewhere. If you are going to be using this device to store your wallet, then you are at minimal additional risk using the same airgapped device to generate the checksum from your manual entropy.

Jimmy Song proposed something similar for Trezor two years ago: https://github.com/trezor/trezor-firmware/issues/1293 They never implemented it.

If you are interested in the topic of how to generate mnemonic words manually in general, and with coin flips in particular, I would recommend you another detailed instruction which caught my attention recently: https://estudiobitcoin.com/do-you-trust-your-seed-dont-generate-it-yourself/

The main problem with all "offline" instructions, as always, is how to calculate a checksum for a specific entropy without having to rely on devices that may have been tampered with or infected with malicious software. I have been thinking about a small-sized open-source hardware device that has only one function, which is to give a SHA256 output for a given input. Is there such a device?

It appears his site does in fact assume cards are replaced (and presumably shuffled) each time a card is picked.

I would agree with you that this is not a good setup as I believe it will cause you to miscalculate the actual amount of entropy you are "getting" when generating your seed.

https://iancoleman.io/bip39/
Check the box titled "Show entropy details" near the top.
Select "Card" from the radio buttons on the right hand side (or skip this step, once you start entering your cards it should automatically detect the entropy type).
Start entering your cards in the format VALUE SUIT. For example, AH for ace of hearts, 5S for 5 of spades, TD for ten of diamonds (Jack/Queen/King are J/Q/K respectively).

A private key (or a seed) is just a very large number. If you do some task with a random output, all you have to do is assign each outcome a value, and do some calculation with the output of that value.

For example, if you wanted to roll dice (6 sided), you might use the following procedure:
start out with an arbitrary number, perhaps 0, called "num"
each time you roll your dice, add the value of the dice to "num" then multiple "num" times the value of the dice. If your dice are not numbered but have a unique color on each side, you could assign a value to each color and follow the same procedure. The resulting value for "num" is your private key, although you will likely need to apply additional function(s) on the number in order for most wallet software to be able to do anything with your private key.

If you were to use a deck of cards you could assign each card a value and follow the above procedure.

If you wanted to generate a seed you can write down, you could use the following procedure:
Assign each of the 2048 words in the BIP39 word list a value.
Your first word will be the output of "num" modulo 2047.
Use integer division on "num" to divide "num" by 2047 to get your new "num" value
Repeat until you have an appropriate number of seed words.

I am not able to find where on his site you can use cards to generate a seed.

If you pick the top card from a 52 card deck of cards, any given card will have a 1-in-52 chance of being chosen. If you pick two cards, the particular order that you pick those two cards is one out of 2652 possibilities, which is just over 11 bits of entropy. If you pick 31 cards, I calculate that particular order of cards will work out to approximately 160 bits of entropy. If you pick all 52 cards (without ever reshuffling), the specific order you picked the cards will give you approximately 225 bits of entropy according to my calculations.

So as long as you can shuffle the cards well one time, you will be able to generate a "strong" private key.

I won't, because I think using cards is inferior to simply flipping a coin.

There are all the disadvantages I discussed above, but also there is the issue with shuffling a deck of cards. Every time you flip a coin you are pretty much guaranteed a random result, even if you are "bad" at flipping a coin. Whatever happened on the last several flips has no bearing on what happens on future flips.

Now consider a deck of cards. Perhaps I am bad at shuffling, and so whatever card I drew from the top last has a higher than average chance of staying near the top, meaning I recycle the same 10 or so cards throughout my entropy generating process. Or perhaps I only use riffle shuffles, which means cards near the bottom will never leave the bottom. Or perhaps I don't bother shuffling between every card because it takes too long. And so on. There are too many variables and too many corners which can be cut which you cannot do with flipping a coin or rolling a dice.

When we are talking about the security of your entire wallet here, I really don't think the 15 minutes it takes to flip a coin 256 times is too much to ask. Just like when people say "check a few characters at the end of the address" - it is ridiculous to cut corners and save your self the 10 seconds it takes to check the whole address.

The more bits you disable, the easier it will be to detect the "unnatural" operation of the fake generator. There must be a compromise, you must turn off so many bits that you yourself cannot go over everything quickly knowing the mask. You must have a computer with several powerful video cards on which the search time can be, for example, 1 month. In addition to the example I described above, you can run the result of the fake generator through the SHA-256 function to mask a large number of disabled bits.

Correct, you can use this seed words for any wallet you want and it will work perfectly, I would just suggest that people should double check and test if they imported everything correctly.
This way you can be sure that you are eliminating any weaknesses all devices can have during seed generation with random or not so random generated results.

Now all you have to do is to write a simple instructions with few images like Bitbox did, create a topic about that and people might actually start using it. 
There are no stats for this, but I think that from all possible methods people used card decks the least for seed generation.

It doesn't even have to be fake random generator, it's enough that results can be recreated and repeated, and that is why people use all sorts of weird ways to create randomness, including radioactive decay.
There is interesting list of random number generators throughout history, but they are all pseudorandom number generator, that are deterministic and NOT truly random:
https://en.wikipedia.org/wiki/List_of_random_number_generators

I'm not an expert in cryptography, but wouldn't this method be easily detectable? I mean, by comparing the sequence of falsely generated numbers, someone could probably catch a pattern, right?

To create a fake random number generator, there is no need to create any databases, especially since there is nowhere to store them in the hardware wallet. To generate non-random 24 words, you need to create a 256-bit mask that will disable certain bits (set to 0) from the number generated by a real random number generator. Each disabled bit will reduce the search time of the seed phrase by 2 times.
An example for an 8 bit number:
10010101 - random number
    “AND”   - logical multiplication
00011001 - mask
      =
00010001 - fake random number
When iterating over a number, we only need to iterate over 1, 4 and 5 bits, since the rest of the bits will be guaranteed to be 0.
In this example, the search time will be reduced by 32 times.
The attacker will have to periodically perform a complete search of the seed phrase using the mask he has created and check the positive balances.

I've not seen this before. It's a really cool way of doing it actually. And you definitely don't need a Bitbox to use this method, as you can use any open source tool to calculate the 24th word. Even better if you flip your coin 3 times to get the first 3 bits of the last word rather than manually picking from the 8 options.

The most fair way of doing it would simply be to treat black cards as 0 and red cards as 1, draw a card, make a note, and then shuffle that card back in to the deck and repeat 256 times.

A somewhat quicker way would be to treat spades as 00, clubs as 01, diamonds as 10, and hearts as 11 (for example), draw a card, make a note, shuffle that card back in to the deck and repeat 128 times.

Ian Coleman's site accepts cards as an entropy source, but I don't like the way it does it. In his system, to assign each of the 52 cards a different value, 32 cards contribute 5 bits of entropy, 16 cards contribute 4 bits, and 4 cards contribute 2 bits, since 2⁵ + 2⁴ + 2² = 52. I don't like the fact that some cards are "more secure" than others. It also encourages someone to shuffle a deck of cards and then simply draw them all in order. This reduces entropy, since after you have used one card you will never use it again, and so that patterns of bits will never be repeated.

Using his method for a full deck of cards will give you what is claimed to be 232 bits of entropy, but in reality it will be less than that for the reasons I have given above. If you use the full deck of cards to generate a 12 word (128 bit) seed phrase, then you will be fine, but if you stop inputting cards when his site tells you you have reached 128 bits, then actually your seed phrase will be weaker than advertised.

Often times something that is quick and easy it's not always a good choice, and I prefer to do something myself even if it means it's going to be a bit slower.
One good example of instructions for generating your own seed words with dices is written by Bitbox wallet team, and it's not complicated at all:
https://shiftcrypto.ch/blog/roll-the-dice-generate-your-own-seed/

PDF version is also available with backup card you can print with your printer:
https://shiftcrypto.ch/bitbox02/BitBox_Diceware_HowTo.pdf

I think that every home have at least one deck of cards if not more, but it's strange that so far I didn't found a single article that shows how you can use your deck for generating seed words.
It's probably best to use dices, and I don't think they are tweaked and weighted unless you got them from some dirty casino

I agree with what you say especially if hardware wallets are closed source, with exception of few hardware wallets that have Verifiable Seed Generation, but I could say the same thing for regular computers also.
How do you know that seed phrase wasn't pre-generated by software wallet and stored on somewhere on your hard drive or memory of your computer?
Safest way is entering your own manually generated seed words in any wallets, software or hardware.

There is no real way with a hardware wallet to verify the whole process.

The hardware wallet shows you a seed phrase. How do you know that seed phrase wasn't pre-generated and stored on a list of seed phrases on a database somewhere?
So then they show you the entropy, so you can verify that the seed phrase was produced from the entropy displayed. How do you know that entropy wasn't pre-generated and stored on a list of entropy on a database somewhere?
Maybe you generate new entropy 1 million times. How do you know that the generation really is random and not using a deterministic process?

The only way to resolve this is to use a hardware wallet which allows you to enter your own entropy (and then verify externally that the seed phrase your hardware wallet gives you does indeed match the entropy you fed it), or to generate your own seed phrase manually and enter that in to your hardware wallet, such as by flipping a coin 256 times, calculating the checksum, and then encoding the result in to BIP39 words.

I would probably trust a HW wallet manufacturer over an entity that only generates a random number. You are already trusting the HW wallet manufacturer if you are using it to sign transactions. Ditto if you are using a phone to store your keys.

A dice does guarantee entropy, it is free (minus the cost of the dice), assuming you are sure the dice is not weighed. You could also use a deck of cards, although I am not sure how to ensure the deck is properly shuffled. IMO, the best way to guarantee entropy would be to use a quarter (other USD coins would also work), although the process of flipping the coin and recording the result can be tedious and some people might take shortcuts.

Interesting device.

Even were it NOT able to generate fully random seed words using the generator, you could get *pretty close* by doing something like below:

1.  Decide: 12 words?  24 words?  (etc.)
2.  Generate a 12 word wallet, write down the last 6 words only
3.  Generate another 12 words, write down every "even number" word (the second, fourth, sixth, eighth, etc.)
4.  Combine the above 12 words in whatever order you decide, this would serve as your "plan" for generating future seeds
5.  Remember your "plan", do it the same way each time in the future
6.  And add the "13th Word" (24th) for added security to your HW wallet

*  *  *

Perhaps the time comes when we would all like to see an easy and quick way to generate seed words by hand from the Github word list (https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt).

2048, I believe is 2^11.  Would that imply that you could get 11 coins (same coins, good condition), and do the below?

1.  Toss the coins down, start next step with the coin furthest left (for example)
2.  If "heads", that would direct you to the first half of the BIP 39 list, "tails" the second half
3.  Next coin, the heads the first half of remaining words from step 2, tails the second
4.  Next coin, same procedure.
5.  After doing the above with the 11 coins, you have your first word
6.  Repeat coins toss for second word....

You see?  Not so easy nor quick.  Quick and easy random is not so quick...  Thoughts?  

(Octahedral dice might save a little time, but...)


EDIT: The below link will take you to an article by "Arman the Parman", where he details a way to generate your own seed.

https://bitcoinmagazine.com/culture/diy-bitcoin-private-key-project

Alas, it is still neither quick nor easy to do this..