Topic: Seed Generation in Hardware Wallets (Read 881 times)

I can confirm everything works very good with M5StickV, and this is great to have if you like to have smaller size hardware wallet.
Another good thing about M5StickV is that you can run/remove Krux code and add some other firmware on it, for example code for Jade wallet can be added following instructions below:
https://github.com/Blockstream/Jade

That being said, price for Maix Amigo is around $50 and M5StickV has similar price now, so Maix Amigo is much better option overall.
When I purchased M5StickV price was much lower with some discount.

I've used it.  When creating a seed, it asks you to tap the screen to take a picture for use as entropy.  Then the screen shows the camera view.  Tap.  Captured.  Done.  It's quick & easy.

Here's a full review I wrote & posted in the forum (EDIT: with a lot of pics.  Check it out).

There's tons of info on their Github:


You can pick up hardware to run Krux for under $50, so it's cheap to try.  I like using it on a Maix Amigo because of the large touchscreen, but the M5StickV is another option that is similar in size to a Blockstream Jade.

Which github account were you viewing, this one? https://github.com/selfcustody/krux

Thanks for response.  Could you head me to the proper source of this information? I've sieved their GitHub account but didn't find anything relevant.

 I'm an owner of  Passport 2 and looking for the decent companion to my wallet to use it as a cosigner in multisig.

 Krux might be viewed as candidate  if it would meet my requirements.

Aside from the standard randomization, Krux has the user take a photo & uses that image as data for additional entropy.

For the record, I'm not involved with Krux in any way.  I watched a review of an earlier version of it by Crypto-Guide on youtube, and since hardware to run it on was under $50, I figured I'd give it a shot.  Of all the hardware wallets I've used, this is the one that impressed me the most thanks to the combination of using the camera for additional entropy, having a large touchscreen for fast & easy text entry, being fully airgapped, using encrypted SeedQR, using passphrase QR, and the UI is so clear & intuitive.  I hope SeedSigner eventually adds these features, because that's another project I really like.

Exactly.
Old smartphone can work better than Ngrave if you don't care about open source code, and you can also install Graphene OS on Pixel and get device with open source software.
You pay less money for this, and you can always switch back to use it as regular smartphone.
I think newer Pixel devices also have secure space, that is not exactly secure element, but it gives additional security.
Krux app can work on smartphones, but there are other wallets you can use without internet connection.

It's not off-topic and it's not pathetic.
Seed phrase IS generated on Krux and Krux is DIY hardware wallet, not a banana.

All that is good but seems to be fully  off-topic (and pathetic at the same time) .

The core of this thread is to discuss various techniques used by hardware wallets to harvest the randomness while your post said  nothing about this.

Thus. let's resume the natural course.

How would you compare the quality of entropy generated by Krux vs other wallets listed by OP?

I hate that you're right, but...  you're right.

I'm of the opinion that we all owe it to the community to keep teaching people how to properly secure their coins.  I've explained passphrases and how to create a strong one more times that I can even remember, but I keep doing it, because it matters.  I've explained the reasons to write a seed down on paper and make a metal backup, and store those two items in two separate locations only you have access to.  I've written about the importance of these things more times than I can remember.  I'm sure many of you have too.  And we have to keep on explaining, and keep on teaching, because so many people still don't understand the basics of security, and because there's a constant influx of newcomers who need to learn these things.

But no matter how hard we try to help...  as you said...  most people don't really care about security until it's too late, and then they blame everyone else.

We have to keep trying anyway, because for every ten idiots who don't listen, if we're lucky there will be one person who does.

In terms of securing a seed: My favorite hardware wallet is an open source project called Krux.  It's fully airgapped and uses SeedQR.  Krux makes it easy to create an encrypted SeedQR, so even if somebody finds the QR code, they can't use it (or even tell what it is).  The encrypted SeedQRs don't even need Krux to be decrypted (so long as you don't lose the decryption key you created, which is basically a password or passphrase).  It's a brilliant system, and the hardware to run it on only costs around $50.

Doesn't really matter, considering they aren't open source: https://github.com/ngraveio/zero-firmware

And given that their secure element and OS are going to remain closed source (https://support.ngrave.io/hc/en-us/articles/4409555395217-Is-the-ZERO-open-source-), then we will just have to take them at their word. Note that their word includes calling their device "100% offline" and "the coldest wallet", but also involves connecting it to a computer via USB in order to update it.

BTW, those plates  are for the storing BIP 32 root seed (= NGRAVE  "Perfect Key") rather than for the SEED phrase. If user will chose to create wallet with BIP 39 SEED phrase then those plates are useless (at least for storing that phrase itself) and he will search for alternative way (or wiil be in need to take an additional converting). I think they should  add and highlight this in the description of GRAPHENE (=  set of those two plates) product.

Sure, but why would anyone give people less secure option with single point of failure anyway, even if it's only optional?
You know for sure that someone will use this since it is available, and most people don't really care about better security until some disasters happens, and than they can blame everyone else.

Yeah, but no one is obliged to acquire the whole set that includes those  two steel plates. User is free to buy only single hardware wallet ( too expensive for me though) and use the well-behaved method of storing SEED phrase on stainless washers as  following all recommendations described in this threat.  

As to their TRNG,  the landing page of official site states  that it is based on their patented chip, but I didn't find the relevant patent. Maybe will try once more.

I didn't know about this information, but I will add it in first post.
However, I don't think it's needed to add additional entropy when you are already using TRUE RNG, especially not if you are adding biometrics like fingerprint that is unique piece of information.
You can't have two of the same fingerprints in the world even for twins, but you can duplicate any fingerprints very easily.

That sounds like a single point of failure to me
And let's not forget that Ngrave is maybe of the most expensive hardware wallets in the world right now.

I think there is no ideal approach to achieve 100% randomness using at least one  computational device (in their case TRNG) no matter how to mix entropy coming from various sources.

But,in my view,  the scheme used by  NGRAVE is worth sharing as it is in the tideway of this threat.

No doubts,  your analysis of NGRAVE-technicality is vary valuable addition   and should be taken into account.

I've read through the links you provided, and while there are some good things about their system, there are some bad things as well.

Combining their RNG with entropy from physical sources is good. Ambient light from a camera is good depending on how they extract the entropy from the picture (although the article does not go in to that). Fingerprints are bad, for the same reasons that all biometrics are bad - they are easily copied and easily faked. The user interaction section is utterly meaningless. Swapping around 8 substrings gives 8! = 40,320 combinations, which could be bruteforced in a second. This part is security theater rather than anything meaningful.

Their justification for their back up system makes a lot of incorrect statements:

Multi-sig.

You go to your second back up.

And their back up system is even weirder. They use two steel plates, one acting as a decryption key for the other. So if you lose one, you've lost your coins. So no different to a standard back up, except now you've got two separate single points of failure. But then they say if you lose the decryption plate, NGRAVE can recover it for you? And if you want, you can complete KYC and store the data on your other plate with them as well? All in all it is the worst of all systems - single points of failure, zero redundancy, and a trusted third party being involved as well.

@dkbit98, hi!

I think it is worth to add to the list NGRAVE ZERO, which uses the unique way to generate randomness by combining data taken from internal TRNG, fingerprint scanner and ambient light captured by the build-in  camera. They claim that such procedure  elevates entropy to the next level when compared to all existing hardware wallets.


https://www.ngrave.io/en/academy/post/beyond-mnemonic-phrases-the-path-to-the-ngrave-perfect-key
https://www.ngrave.io/en/blog/why-randomness-is-central-to-crypto-but-so-hard-to-achieve

Please, find some qualification regarding Seed generation in Passport. To reach the highest level of randomness in the course of SEED creation Passport preliminary mixes entropy taken from ADC fed by Avalanche source with those ones from two build-in  RNGs (one of them is the part of MCU, the other one  is in SE):


The relevant  code to manage involved ADC on MCU can be found  here.

SeedSigner DIY device added to the list.
They have different approach for generating entropy compared to many other hardware wallets and 24-word BIP39 seed phrase can be created with 99 dice rolls, by taking a digital photo, or be doing coin flips.
Thank you @JL0 and @A S M for your contribution.

PS
If anyone notices any mistake in my list please tell me to make a correction.
You can also submit new wallets that are not listed yet, but only do it if you have official confirmation with links for entropy generation method.

In addition to creating entopy using dice rolls, there should also be:

Options to add final word entropy
Coin flips
Select BIP39 word
Finalize with zeros
Added final word calc screen showing bit-level entropy + checksum bits
https://github.com/SeedSigner/seedsigner/releases/tag/0.5.1[/list]

[/list]

Thank you for contributing.
I added seed generation procedure for Specter device based on github link you posted.

I won't add anything for SeedSigner until I can find clear confirmation or source link.
If I remember correctly they have some kind of dice method of seed phrase generation but I couldn't find any information about that on their website.
I would appreciate if you could help with this @JL0

I follow Specter DIY project since the time it was created. Regarding SEED entropy, device uses the mix from a few internal  sources :

Sure, but I don't remember exact process of generating seed phrase for this DIY devices you mentioned.
You can write how this is done for both devices with one sentence and source link, than I will add separate section for DIY devices, Krux will probably be there also.

PS
For some reason I am currently not able to open SeedSigner website, and I see it's online for other people.

@dkbit98
could you add Specter DIY and SeedSigner please?

I think they will have to implement this option in their new upcoming hardware wallet, and this issue is still Open on github.
Trezor One is senior device and oldest hardware wallet in the world, and I think it would be waste of time trying to put everything inside, as much as I would like.

Thanks, this is good article and I think I saw it before when I was checking out Specter wallet.

First thing that comes on my mind is Raspberry Pi Zero 1.3, but maybe even Raspberry Pi Pico can do this, if you know how to program them.
Other option are TTGO T-Display or M5Stack devices (similar like jade wallet) that are written in micro python I think.

The code required to simply hash an input and spit out an output is incredibly simple and very easy to write yourself, so you can be certain that the software is not doing anything malicious. You can then manually combine the checksum with your entropy and manually convert it all in to words.

Once you have arrived at your final seed phrase, you are still going to be importing it on to an airgapped device to create an airgapped wallet from which you can sign unsigned transactions generated elsewhere. If you are going to be using this device to store your wallet, then you are at minimal additional risk using the same airgapped device to generate the checksum from your manual entropy.

Jimmy Song proposed something similar for Trezor two years ago: https://github.com/trezor/trezor-firmware/issues/1293 They never implemented it.

If you are interested in the topic of how to generate mnemonic words manually in general, and with coin flips in particular, I would recommend you another detailed instruction which caught my attention recently: https://estudiobitcoin.com/do-you-trust-your-seed-dont-generate-it-yourself/

The main problem with all "offline" instructions, as always, is how to calculate a checksum for a specific entropy without having to rely on devices that may have been tampered with or infected with malicious software. I have been thinking about a small-sized open-source hardware device that has only one function, which is to give a SHA256 output for a given input. Is there such a device?

It appears his site does in fact assume cards are replaced (and presumably shuffled) each time a card is picked.

I would agree with you that this is not a good setup as I believe it will cause you to miscalculate the actual amount of entropy you are "getting" when generating your seed.

https://iancoleman.io/bip39/
Check the box titled "Show entropy details" near the top.
Select "Card" from the radio buttons on the right hand side (or skip this step, once you start entering your cards it should automatically detect the entropy type).
Start entering your cards in the format VALUE SUIT. For example, AH for ace of hearts, 5S for 5 of spades, TD for ten of diamonds (Jack/Queen/King are J/Q/K respectively).

A private key (or a seed) is just a very large number. If you do some task with a random output, all you have to do is assign each outcome a value, and do some calculation with the output of that value.

For example, if you wanted to roll dice (6 sided), you might use the following procedure:
start out with an arbitrary number, perhaps 0, called "num"
each time you roll your dice, add the value of the dice to "num" then multiple "num" times the value of the dice. If your dice are not numbered but have a unique color on each side, you could assign a value to each color and follow the same procedure. The resulting value for "num" is your private key, although you will likely need to apply additional function(s) on the number in order for most wallet software to be able to do anything with your private key.

If you were to use a deck of cards you could assign each card a value and follow the above procedure.

If you wanted to generate a seed you can write down, you could use the following procedure:
Assign each of the 2048 words in the BIP39 word list a value.
Your first word will be the output of "num" modulo 2047.
Use integer division on "num" to divide "num" by 2047 to get your new "num" value
Repeat until you have an appropriate number of seed words.

I am not able to find where on his site you can use cards to generate a seed.

If you pick the top card from a 52 card deck of cards, any given card will have a 1-in-52 chance of being chosen. If you pick two cards, the particular order that you pick those two cards is one out of 2652 possibilities, which is just over 11 bits of entropy. If you pick 31 cards, I calculate that particular order of cards will work out to approximately 160 bits of entropy. If you pick all 52 cards (without ever reshuffling), the specific order you picked the cards will give you approximately 225 bits of entropy according to my calculations.

So as long as you can shuffle the cards well one time, you will be able to generate a "strong" private key.

I won't, because I think using cards is inferior to simply flipping a coin.

There are all the disadvantages I discussed above, but also there is the issue with shuffling a deck of cards. Every time you flip a coin you are pretty much guaranteed a random result, even if you are "bad" at flipping a coin. Whatever happened on the last several flips has no bearing on what happens on future flips.

Now consider a deck of cards. Perhaps I am bad at shuffling, and so whatever card I drew from the top last has a higher than average chance of staying near the top, meaning I recycle the same 10 or so cards throughout my entropy generating process. Or perhaps I only use riffle shuffles, which means cards near the bottom will never leave the bottom. Or perhaps I don't bother shuffling between every card because it takes too long. And so on. There are too many variables and too many corners which can be cut which you cannot do with flipping a coin or rolling a dice.

When we are talking about the security of your entire wallet here, I really don't think the 15 minutes it takes to flip a coin 256 times is too much to ask. Just like when people say "check a few characters at the end of the address" - it is ridiculous to cut corners and save your self the 10 seconds it takes to check the whole address.

The more bits you disable, the easier it will be to detect the "unnatural" operation of the fake generator. There must be a compromise, you must turn off so many bits that you yourself cannot go over everything quickly knowing the mask. You must have a computer with several powerful video cards on which the search time can be, for example, 1 month. In addition to the example I described above, you can run the result of the fake generator through the SHA-256 function to mask a large number of disabled bits.

Correct, you can use this seed words for any wallet you want and it will work perfectly, I would just suggest that people should double check and test if they imported everything correctly.
This way you can be sure that you are eliminating any weaknesses all devices can have during seed generation with random or not so random generated results.

Now all you have to do is to write a simple instructions with few images like Bitbox did, create a topic about that and people might actually start using it. 
There are no stats for this, but I think that from all possible methods people used card decks the least for seed generation.

It doesn't even have to be fake random generator, it's enough that results can be recreated and repeated, and that is why people use all sorts of weird ways to create randomness, including radioactive decay.
There is interesting list of random number generators throughout history, but they are all pseudorandom number generator, that are deterministic and NOT truly random:
https://en.wikipedia.org/wiki/List_of_random_number_generators

I'm not an expert in cryptography, but wouldn't this method be easily detectable? I mean, by comparing the sequence of falsely generated numbers, someone could probably catch a pattern, right?

To create a fake random number generator, there is no need to create any databases, especially since there is nowhere to store them in the hardware wallet. To generate non-random 24 words, you need to create a 256-bit mask that will disable certain bits (set to 0) from the number generated by a real random number generator. Each disabled bit will reduce the search time of the seed phrase by 2 times.
An example for an 8 bit number:
10010101 - random number
    “AND”   - logical multiplication
00011001 - mask
      =
00010001 - fake random number
When iterating over a number, we only need to iterate over 1, 4 and 5 bits, since the rest of the bits will be guaranteed to be 0.
In this example, the search time will be reduced by 32 times.
The attacker will have to periodically perform a complete search of the seed phrase using the mask he has created and check the positive balances.

I've not seen this before. It's a really cool way of doing it actually. And you definitely don't need a Bitbox to use this method, as you can use any open source tool to calculate the 24th word. Even better if you flip your coin 3 times to get the first 3 bits of the last word rather than manually picking from the 8 options.

The most fair way of doing it would simply be to treat black cards as 0 and red cards as 1, draw a card, make a note, and then shuffle that card back in to the deck and repeat 256 times.

A somewhat quicker way would be to treat spades as 00, clubs as 01, diamonds as 10, and hearts as 11 (for example), draw a card, make a note, shuffle that card back in to the deck and repeat 128 times.

Ian Coleman's site accepts cards as an entropy source, but I don't like the way it does it. In his system, to assign each of the 52 cards a different value, 32 cards contribute 5 bits of entropy, 16 cards contribute 4 bits, and 4 cards contribute 2 bits, since 2⁵ + 2⁴ + 2² = 52. I don't like the fact that some cards are "more secure" than others. It also encourages someone to shuffle a deck of cards and then simply draw them all in order. This reduces entropy, since after you have used one card you will never use it again, and so that patterns of bits will never be repeated.

Using his method for a full deck of cards will give you what is claimed to be 232 bits of entropy, but in reality it will be less than that for the reasons I have given above. If you use the full deck of cards to generate a 12 word (128 bit) seed phrase, then you will be fine, but if you stop inputting cards when his site tells you you have reached 128 bits, then actually your seed phrase will be weaker than advertised.

Often times something that is quick and easy it's not always a good choice, and I prefer to do something myself even if it means it's going to be a bit slower.
One good example of instructions for generating your own seed words with dices is written by Bitbox wallet team, and it's not complicated at all:
https://shiftcrypto.ch/blog/roll-the-dice-generate-your-own-seed/

PDF version is also available with backup card you can print with your printer:
https://shiftcrypto.ch/bitbox02/BitBox_Diceware_HowTo.pdf

I think that every home have at least one deck of cards if not more, but it's strange that so far I didn't found a single article that shows how you can use your deck for generating seed words.
It's probably best to use dices, and I don't think they are tweaked and weighted unless you got them from some dirty casino

I agree with what you say especially if hardware wallets are closed source, with exception of few hardware wallets that have Verifiable Seed Generation, but I could say the same thing for regular computers also.
How do you know that seed phrase wasn't pre-generated by software wallet and stored on somewhere on your hard drive or memory of your computer?
Safest way is entering your own manually generated seed words in any wallets, software or hardware.

There is no real way with a hardware wallet to verify the whole process.

The hardware wallet shows you a seed phrase. How do you know that seed phrase wasn't pre-generated and stored on a list of seed phrases on a database somewhere?
So then they show you the entropy, so you can verify that the seed phrase was produced from the entropy displayed. How do you know that entropy wasn't pre-generated and stored on a list of entropy on a database somewhere?
Maybe you generate new entropy 1 million times. How do you know that the generation really is random and not using a deterministic process?

The only way to resolve this is to use a hardware wallet which allows you to enter your own entropy (and then verify externally that the seed phrase your hardware wallet gives you does indeed match the entropy you fed it), or to generate your own seed phrase manually and enter that in to your hardware wallet, such as by flipping a coin 256 times, calculating the checksum, and then encoding the result in to BIP39 words.

I would probably trust a HW wallet manufacturer over an entity that only generates a random number. You are already trusting the HW wallet manufacturer if you are using it to sign transactions. Ditto if you are using a phone to store your keys.

A dice does guarantee entropy, it is free (minus the cost of the dice), assuming you are sure the dice is not weighed. You could also use a deck of cards, although I am not sure how to ensure the deck is properly shuffled. IMO, the best way to guarantee entropy would be to use a quarter (other USD coins would also work), although the process of flipping the coin and recording the result can be tedious and some people might take shortcuts.

Interesting device.

Even were it NOT able to generate fully random seed words using the generator, you could get *pretty close* by doing something like below:

1.  Decide: 12 words?  24 words?  (etc.)
2.  Generate a 12 word wallet, write down the last 6 words only
3.  Generate another 12 words, write down every "even number" word (the second, fourth, sixth, eighth, etc.)
4.  Combine the above 12 words in whatever order you decide, this would serve as your "plan" for generating future seeds
5.  Remember your "plan", do it the same way each time in the future
6.  And add the "13th Word" (24th) for added security to your HW wallet

*  *  *

Perhaps the time comes when we would all like to see an easy and quick way to generate seed words by hand from the Github word list (https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt).

2048, I believe is 2^11.  Would that imply that you could get 11 coins (same coins, good condition), and do the below?

1.  Toss the coins down, start next step with the coin furthest left (for example)
2.  If "heads", that would direct you to the first half of the BIP 39 list, "tails" the second half
3.  Next coin, the heads the first half of remaining words from step 2, tails the second
4.  Next coin, same procedure.
5.  After doing the above with the 11 coins, you have your first word
6.  Repeat coins toss for second word....

You see?  Not so easy nor quick.  Quick and easy random is not so quick...  Thoughts?  

(Octahedral dice might save a little time, but...)


EDIT: The below link will take you to an article by "Arman the Parman", where he details a way to generate your own seed.

https://bitcoinmagazine.com/culture/diy-bitcoin-private-key-project

Alas, it is still neither quick nor easy to do this..

There is one device like this made by hardware wallet manufacturer Ellipal, and it has one purpose to be Mnemonic Phrase Generator with BIP39 standard.
They claim it is true random generator device that is offline and they call it ELLIPAL Joy, second claim is they are open source but I couldn't found any source code on github last time i checked.
Note that I didn't test this device that was released recently, and I don't recommend it to anyone but it can be purchased for $39.90 currently.


https://www.ellipal.com/pages/ellipal-joy-mnemonic-generator

Another free, safe and offline alternative is to use your own physical dices for generating seed words, without use of any device.
Later you can import this to any wallet you want, including hardware wallet.

Alternatively, if you want to store large amounts and do not trust the built-in random number generators, you can buy, for example, a Keystone wallet and use it only to generate seed phrases using dice, and then use this seed in other hardware wallets.
It would not be bad if someone from the manufacturer created a separate inexpensive device for generating seed phrases using dice or coins, and also had a built-in mnemonic converter Ian Coleman.

Maybe there's a quick-n-dirty workaround to this issue for us non-tech folks.

1.   Create a new wallet in Wasabi (or most other wallets, any that you feel you can trust), write down the words...
2.   Create a few receive addresses (easy in Wasabi)
3.   Then "restore" that wallet into your hardware device
4.  Send off one, two or three small separate amounts; check that the receiving addresses in your HW wallet match those in Wasabi

The only issue I see (but invite critiques) is that your HW wallet will "have touched the internet".  Which might be corrected (?):

5.   Send off BTC from your HW wallet to another wallet
6.   Delete your HW wallet
7.   Create a new wallet in your HW
8.   Fund that with small amount(s)
9.   Send that amount out to another wallet (as in 5)
10.  Create another new wallet in your HW device...

Not quite clear what you mean?
The wallet, having generated a random number (for example, 256 bits), adds 8 bits of the checksum and sends it to a function that converts it to base 2048 and outputs 24 numbers of 11 bits each, which is then replaced with the corresponding word from bip39 dictionary. All this is easily verified.
Or do you think there may be a second fake random number generator in the wallet?

Let's say they do exactly that, how long are they going to wait before they start emptying people's wallets? The two most popular brands are Trezor and Ledger. The Trezor One was released back in 2014, the Ledger Nano S came out in 2016. We have gone through two significant bull runs. The one at the end of 2017 and the one we witnessed recently when the BTC price almost hit $69.000. I think especially the 2nd one was the perfect opportunity to cash out a billion or two. But we aren't seeing cases where people lose money where the users themselves didn't make mistakes that led to the loss of funds.     

This is not exactly correct, even if it's true that humans and their brains are generally bad for creating randomness, using simple tools like dices and cards, changes the game a lot.
I would dare to say that you can create better and safer random results with dices, following simple instruction than using most hardware wallets for this.
Coldcard and Keystone are only wallets that have Verifiable Seed Generation as far as I know (Passport is working on this also).

I used official websites as source of information and I only mentioned word mnemonic one time for (ledger wallet) in first post, so I didn't mix anything.
Order of mnemonic words can be random or not random, but that was not the point at all.

What I seem to understand after looking through the excellent research that you presented us is that the majority of reputable hardware wallets are very transparent about how they are generating random numbers, they all are using only certified methods of generation of random numbers, etc. In short, they seem definitely much better than human beings at generating randomness (the degree of disorder is higher). However, what I don't understand is how actually we can verify that mnemonic phrases, which are being shown upon initial setup, really come from these random numbers. As far as I know, no hardware wallet shows you the initial entropy from which the mnemonic seed phrase is generated. That means we can't verify the result if we don't know what the initial data was. What if they generate truly random numbers, but then give us completely unrelated results, that is,  pre-made malicious phrases?


After rereading your post I noticed that you are mixing up "entropy" and "mnemonic" or rather use them interchangeably, which is not quite correct because they are not the same thing especially when we are talking about the generation of random numbers. Mnemonic words aren't random at all because they are mathematically and deterministically derived from entropy.

Information update:

Onekey mini uses internal random number generator that satisfies NIST SP 800-90A/B/C; CSPRNG is used to guarante the quality of randomness, which is equivalent to DIEDARD TEST, FIPS 140-2, TEST U01 test criteria.
Onekey Mini is using Trezor wallet forked and changed code, but they added secure element and made other changes.
Source: https://onekey.so/security

PS
If anyone notice any mistakes or missing info in first post, please make suggestion for correction, providing source information and links.

Yeah .. aws-iot-edukit is awesome, btw talking to cryptography educational stuff and textbooks I like that old style lecture on
stream ciphers, xor circuits, random numbers, perfect cipher

Lecture 3: Stream Ciphers, Random Numbers and the One Time Pad by Christof Paar

But question on top of my mind stack now is..
ok we designed a diagram .. sent it out to a semiconductor manufacturer fabric etc.. how can we know test if the schema we asked for is nothing more, nothing less?

Yes it is plain old ESP32 board and anyone can purchase their own and load it with Jade open source code, so there is no need to buy from their official store.
I would prefer buying something like M5Stack Core2 ESP32 AWS (has secure element) but I think anything like cheap TTGO T-Display will work just fine.

You can even use cheap M5StickC ESP32 and cad STL file to 3d print your own Jade hardware wallet and then load it with Jade code.
This means that you can make your own diy wallet for $10 or $20 and not wait to pay $40 for out of stock product.


m5stack.com

Thanks dkbit98 for the insight. Very interresting indeed. I am reading about



I am trying to make it more clear in my small brain. I am reading again some foundations about random numbers and a case study at textbook chapter about it... btw, kindly made public by the authors Niels, Bruce, Tadayoshi

https://www.schneier.com/wp-content/uploads/2015/12/fortuna.pdf

On regards to Jade wallet sounds a nice project (out of stock ) do they use esp32 chip (Manufacturer: Espressif Systems)?
I guess it is ESP32-S ins't it? (Reliable Security features ensured by RSA-based secure boot, AES-XTS-based flash encryption, the innovative digital signature and the HMAC peripheral, “World Controller”)

https://www.espressif.com/en/products/socs

So I was interested to know how Jade hardware wallet is doing entropy and generating seed words, but I couldn't find that information anywhere on their website.
After contacting Jade wallet developers I got reply that they are working on readme file and support page with more detailed information, but for now I got this explanation:

Jade wallet comes with a hardware random number generator (from esp32 chip), and when device is started it uses accumulator similar like in bitcoin core.
This stores a 32 bytes state generated by sha512 hashing of a number of things: its previous state, 64 bytes from the hardware random generator, data from the stack, various counters (cpu ticks and global) and sensors (hall and temperature), as well as extra entropy provided by the companion app.
The result of the sha512 is split in two: half becomes the new 32 bytes state and the other half is provided as the entropy requested and fed to the standard bip39 entropy to mnemonic function.
The hashing function is called at boot and at each time entropy is requested as well as any time a button or the wheel is touched.

This looks something similar like Trezor is doing with mixing entropy of hardware random generator and computer, but it's not exactly the same.

I guess that only way to be sure is to open and destroy the wallet in this process to identify the chip, as they have everything closed source, but I would personally don't use Safepal for holding my coins, maybe only for some play money.
Not enough security experts examined Safepal for potential exploits and bugs, but I am thinking of asking some of them in private to make unbiased tests.
One more thing is that Binance exchange is now pumping Safepal wallet and their useless token, so I expect more people will try to break and exploit it now.

Hi,

I cant stressed how important entropy is to BTC.

I even took this photo at Science Museum in London ages ago.

(host auto delete after > month)

so my question is ...

I just ordered a safepal s1 for testing and they claim
the chip comes from Germany BSI AIS31

https://docs.safepal.io/safepal-hardware-wallet/security-features/hardware-security/true-random-number-generator

How can I be sure their wallet really got that hardware?

The entropy is not necessarily 256 bits, the bits used will determine how many words the seed phrase will contain. Using 128 bits will bring about 12 seed words, 160 bits will bring about 15 seed words, 192 bits will bring about 18 seed words, 224 bits will bring about 21 seed words while 256 bits will bring about 24 seed words. These are the standards used in generating seed phrase, especially the 12 and 24 seed phrases are common.

reserved

Some people are asking a good question, how can they trust that Hardware Wallets are randomly generating Bitcoin seed words?

First, whatever device you are using and not just a hardware wallet, but also your smart phone, computer or any other device, you need to have some basic trust or verify everything on your own and that is not always easy.
Generally speaking, hardware wallets that are open source and existed longer time have been examined by many security experts and they are considered safer but none of them is 100% safe.
Hardware wallets are made to simplify things for average newbie, but you should always remember that seed words are more important than your hardware device.

Humans are bad in making anything random so forget about it if you had an idea to pick 24 random words from your head/wordlist and used them as your seed words.
You need to achieve good 256bit entropy or disorder and good old dices or coin flipping are some way to achieve this so you don't have to trust their random number generators.

How are Hardware Wallets doing entropy?

Trezor One and T is mixing external entropy from computer with internal entropy from built-in hardware random number generator RFC 6979,  and this can be verified on their github page.

Trezor 3  to be updated...

Ledger wallet is using Random Number Generator from their closed source Secure Element to generate mnemonic seed with AIS 31* certification.

ColdCard have the option for using internal true random number generator from their secure element or to use D6 Dice Rolls that can be verified. Verifiable Seed Generation.

Keystone is using Random Number Generator from their open source Secure Element and it can generate seed with casino-grade dices. Verifiable Seed Generation.

Passport wallet is using Avalanche noise source, an open source true random number generator (one of them is the part of MCU, the other one  is in SE). Verifiable Seed Generation.

Bitbox is using five different entropy sources from factory setup, secure element, regular chip, computer and device password, everything is open source and with latest update you can roll dices for verifiable seed generation.

Safepal is using closed source secure element for random number generation with AIS 31* and FIPS PUB 140–2** certification

BC Vault uses built-in hardware gyro sensor and various timings with human shaking the device for random number generation.

Jade wallet is mixing internal entropy from built-in hardware random number generator and various other things with companion app entropy.

Onekey mini uses internal random number generator that satisfies NIST SP 800-90A/B/C; CSPRNG is used to guarante the quality of randomness, which is equivalent to DIEDARD TEST, FIPS 140-2, TEST U01 test criteria.

Ngrave zero is combining data taken from internal TRNG, fingerprint scanner and ambient light captured by the build-in camera.

---

Specter DIY uses mix of multiple sources of entropy, TRNG of the microcontroller, Touchscreen and Built-in microphones (not yet), that are all hashed together.

SeedSigner DIY creates 24-word BIP39 seed phrase with 99 dice rolls or by taking a digital photo; and it can be be done with coin flips.

---

RNG https://en.wikipedia.org/wiki/Random_number_generation

TRNG - True Random Number Generator
HRNG - Hardware Random Number Generator (generates genuinely random numbers)
PRNG - Pseudo Random Number Generator  (generates numbers that look random, but are deterministic and reproducable)

Random number generator is used in IT, lottery systems, gaming, for passports and ID cards, smartphones, in NFC and chip manufacturing.

*AIS 31 certification standard used by Germany BSI
**FIPS PUB 140–2 certification standard used by US government

work in progress