Topic: SeedSigner: Review (Read 628 times)

That's my taste, right there! Better than both plastic and aluminum. I neither knew about the wooden fiber; I don't have a 3D printer, but I like the aesthetics.  

My point is that you wouldn't call such a thing "random". You would call it unfair or biased. If you know that heads comes more frequently than tails, then you can predict the final output. If both heads and tails have the same probability, then you wouldn't call it "truly random", just "random" would do fine. I agree that it mustn't be binary, but where do we draw the line between random and non-random?

It just seems to me that we don't care if the dice is completely fair-- ergo, random. What matters to us is if it is rolled enough times-- ergo, the entropy generated is sufficient. Therefore, we don't care about being "truly random" or not, we care about minimizing the predictability (maximizing the entropy).

I already showed you aluminum metal case for Seedsigner, and there are many variations of plastic cases, but someone recently made unique wooden SeedSigner case!
I didn't know this, but apparently you can also use wooden fibers in 3d printing machines to make enclosures like this.
This looks amazing, and you can download and print your own as .stl files and everything else is released as open source  
https://github.com/SeedSigner/seedsigner/tree/dev/enclosures/open_pill_mini_w_coverplate


https://twitter.com/SeedSigner/status/1757890380572270810

No it's not because there are to many ''random stickers'' for something that is not really random and can be reproduced.

Let's just say that, fortunately, SeedSigner won't allow me to use a single dice result as an entropy! 

Is it just me or is the phrase "true randomness" a bit of mixture of pleonasm and misleadingness? It kinda bothers me. If something is random, then people can't guess it; the outcome is totally unpredictable, and every possible outcome has the same probability. If that would be false, you wouldn't call it "fake randomness". You would simply call it non-random, or biased. In the case with generating entropy, both /dev/urandom and dice rolls are evidently random, hereby "truly random". But what matters in the end is being provably random.

Rolling dice is provably random, because you control the interface. /dev/urandom on the other hand requires some trust on the hardware.

Be careful with that, or you'll end up like coldcard user who used their dice generation feature with weak entropy and lost all his coins.  
Same could be said for any generation that is not true random, and that means that it can be reproduced and cracked much easier.

As far as I know RaspberryOS aka Raspbian is literally based on Debian linux code.
https://en.wikipedia.org/wiki/Raspberry_Pi_OS

Anyway, I saw Seedsigner devs are finishing conversion of code for much more devices soon, as a part of new HRF bounty.
That means you will be able to run Seedsigner code on more devices soon, not just on Rpi.

 

My bad! It doesn't have a RAM requirement, so it probably works with all models as displayed.

Is it me or you compare the disk (card) size the OS image file with the device's RAM capacity?
From the image file at the end more space will be occupied and also you don't have to keep all the OS files in RAM in the same time, right?

No you are not missing anything. It just works I can't do anything with it though, so I abandonned it.

By the way, I just checked, because I also found it curious, I run the legacy version which requires 363MB.


Sounds like a rational explanation. Sounds like I should abandon the idea. Consider it a bad idea, or better, a not valid idea.

Anyway, thanks again for the guide / review. It was helpful.

It is odd, though, because Raspbian Lite OS requires 520 MB of RAM, whereas Pi zero can handle up to 512 MB. Am I missing anything?

It is not a Linux distro. How do I know? Hint: 99.9% of the code is written in Python! 

Anyways, I don't believe that users should put trust on a CSPRNG that is not tested enough (as we wouldn't go with /dev/urandom). Besides, the spirit of the project is to trust none, including your RNG! 

You can install Linux on RPi Zero 2W which is the model I have. I have installed Raspbian Lite. The problem with it, is that it supports WiFi, which is a problem. Anyway, SeedSigner is an OS, so we need to go deep into its code to check if we can use something like /dev/urandom. If SeedSigner is like a linux distribution, it could be possible, but I seriously have no idea if it is doable.

I disregard the "take a seed picture" for generating entropy too. However, using coin / dice results as the entropy is the single most provable way to generate randomness. I agree that /dev/urandom is sufficient for the most part, but not for the paranoid (AKA, those who don't trust their device).

Raspberry Pi zero isn't designed to run Linux, as far as I'm concerned. It has 512 MB RAM, and almost all distros I know require more than that. How do you suggest we utilize such a source without having e.g., /dev/urandom?

Brilliant guide BlackHatCoiner. I have also tried to assemble a SeedSigner in the past. Suddenly the camera stopped working and I had it changed.

I like SeedSigner because in general I like DIY stuff. However, I dislike the "enter your own randomness" idea. Therefore I don't really use it.

But SeedSigner had all the small conveniences I wanted. Like the fact that you can easily scan a QR code to load the wallet (I think Jade has this feature too).

Nevertheless, I have a question and I have also thought about it. Do you believe it would be a good idea to slightly change the code to generate entropy using some CSPRNG source? It's still too abstract in my mind, but perhaps you have thought about it too. I mean since the code is open-source. I have recently written this script: https://bitcointalksearch.org/topic/--5483173 which uses /dev/urandom to generate entropy. It doesn't do anything too fancy, but perhaps we could incorporate something similar to the Seed Signer. Perhaps...

You can if you are brilliant like Crypto Guide  
He didn't post anything for more than a month, so I am sure he is working on something new to release in public.
One of the rear crypto guys you can follow on youtube this days:
https://youtu.be/NTdiji9KpRE

Now imagine using a Seedsigner in combinaison with a Seedkeeper to safeguard your seedphrase in a secure element...

If you like what SeedSigner is doing than you are going to love the new premium version enclosure made from high quality aluminum metal.
There are several websites already offering this product as a separate enclosure only for €69, or as a prebuilt version for €150, and there are a bunch of colors to choose from.
I just love how cool it looks with milled, sandblasted and anodized aluminum case.


https://www.gobrrr.me/product/seedsigner-aludiy/
https://vulcan21.com/product/seedsigner-premium-orange/
https://xmrstreet.store/product/monerosigner/
https://btc-hardware-solutions.square.site/product/premium-milled-aluminum-seedsigner/20?cs=true&cst=custom

PS
Seedsigner devs are also working on payjoin implementation for more privacy, and other code improvements.

Important updates.

As of writing this, v0.7.0 is released.

- You can now verify addresses[1][2]. That solves the security problem of an attacker compromising your watch-only wallet and replacing your addresses with theirs, and tricking you into believing you own bitcoin that you actually don't. Now that is impossible if you verify the address with your seed signer right before you request receiving bitcoin.
- You can now sign messages[3][4][5]. Same as with unsigned transactions, you can request from a supported wallet software (e.g., Sparrow) to sign a message by scanning and displaying QR codes.
- SeedSigner is reproducible[6].
- Booting takes about 12 seconds to finish, which is about 66% less than in v0.5.0.

And other highlighted in their repository.

[1] https://talkimg.com/images/2024/01/29/kcbbN.png
[2] https://talkimg.com/images/2024/01/29/kcDSa.png
[3] https://talkimg.com/images/2024/01/29/kcOso.png
[4] https://talkimg.com/images/2024/01/29/kcW9T.png
[5] https://talkimg.com/images/2024/01/29/kcqal.png
[6] https://github.com/SeedSigner/seedsigner/releases/

Bump.

Fixed dead images using Talkimg.

Dear lord, I had forgotten to respond to this kind offer... I've already used to the orange pill now, but thanks! 

---

---

So, apparently, the dice results aren't calculated as I thought, with 1.66 bits in each roll.

Instead, they choose to SHA256 the result, which looks like "25516341...", and then convert the hash to mnemonic. At least that's what I understand from their source code. So, 50 rolls, if the dice is fair, provide 6^50 bits of security*, which is about 3 times 2^128. However, because I'm completely paranoid when it comes to dice fairness, I've chosen to roll it 99 times. Just in case.

BlackHatCoiner, I don't know where you're located, but I can print something like this for free for you mate.

Even made a topic about this after joining the forum. I don't operate the machines anymore lately, but I can fire them up if needed.

Actually it seems he did his research and apparently the Linux kernel does use external sources of entropy nowadays; which would mean the gap between PRNG and TRNG is closing a bit.

But when you get into very large or very small numbers (or probabilities in this case), they get extremely hard to imagine.
I like these types of videos to better envision them:
https://www.youtube.com/watch?v=tnIFQIu3tZ0

A little off-topic, but this one is about the security of 256-bit:
https://www.youtube.com/watch?v=S9JGmA5_unY

And of course the well-known dyson sphere infographic:


What I'm trying to say is that in the field of such large / small numbers, even pretty large factors may not make a large practical difference.
For example, an entropy multiple orders of magnitude worse than another one, can be practically just as secure, while mathematically and information-theoretically being a lot worse.

That's why sometimes (also in this thread) statements are made about software randomness being 'very bad entropy' or similar, even though it may still be totally viable for many applications. It's just 'terrible' in information theory / maths realms.

Dude, you can print the case anywhere you want in your local area for few bucks  
I am sure you can find bunch of ads from people and services who are offering 3d printing services, most I know are 3d designers or just owners of 3d printers.
They don't even know what they are printing when I order it from them, it's dirt cheap and I don't have to wait more than few hours or a day for delivery.

It's simple math, and if you are not mathematician you can't understand it easily.
Companies wouldn't waste millions of dollars to achieve true randomness if gameboy, nintendo or raspberry pi was able to achieve this.
Research this subject deeper to understand it better, key point is if something can be reproduced or not.

That's interesting; I suppose though that the quality of randomness (entropy) will vary by the type of device in question. Some may have more 'sensors' or other ways to acquire external noise. It should also be kept in mind that a big challenge of hardware entropy is digitizing an analog entropy source without 'moulding' it in a certain way that introduces a bias, which would detrimentally affect the entropy.

To be honest, I don't think a state-of-the-art PRNG (especially if it does use external sources of entropy as you described) will be realistically easier to attack (think of stuff like a hundred years instead of 200 and numbers like this, if not higher). Even though it might be off by magnitudes from a true randomness source, today's software randomness is usually good enough for all practical scenarios.

If /dev/urandom really incorporates what I'd call true randomness and doesn't degrade its entropy too much, it means it's trying to get more and more similar (or even become) a TRNG in the long run. This again shows that on paper, a TRNG is always better; it's just that it's not always feasible or practical to implement in off-the-shelf devices. Even an outdated, seed-based PRNG is enough for most (read: non-cryptographic) use-cases, like generating random bytes for something.

By the way, a quick web search revealed, that apparently, /dev/random is better for cryptograhpy.

Actually, this seems like pretty sensible advice before generating a seed from /dev/random or /dev/urandom:

It does use "real" source of entropy, or to formulate more properly: It does use events happening outside the machine, such as environmental noises:
Does this make them more susceptible to a brute-force attack? I'm trying to understand what's the weakness of pseudo-randomness, but I feel like beating a dead horse.

The issue with this (besides the slight argument from authority) is that it's a little bit like the issue of 'n-th generation PoS blockchain' - if you're building sophisticated, fancy stuff on top of a bad foundation, you won't get the best results and will always be restricted by the limits of your foundation. PRNG is only pseudo-random and doesn't use any 'real' source of entropy; just algorithms that try to get as close as possible to that. Sure, they're well researched and gradually improved in decades of research, but they remain 'pseudo'-random.

I can change it whenever I want, but I don't want to wait 2+ weeks again nor to pay 20+ EUR for a case. The one I have does the job nevertheless. No, I don't have a 3D printer.


Seriously though, why isn't an RNG generating true random results, and if it isn't, which opens up a philosophical question, why does the TRNG, indeed, generate true randomness? To be precise, urandom is a Cryptographically Secure Pseudorandom Number Generator (CSPRNG), and to be honest, I'm a complete noob when it comes to this field, but I somewhat agree with this perspective.

One more interesting thing I saw is that some people are working on new SeedSigner OS with minimal Raspberry Pi image.
I didn't test this myself, but this is step in good direction because I never liked slow loading speed for SeedSigner, and I think this can speed up things a lot.
This project is open source, and it's freely posted with easy instructions on github by DesobedienteTecnologico:
https://github.com/DesobedienteTecnologico/seedsigner-os

It seems that the time is not far off when users will massively assemble devices for themselves using open-source software and available components, following the example of BlackHatCoiner. This allows you to individualize each device to suit your needs and tasks. I wanted something similar to appear, but to my surprise, as it turned out, it is already possible to assemble the device myself and it's just great. The issue of security of funds for bitcoiners will always be relevant and the emergence of such a hand-made direction was inevitable. Especially considering that hardware wallet manufacturers are increasingly gaining influence and power in this niche, which in itself contradicts the idea of ​​freedom and decentralization. So, people who understand the advantages of homemade devices (of course, I mean assembly from ready-made components, as in the review of this topic) will abandon the already widespread hardware wallets, like ledger and trezor.

For anyone who is interested to test how SeedSigner wallet works, without actually purchasing RaspberryPi and other hardware elements, you can try testing SeedSigner elmulator.
This is working on desktop computers for all operating systems (windows/linux/mac) and I saw someone was able to install it on old android smartphone.
Code is released on github by enteropositivo:


https://github.com/enteropositivo/seedsigner-emulator

Yes it does, and that's what it'll remain for me, because not only don't I have enough crypto to justify another HW wallet, but I'd have to learn how to do everything BlackHatCoiner did to create this neat-looking wallet.  I give him props for doing so, because it looks cool as hell and I've long been fascinated by Raspberry Pi's.

Thanks for posting this, OP.  I'm going to go back and give your post a closer read and try to learn something.

Thanks for the review. RPis have a hardware RNG as /dev/hwrng and to my knowledge it passes most of the die-hard tests. Throw your dice or hash a picture and XOR it with /dev/urandom and/or /dev/hwrng: this way even suboptimal dice throws don't matter when XORed with a good-enough "true" random independent entropy source.
For meatspace it's difficult to produce good randomness.

First time I heard about gobrrr website was in bitcointalk forum and I think they have very good prices for everything, especially when we know how hard is to find Raspberry Pi with lower prices on other websites.

There is nothing wrong with Orange Pill case and you can change it anytime if you do it carefully.
I prefer printing my own case with custom colors with freely available .STL files.

Any device that have RNG option is not really generating true random results that can't be reproduced, that is why we have TRNG,
but wallets like trezor are trying to fix this with mixing multiple sources to create better random value, that is still not good in my opinion.

I have thought a while ago to build the Seedsigner but unfortunately, the components that are available in my country are just too expensive so I just hang it for some time while waiting for the prices to come down. Anyway, props to you, this review furtherly explains about what Seedsigner is all about.

---

Their whole OS is indeed fully booted up from the ram[1]. Even if you do a manual installation, it recommends the user to disable the swap file[2].

---

I found this repo which may explain the reasoning why they decided to go that way: https://github.com/SeedSigner/independent_custody_guide#creating-secure-private-keys-in-a-trust-minimized-way.

Not sure I agree with their explanation of wanting to generate entropy via meatspace. I'd like to think that a hardwallet takes much of the responsibility of generating entropy off the person as possible, since for me hardware wallets are more likely to be bought, and used by newbies. Alright, maybe SeedSigner isn't as accessible as ready made options, but still I prefer to idea of taking that out of the users hands or at very least giving an option to the user.

Ah, yeah I seem to have forgotten about that small detail . That makes sense. Well cheers for the review, wasn't overly familiar with SeedSigner.

Excellent review.

In all honesty I feel the idea is a lot better than the execution.  I had considered conducting this experiment myself but decided against it feeling it's not as safe, secure, or functional as an air-gapped Pi (or other PC) running an open-source OS such as Ubuntu.  My main concern with the setup is that you have to keep your seed phrases accessible or pull them out of hiding once in a while, which exposes them to significantly more risk than is necessary.  Conversely, an air-gapped PC can store your seeds relatively safely behind strong encryption, and multiple layers of encryption can be implemented.  Once you're seeds are paired with wallets they never need to be exposed again.

Theft of loss of SeedSigner appears to pose slightly less risk, assuming the seed is thoroughly purged from the system.  I haven't audited the code, but I assume the seed is stored in ram while the device is in use.  If the OS uses swap files to store the seed it can retain the information unless it's overwritten with random bits as the device is being powered down.  I don't know about you, but none of that would really ease my concerns if the device was stolen.  Again, a thoroughly encrypted OS is likely to buy you more time to discover the loss of the device and move your funds.

One benefit to the experiment, however is that if you tire of it you have all you need to convert it into an air-gapped PC (with the exception that I would want a bigger screen.)

All in all, it looks like a really fun project whether you use it to manage funds or not.  

I ordered it from gobrrr.

Yep, but I thought the default would be a better option. Proved wrong. 

Which thing isn't random nor secure exactly? Pi's RNG? urandom?

But, I don't blame them for my possibly less unpredictable entropy. Of course and it's my responsibility to ensure the dice is fair. But, you don't get to force me go with your way, just because you think it's right. This attitude is translated to a little disrespect, one might say, towards actual cryptographers who've studied more than you've done, and have concluded to using a CSPRNG.

Let me choose a "Use Pi's RNG" option, and if you don't recommend it, show a warning.

Nice to see you decided to give SeedSigner a try BlackHatCoiner, but you didn't say if you ordered that orange pill case from third party or you  3d printed it yourself?
I have to say there are much better and smaller SeedSigner cases and I prefer them instead of this default option, my favorite is Lil'Pill but there are other .STL files released as open source.

This is fortunately advantage for me, and I prefer to generate my own seed words.
Most people would just use default entropy generation that is not really random nor secure, that is why they decided to go this direction.
If you make any mistake during this process you can only blame yourself, not SeedSigner aka Rpi

I tested Sparrow wallet before and I think it's even better for multisig setup compared to Electrum wallet.
There are some stuff they need to fix with adding and removing devices (that was when I tried it), but I generally liked it and it's good alternative for Electrum.

Nice review!
It looks like a wonderfully nice toy, it's on my wish list too for some while, for when my HW dies or Pi Zero will be again in stock in my country, whichever comes first.
Until then the software should also get more mature + maybe Electrum will also implement the missing feature(s).


Camera + screen are the two directions/devices for transferring information between SeedSigner and the hot wallet. Both are crucially important.

It's necessary. Without the camera you can't scan the PSBT from your computer's monitor.

Always a massive fan of users DIYing this sort of stuff. I've sadly run out of merit though.

I'm assuming the dearest piece of kit here is the camera, which might not be necessary for users that don't want to scan QR codes? Since, most other hardware wallets don't offer this, you could potentially even argue that this is an additional expense that isn't really needed. I guess the convenience is there if you need it though.

Prologue
So, a month ago, I was trying to find out which hardware wallet should I buy. My conditions were simple; it had to be open-source and I had to make the purchase in the most private way possible. My only option was to buy BitBox 1, but it happens to be old, deprecated and their developers aren't known for being privacy seekers, which really underwhelmed me.

My only choice was to purchase a hardware wallet outside my country using a poste restante, which I didn't want to do for personal reasons. But, then dkbit98 suggested something I hadn't thought of; do the job with a Pi.

And so I did. I bought a RPi Zero, a camera, a little screen and a few other stuff, and built a SeedSigner; an air-gapped hardware wallet signing device, which takes security into the next level.  

Disclaimer: There's no affiliation with SeedSigner and this thread isn't sponsored. I just bought it and share my thoughts.

---

---

In summary:

Pros:

• Open source, github page: https://github.com/SeedSigner/seedsigner
• Air-gapped
• Relatively cheap ($50~$100)
• Separation between private key storage and signing
• Can be bought anonymously (without KYC, AOPP etc.)

Cons:

• Little hard setup
• Experimental software; the project is, well from what I can judge, in an early stage
• Works only with BlueWallet, Nunchuk, Sparrow, Specter Desktop
• It's forcing you to generate the entropy yourself

---

---

Alright, let's begin.

SeedSigner aims to give a solution to one problem; the cost and complexity of multi-sig usage. However, at the same time, it can be used for single-sig setups, lowering the cost of your "hot" storage as well. There's nothing saved inside the SD card, besides your settings which is optional, therefore there's less danger for funds' loss. When you shut down SeedSigner, it erases the seeds; they're meant to be kept temporarily in memory and you have to import the seed on each startup. And that's basically one of the features that makes SeedSigner differentiate.

This has the following advantage: You can have the device on plain sight (don't, but you get the idea). As far as I understand, this is implemented to reduce the risk of money loss. For cold storage, create the QR code and find a good hiding spot. For daily transactions, you can just insert it into your drawer etc., without minding much.


For quick imports, use QR scanning:

---

Unfortunately, you can't create a new seed with an internal RNG. SeedSigner somewhat forces you to generate the entropy yourself. Either with a picture or dice rolls.


I get the spirit of "trust none!", but that's just wrong. It should allow you to generate random entropy, even with a warning. Furthermore, it gives a false sense of security. If you don't test the dice is decently fair, then you shouldn't generate a wallet. Period. Quoting a forum legendary is needed here:

Hashing a picture can also be problematic, see thread: Turn photos into Bitcoin wallets. So, here's a feedback: Include /dev/urandom. Simple. Do it for those who want to avoid this fuss.

This is how they justify it:

One thing I also don't understand is how the rolls are 50/99 exactly. Doesn't each give 1.66 bits of entropy on average?  

---

These are the features:

One thing I've forgotten to say is that, besides open-source, the code is also easy to read. It's 100% written in Python, and there aren't many files to check. It doesn't take more than an hour. The src/seedsigner/models is what's all about.

---

How to use it

These are the steps to spend money:

• Create a seed.
• Export the master public key with a QR code.
• Import the master public key to a wallet software. (From the available, I prefer Sparrow*)
• Create a transaction.
• Export the PSBT in QR code from your computer's screen.
• Scan the QR code from SeedSigner.
• Sign the transaction from Seed Signer.
• Export the signed transaction in QR code.
• Scan the QR code from your computer.
• Broadcast the signed transaction

Ta-da! Transaction signed in the air!  

*Sparrow is a wallet I'd never used, as I put Electrum above others, but I'll have to admit it's good. Perhaps even better than Electrum. The reason you can't use Electrum (at least not easily) is because it doesn't support animated QR codes, which is the way SeedSigner exports xpub keys and signs transactions. That's because the screen isn't big enough.

---

---