Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: witcher_sense on December 03, 2020, 11:38:39 AM



Title: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 03, 2020, 11:38:39 AM
Here is an interesting tweet from ColdCard I've come across recently:

https://i.imgur.com/JpbiBJG.jpg
https://twitter.com/COLDCARDwallet/status/1334210450947534850

It is an advertisement for the new product "Dice set," with which to generate a random 256-bit number to create a seed phrase for your Coldcard and which is now available in the Coinkite store. https://store.coinkite.com/store/dice-100

According to Coldcard's tweet, it is now easier to generate a seed with dice rolls because you don't have to toss dice 100 times if you can toss 100 dice once instead.

In my opinion, this information is misleading, and users may end up losing their funds because of weak entropy!

You won't get a truly random number when tossing 100 dice at once because of two reasons. Firstly, the sequence at which to count dice after a toss is unknown, meaning that it is up to you to decide. Human decisions lead to the decrease of entropy since humans are bad at randomness. Secondly, given that all dice are of the same color, the sequence cannot be determined beforehand. Both factors clearly tell us that buying 100 dice doesn't make sense and is even harmful.

What do you think?





Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 03, 2020, 01:02:06 PM
It is.

To calculate entropy, we'll have to use log2 (6) - log base 2 of 6.

That gives us an entropy of approximately 2.58496250072 per dice roll. 128 bit entropy should be enough of an entropy which would result in at least 50 dice rolls to reach. When you have 100 dice, you can probably pick around 50 biased dice and still end up with 128bit of entropy.

The choice of word and the phrasing could be misleading and it'll help if they'll point this out in the packaging of the dice. I think the sequence of picking the dice will have a significant effect on the entropy but there is a decent cushioning before you'll really endanger the user's funds. You can only truly achieve 256bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 05, 2020, 12:25:14 PM
Sounds cool. but honestly i would rather use CSPRNG library or /dev/urandom from my terminal

Code:
cat /dev/urandom | xxd -l 16 -p
Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?


I think using dice rolls to generate entropy is not that bad of an idea. Especially when the point of it is to ensure that ColdCard isn't tampering with the seeds. Given that the key pad only has space for numerical characters, using dice rolls to generate entropy for a ColdCard wallet is probably the only way for the user to be sure that the RNG of the ColdCard isn't compromised.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: hugeblack on December 05, 2020, 12:30:59 PM
I think it is bad (decreases the randomness) even if the dice are not biased, let alone throwing a single throw of the dice that may be biased.

In general, does it enter into the calculation of the expected value[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).

If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.

[1] How To Calculate Expected Value (Worked Examples) (https://www.youtube.com/watch?v=JiD9dqUYalQ)



Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ABCbits on December 05, 2020, 12:45:26 PM
Sounds cool. but honestly i would rather use CSPRNG library or /dev/urandom from my terminal

Code:
cat /dev/urandom | xxd -l 16 -p
Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?

I've seen a few news items about RNG sabotage on library or programming language (mainly javascript) level, but never on OS level.
After all, if you could sabotage the OS, which requires superuser/root, there are more practical ways to steal/intercept one's data.

But at least there are a few vulnerabilities about RNG on linux kernel:
https://www.cvedetails.com/cve/CVE-2009-3238/
https://www.cvedetails.com/cve/CVE-2007-4311/
https://www.cvedetails.com/cve/CVE-2018-1108/


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 05, 2020, 12:54:01 PM
> In general, does it enter into the calculation of the expected value[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).
>
> If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.
>
> [1] How To Calculate Expected Value (Worked Examples) (https://www.youtube.com/watch?v=JiD9dqUYalQ)

What does expected value have to do with the generation of entropy though? Each of the dice has an equal chance of landing on each of the faces. The expected value shouldn't matter since you're not calculating the average value of the dice nor anything similar.

Each of the unbiased dice rolls will provide a certain and fixed amount of entropy because it is truly random. For example, if the 5th value is 6 in the first set of 100 and the 5th value is 5 in the second set, the resultant seed will be different. For someone to crack this, they'll have to land the dice at exactly the same value for 100 consecutive times, with the same permutation. This would be a pretty near impossible feat, giving the user a 256bit of entropy.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 07, 2020, 06:19:49 AM
> I think the sequence of picking the dice will have a significant effect on the entropy but there is a decent cushioning before you'll really endanger the user's funds. You can only truly achieve 256bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.

Theoretically, the biased sequence of picking the dice after a single roll could drastically decrease entropy and therefore lead to a loss of funds. Let us assume that a potential newcomer has no idea about how exactly a seed phrase is generated and why the degree of disorder is so important when calculating a given phrase. In my opinion, an average user doesn't necessarily need to know all this, otherwise, we will never see widely adopted bitcoin. Anyway, he or she just purchased their first ColdCard hardware wallet and also a set of dice, for whatever reason. Later, they found an interesting option in it, which is manual wallet generating via dice rolls. It sounds cool and familiar: it is like a game. They tossed their 100 dice at once, and then they need to insert these numbers into their wallet. The problem is they don't know at which sequence to count dice.

They asked ColdCard developers and got an answer:

https://i.imgur.com/hd80UPx.jpg

The sequence doesn't matter, you must be paranoid if you ask this!

They counted their dice the way they saw fit and got a random number: 1111111111111222222222222222222333333333333333333333344444444444444444444444444 44555555555555555555555555......6666666666666666

They inserted that number and generated a seed phrase.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 07, 2020, 07:07:51 AM
> The sequence doesn't matter, you must be paranoid if you ask this!
>
> They counted their dice the way they saw fit and got a random number: 1111111111111222222222222222222333333333333333333333344444444444444444444444444 44555555555555555555555555......6666666666666666
>
> They inserted that number and generated a seed phrase.

Their response is quite underwhelming to say the least. Isn't their hardware wallet designed for the paranoid with the inclusion of all the epoxy transparent chips and stuff? This issue isn't about paranoia at all and is a legitimate concern. Oh wells, I hope they actually misunderstood your point.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 07, 2020, 08:46:16 AM
Their response is at least ridiculous and misleading. It seems that the ColdCard marketing team has forgotten to ask the development team for advice before posting a tweet. Basically yes, their wallet is mostly designed for paranoid, experienced users who should know how things work in general and how to properly generate a seed phrase in particular. That all makes me think why they fail to answer, put it another way, are giving a misleading answer when paranoid and experienced users ask them the right questions.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 07, 2020, 06:02:27 PM
Had a brief email exchange with them and this is their response:
Quote
Hi ranochigo,

Hopefully the customers who buy dice specifically, will understand that putting them back into order after rolling would be bad idea. We ship them loose in a plastic bag, so they will arrive with lots of entropy ready to go. Let's hope our customers don't undermine that!

I guess that's your answer. Their stand is that they hope the customer doesn't specifically choose the sequence of the dice.  I don't think it's a great idea to not at least put a warning but if that's their stand then so be it. Tried to convince them otherwise through quite a few (lengthy) emails but I guess they have their own rationale as well. Hope it works well for them and the customers buying it (I personally think the coldcard is okay but nothing else).

Don't get why they won't recognise it as a potential (however small) issue that they have given how the design is geared towards those who are paranoid. But hey, who am I to criticize them on this? :D


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 08, 2020, 04:57:18 AM
> I guess that's your answer. Their stand is that they hope the customer doesn't specifically choose the sequence of the dice.  I don't think it's a great idea to not at least put a warning but if that's their stand then so be it. Tried to convince them otherwise through quite a few (lengthy) emails but I guess they have their own rationale as well. Hope it works well for them and the customers buying it (I personally think the coldcard is okay but nothing else).
>
> Don't get why they won't recognise it as a potential (however small) issue that they have given how the design is geared towards those who are paranoid. But hey, who am I to criticize them on this? :D

Thank you for your help! I am still not convinced and wouldn't recommend buying that particular product albeit I do like ColdCard hardware wallet because it looks neat. Despite the fact I ain't a tech-savvy person, I believe that any sequence, no matter how random it may be, would be specific since it would be human who would choose it. It is weird that the Coldcard team prefers not to talk about it and is silently selling a useless set of dice for 20 bucks instead. I am a bit disappointed.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: DaveF on December 13, 2020, 04:40:54 PM
Possible stupid question incoming:
Does it have to be a regular 6 sided die?
Can't we increase randomness by using a 10 or 20 or whatever sided die?

I'm sure the answer is out there, but I am truly having a brain freeze at the moment.

-Dave

https://www.mathartfun.com/shopsite_sc/store/html/d24.jpg


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: ranochigo on December 13, 2020, 05:09:21 PM
> Does it have to be a regular 6 sided die?

Nope.

> Can't we increase randomness by using a 10 or 20 or whatever sided die?
>
> I'm sure the answer is out there, but I am truly having a brain freeze at the moment.

Depends on how many times you roll the dice. Having a larger number of possible outcomes for each die will increase the entropy, think log2 (x), let x be the number of sides. The problem here lies with the bias when choosing specific dice for the sequence of entropy though.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: o_e_l_e_o on December 13, 2020, 07:40:43 PM
Although DaveF, with your picture you have inadvertently stumbled across a potential solution - different colored dice.

If you pick the order you are going to write down the result of the dice based on the color before you roll, then that removes the issue of bias in choosing the order. Using your picture and going clockwise, we choose the order blue, black, green, red, white. We roll the five 20-sided dice, for 4.32 entropy per dice, for a total of ~21.6 bits of entropy. Repeat 6 times for 128 bits, or 12 times for 256 bits, writing down the numbers in the same color order each time.
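
As an added illustration (not code from any poster or from Coldcard), the Python below reproduces the per-roll entropy figures quoted in the thread and measures what is left when 100 dice are read out sorted by face, as in the 1111...6666 sequence described earlier. The function names are made up for this example, and the sorted read-out is modelled as keeping only the count of each face.

```python
import math
from itertools import product


def bits_per_roll(sides=6):
    """Entropy of one fair roll: log2(sides) bits."""
    return math.log2(sides)


def rolls_needed(target_bits, sides=6):
    """Fewest fair rolls whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_roll(sides))


def sorted_outcomes(n_dice, sides=6):
    """Distinct results left once the dice are sorted by face value.

    Only the count of each face survives, so this is the number of
    multisets: C(n_dice + sides - 1, sides - 1).
    """
    return math.comb(n_dice + sides - 1, sides - 1)


def _face_counts(n_dice, sides):
    """Yield every tuple of per-face counts that sums to n_dice."""
    if sides == 1:
        yield (n_dice,)
        return
    for c in range(n_dice + 1):
        for rest in _face_counts(n_dice - c, sides - 1):
            yield (c,) + rest


def sorted_entropy_bits(n_dice, sides=6):
    """Exact Shannon entropy of the sorted read-out (practical for small n_dice)."""
    total = sides ** n_dice
    entropy = 0.0
    for counts in _face_counts(n_dice, sides):
        ways = math.factorial(n_dice)      # multinomial coefficient, built up
        for c in counts:                   # one face count at a time
            ways //= math.factorial(c)
        p = ways / total
        entropy -= p * math.log2(p)
    return entropy


def count_sorted_by_enumeration(n_dice, sides=6):
    """Brute-force cross-check of sorted_outcomes() for small n_dice."""
    faces = range(1, sides + 1)
    return len({tuple(sorted(r)) for r in product(faces, repeat=n_dice)})


if __name__ == "__main__":
    for sides in (6, 20, 120):
        print(f"d{sides}: {bits_per_roll(sides):.2f} bits/roll, "
              f"{rolls_needed(128, sides)} rolls for 128 bits, "
              f"{rolls_needed(256, sides)} for 256")
    n = 100
    print(f"{n} d6, order fixed before the roll: {n * bits_per_roll(6):.1f} bits")
    print(f"{n} d6, sorted by face afterwards: at most "
          f"{math.log2(sorted_outcomes(n)):.1f} bits "
          f"({sorted_outcomes(n):,} outcomes)")
    print(f"10 d6 sorted, exact: {sorted_entropy_bits(10):.1f} bits "
          f"vs {10 * bits_per_roll(6):.1f} unsorted")
```

With the reading order fixed before the roll, 100 six-sided dice carry about 258 bits; sorted by face afterwards they have at most 96,560,646 distinct outcomes, about 26.5 bits.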


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: suchmoon on December 13, 2020, 07:54:01 PM
How about a funnel connected to a transparent tube so all dice end up in it in a certain order? #ducttapeengineering


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: HCP on December 13, 2020, 08:19:58 PM
Yeah, I'm confused as to how they don't see the issue with just ending up with a large number of dice sitting in front of a person who then has to choose what order they need to be used in...

It's really no different to giving a user say 2048 words and saying "pick 12/24 of these" ::) ::)


> How about a funnel connected to a transparent tube so all dice end up in it in a certain order? #ducttapeengineering

I like it... but then I'm a fan of stupidly simple solutions ;)


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: DaveF on December 14, 2020, 12:16:50 AM
Hmmmm.
They do make dice up to some really stupid large number of sides and in more than the 5 colors listed.
So a set of 7 dice. Six of 120 sided dice in various colors (or clear if that's your thing):
https://mathartfun.com/shopsite_sc/store/html/d120Clear.jpg

And a 7th die that has a different color on each side.
You set the 6 of them in any order you like.
You then roll the 7th and that is the color you start from.

Repeat each time so even if one of the others does have a bias towards a number or set of numbers it will not always be in the same location in the line up unless the 6 sided die also has a bias.

Now....who has a 3d printer handy?

-Dave


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 14, 2020, 06:24:10 AM
> Hmmmm.
> They do make dice up to some really stupid large number of sides and in more than the 5 colors listed.
> So a set of 7 dice. Six of 120 sided dice in various colors (or clear if that's your thing):
> https://mathartfun.com/shopsite_sc/store/html/d120Clear.jpg
>
> And a 7th die that has a different color on each side.
> You set the 6 of them in any order you like.
> You then roll the 7th and that is the color you start from.
>
> Repeat each time so even if one of the others does have a bias towards a number or set of numbers it will not always be in the same location in the line up unless the 6 sided die also has a bias.
>
> Now....who has a 3d printer handy?
>
> -Dave

In my opinion, that makes the whole process of tossing unnecessarily complicated and time-wasting. We don't know a possible outcome if we determine the sequence of colors beforehand, so the result can't and won't be biased in any case. But I like the idea of using many-sided dice: it both increases entropy and enjoyment of generating seeds. But why stop there? Spherical dice have an unlimited number of sides and are easy to produce...


https://www.tarquingroup.com/media/catalog/product/cache/1/image/9df78eab33525d08d6e5fb8d27136e95/F/B/FBA_555_l_2.jpg

Source: https://www.tarquingroup.com/spherical-dice-5-round-dice.html


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: webtricks on December 14, 2020, 08:13:47 AM
It's fun to read how this business attempt from Coldcard is turning into an epic fail! A pack of 100 dice to ease the process of creating entropy but no solution for determining the randomness of the dice sequence, this has to go down as one of the most absurd business ideas. Wait until I start selling a pack of 256 one-cent coins for $5.12 each. Easy money!



> It's really no different to giving a user say 2048 words and saying "pick 12/24 of these" ::) ::)

Well, technically it's different. Picking 12/24 words from 2048 won't work because last word includes checksum so wallets will show it as invalid seed.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: o_e_l_e_o on December 14, 2020, 12:28:36 PM
By the time you get up to a 120 sided die, you are on 6.9 bits of entropy per roll, meaning you only need 19 rolls to generate 128 bits of entropy. At that point, it's going to be far easier to just roll 19 times than mess around with colors and orders.

> True, but you could choose the first 11/23 words, then the software will fill the last few bits randomly, then generate the checksum and convert it (last few bits & checksum) to words.

You could also pick all 12/24 words and have the software just change the last one to the appropriate word with the correct checksum. Either way you are still manually picking your entropy so it is terrible decision, even if you are picking from a random subset (in the case of rolling 100 dice).
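
The checksum point raised above, as an added example (not from any poster or from a wallet's code): Python that works on BIP39 word indices (0 to 2047) instead of the words themselves, so no wordlist is embedded. It counts how many last words pass for a hand-picked prefix and shows how a tool can fill in the final word; the function names are made up for this illustration.

```python
import hashlib
import secrets

WORD_BITS = 11  # each BIP39 word is an 11-bit index into the 2048-word list


def _layout(n_words):
    """Return (entropy_bits, checksum_bits) for a mnemonic of n_words."""
    if n_words not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    total = n_words * WORD_BITS
    cs_bits = total // 33          # checksum is 1 bit per 32 bits of entropy
    return total - cs_bits, cs_bits


def _checksum(entropy, cs_bits):
    """First cs_bits bits of SHA-256(entropy), as an integer."""
    digest = hashlib.sha256(entropy).digest()
    return int.from_bytes(digest, "big") >> (256 - cs_bits)


def is_valid(indices):
    """True if the word indices carry a correct BIP39 checksum."""
    ent_bits, cs_bits = _layout(len(indices))
    value = 0
    for i in indices:
        if not 0 <= i < 2048:
            return False
        value = (value << WORD_BITS) | i
    entropy = (value >> cs_bits).to_bytes(ent_bits // 8, "big")
    return _checksum(entropy, cs_bits) == value & ((1 << cs_bits) - 1)


def complete_last_word(first_indices, fill=None):
    """Index of the final word, given all the other words.

    The last word holds (11 - cs_bits) entropy bits plus the checksum.
    `fill` supplies those entropy bits; by default they come from the OS CSPRNG.
    """
    ent_bits, cs_bits = _layout(len(first_indices) + 1)
    free_bits = WORD_BITS - cs_bits
    if fill is None:
        fill = secrets.randbits(free_bits)
    if not 0 <= fill < (1 << free_bits):
        raise ValueError("fill does not fit in the free bits of the last word")
    value = 0
    for i in first_indices:
        value = (value << WORD_BITS) | i
    value = (value << free_bits) | fill
    entropy = value.to_bytes(ent_bits // 8, "big")
    return (fill << cs_bits) | _checksum(entropy, cs_bits)


def valid_last_words(first_indices):
    """Every last-word index that yields a valid mnemonic."""
    return [w for w in range(2048) if is_valid(list(first_indices) + [w])]


if __name__ == "__main__":
    picked = [0] * 11   # constructed sample: eleven hand-picked words, all index 0
    ok = valid_last_words(picked)
    print(f"12 words: {len(ok)} of 2048 last words pass ({len(ok) / 2048:.1%})")
    print("all-zero entropy ends with index", complete_last_word(picked, fill=0))
    print("24 words:", len(valid_last_words([0] * 23)), "of 2048 last words pass")
```

For a 12-word phrase only 128 of the 2048 possible last words pass, and for 24 words only 8. Completing the last word this way contributes at most 7 or 3 bits, so the strength of the phrase still rests on how the earlier words were chosen.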


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: witcher_sense on December 14, 2020, 12:49:42 PM
> You could also pick all 12/24 words and have the software just change the last one to the appropriate word with the correct checksum. Either way you are still manually picking your entropy so it is terrible decision, even if you are picking from a random subset (in the case of rolling 100 dice).

Some wallets (Bluewallet is one of them if I am not mistaken) allow you to combine the methods with which entropy is generated. For example, you can use coins, dice of a different number of sides, and software random number generator to create a single seed. You can combine these methods, use them in different orders, etc. But I consider this method less safe when compared with hardware wallets.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: DaveF on December 14, 2020, 03:11:34 PM
> 7 piece of 120 sided dice? At this point, i would just use the money to buy a hardware wallet and keep the change.

True, but they are re-usable forever. No hardware updates, etc.
Also, this seems to be turning into a bit of a thought experiment. Which is good. Someone, ColdCard, Who I like, came up with a dumb marketing idea. Let's work on a better one, that does not have to be marketed.


> By the time you get up to a 120 sided die, you are on 6.9 bits of entropy per roll, meaning you only need 19 rolls to generate 128 bits of entropy. At that point, it's going to be far easier to just roll 19 times than mess around with colors and orders.

But messing around with dice is fun. Unless you are in a casino playing Craps, then messing with the dice will get you thrown out :-)
Yes, the larger number of sides does let you roll less. But I figure if you are going to do it with dice then go all the way and use as much entropy as possible.

-Dave


https://www.questionablecontent.net/comics/3183.png


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: suchmoon on December 14, 2020, 03:32:23 PM
> > 7 piece of 120 sided dice? At this point, i would just use the money to buy a hardware wallet and keep the change.
>
> True, but they are re-usable forever. No hardware updates, etc.

Wouldn't we be bumping into the limits of cheap plastic molding tolerances with such a die?

Rolling a bunch of six-sided dice and just counting them left-to-right top-to-bottom seems better than any complication TBH. Don't need to buy a 100 either, just grab what you can find in the board games laying around, or if you're one of the cool kids who doesn't play board games... well, toss a bucket of coins on a tile floor.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: Dabs on January 19, 2021, 01:43:10 PM
The biggest reason to stick to "normal" 6 sided dice is that plenty of companies make them in "casino grade" transparent colors with sharp edges. This minimizes any bias and prevents cheating. The casino rules also prevent cheating. You have to roll the dice across the table and it has to bounce back to be counted.

In practice, just bounce your own dice without looking at it for a few seconds and you'll be fine.

For most normal people, rolling 100 times or rolling 100 dice one time is good enough provided you have all other physical security in place.

For the issue of rolling 100 dice all at once, you can probably get a large enough box to put them in, then shake a little until they are semi-lined up at the bottom. They will be in some sort of order which you can then use, left to right, top to bottom.

You could also just get your 100 dice, throw them across the room, and use a stick to collect them, they'll be in a semi-random order.

It would be fun to roll 100 different colored dice, then take a picture of it, export the RAW file, and hash that.

This, in addition to any other entropy your hardware already generates from the OS, mouse movement, etc.


Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: DaveF on January 25, 2021, 12:07:05 AM
Someone pointed out to me a few decks of cards will also work quite well.
Pull out all the J - Q - K and shuffle well.
Pick the top "X" cards from "Y" decks and then shuffle well and do it again.

There are a lot of ways to do it if you want to avoid the electronic ones.

-Dave



Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: o_e_l_e_o on January 25, 2021, 12:23:45 AM
Ian Coleman's site (https://iancoleman.io/bip39/) will let you use all the cards from a full deck. Just click on "Show entropy details" and then click on "Card" on the right hand side, and enter the number and suit of each card you draw. It works by assigning some cards 5 bits of entropy (32 possible combinations), some cards 4 bits of entropy (16 possible combinations) and some cards 2 bits of entropy (4 possible combinations), for a total of 52 possible combinations. If you simply shuffle a full deck of cards and then draw all the cards, you will therefore reach 232 bits of entropy, so it leaves you a bit short for 24 words, but is enough for 12, 15, 18, or 21 words, but doing so is not entirely random since you are forcing the use of each card exactly once.

Better as you say to shuffle the deck after a set small number of cards and start again.



Title: Re: How to significantly decrease the randomness of your newly generated seed phrase
Post by: Dabs on January 25, 2021, 01:50:39 PM
Raffle stubs, Cards in a deck, Dice, Coin toss ... Dice is the one that makes the most sense, and if you really want or need a little "overkill" then just roll a few more times. Roll 101 times > more than 256 bits worth then feed it through a 256 bit hash function. I would not completely dismiss electronic ones (the hash function is not practical to be hand computed.)

6 sided Casino Grade dice would be your "gold" standard (bitcoin standard?) since casinos handle millions of dollars and obviously they do not want to be cheated. You can have your own lottery ball machine at home but it would not be practical.