Bitcoin Forum

Some weeks ago I made a visual tool to create a bitcoin private key. The most secure way for key generation is to flip a physical coin 256 times. I flipped a coin 256 times, and made a video how to create the bitcoin private key with my tool.

Here is the video instruction: https://youtu.be/WyBdYhwweaE (https://youtu.be/WyBdYhwweaE)

The total time just for flipping a coin was 16 minutes, plus some minutes to fill the cells in my key generator. So, the fastest way to create a safe bitcoin private key with the physical 256 coin flips is appox. 15-20 minutes.

Enjoy!  ::)

PS. The project discussion is also available here: https://bitcointalk.org/index.php?topic=5187401.0

What about flipping 256 coins all at once? I would expect that to be a lot faster.

I do not think that it is easier. In practice, flipping one coin 256 times is faster than flipping all 256 coins at once (in the terms of the private key generation).
1) As you flip 256 coins at once, they will fly to different corners of the room. Difficult to collect without losing some of them.
2) Flipping is only one step, you still need to enter the outcome of each coin (find every coin, collect it, etc) --> time
3) I used 2EUR (it is 8.5gr, 1.95mm width, 25.75mm dia). So, 256 coins are 2.2kg weight - no very easy to flip  :o {1EUR is 7.5gr, so the total weight is like the same 1.92kg}
4) As for me i do not have 256 equal coins :-) 256 of 2EUR coins is 512 EUR. Usually prefer notes for such amounts  8)

But i do not 100% sure that flipping one coin (as in my video) is faster. And will be very glad if somebody makes such experiment: flip 256 coins at once, and make a private key based on their outcomes.

Haha, very interesting way to generate a private key, 20 minutes well spent mate!

Not sure if it's the safest way to generate a private key, but it's definetly the most fun way to do something like that.

Flipping at once would be easier if you could contain the flip, it saves you the motion of flipping them one by one and going around and recording the results is easier then flipping them all one by one.

If you generate 256 bit of your private key flipping a coin, you can 100% be sure that all your 256 bits are absolutely random.
If you generate a private key with the help of some software/wallet/other service, you can not be sure in their random algorythm. In some cases they also could be pseudorandom, generating the predefined keys within the predefined range (even if you use them offline).

This is misleading, physical things like coins or dice can have a lot non-randomness if they were not designed specifically for the purpose of generating random numbers - https://www.schneier.com/blog/archives/2009/08/non-randomness.html

If you are paranoid about your computer being backdoored to generate non-random keys, you should probably just stop using Bitcoin, since backdoored system can cause harm in many other ways - for example, generating non-random k parameter in ECDSA.

Also, generating private key inside the browser is much less secure compared to software, especially if it's done online.

That's true, but it depends on the software. For example, using ledgers software which randomally creates private keys it would be impossible for you to backdoor your way into it, due to limited internet connection and you needing to actually access the ledger wallet.

RNG is a weird topic and it's too advanced for this thread. But dice and coin flips are not completely random all the time.

Ok, for fun there is also a "pattern" way of key generation: https://youtu.be/0Ug4YBEyRFQ (https://youtu.be/0Ug4YBEyRFQ)
This is like brain wallet, but use logos, patterns, symbols and other visual ideas  :D

Such pattern keys could be used for small gifts and funny presents to others.

since your tool supports it, try finding a 16 sided dice and roll that. these dies are also a popular way of creating random numbers (in hexadecimal format) and they are specially designed to be unbiased and produce a truly random result. the befit of it is that you only need to roll it 64 times which is a lot less than 256 times flipping a coin.

Looked at  video and should say the private key you generated via shaking a disposable cup is not random but rather pseudorandom in fact is the coin in the cup has the limits in  all directions.  IMHO, you would get the better results with  flipping   the coin up by the snap of two fingers.

Yes, non-random k value in digital signatures is much much bigger problem! It is like appear on public absolutely nude with the clear private key written on the body  ;D

Thank you for your feedback. Probably you are right.
There are different ways of flipping the coin - https://www.wikihow.com/Flip-a-Coin (https://www.wikihow.com/Flip-a-Coin)
And iI beleive that every human flipping a coin makes it in some pseudorandom way because of his habits, physical conditions, etc. And in fact, all these different singularities would add the additional entropy for the key generation process (like one man will make the flips with 51%/49% odds, another with 48%/52% odds, etc

Cool idea! You are right, my tool allows to input the HEX value of the private key.
I searched 16side HEX dices and found a lot of them in internet for 1-3USD. Will order this dice for my experiments, nice thing.
Thank you!

If I have more time and I am bored then I will try doing that entertaining way of creating a private key. But given that time is crucial for me I guess Ill just pass and just be contented to the private key attached to the generated address on websites that host webwallets. Though it will take a long time to make a private key but I imagine it to be fun. I do thank you for sharing it in this forum and it really adds another folder to my knowledge about crypto.

Nice. I guess it safer to do this offline as you suggested in your other thread. And a clean or brand new pc would be more suitable for even better security.
Generating a private keys in this way can be quite intimidating. The next thing would probably be to make it easier for even a 10year old kid to generate his own private keys in this way.

I don't agree that the results are absolutely random. The coin weight might be a little biased, and you may have some muscular memory also which may lead to less randomness. Ofc this it is enough random for a private key generationg...... But I believe that are some better computer-based methods.

I still think the most secure way of generating a private key is through a hardware wallet. However, for educational purposes, this flipping method is amazing.

Can you explain the algorithm and the process of private key generation by a hardware wallet (ley's say by Ledger)?

Ledger nano does not generate private keys, but a BIP 39 24 word mnemonic seed. Different from what you are doing, because generating private keys directly (however, this allows you to create just one address)

I was able to find this information regarding randomness of the process (i think this is what you are looking for)





If you think their entropy is not good enough, you can also add a passphrase to your seed, it will add an additional entropy to your private keys generation.

Actually the same random number: 256bit number - they still generate a 256bit number (like 256 coin flips in my case). They just use this number in a different way: they append 8 first bits (actually repeat them) to receive 264bits in order to present it by 24 words. So, first of all they generate 256bit number, and later present this number by 24 words from 2,048 determined words list.

Hence, the common thing in "coin flip" and "hardware wallet" is a 256bit number generation. My visual tool makes it visually flipping a coin 256 times with 50%/50% chances for every bit, and I evaluated these 256 bits as absolutely random. Howeve you argued this and said that:

Probably we compare the different things: randomness and security. If you mean the most secure way, i also beleive that the hardware wallet could be better (at least the user does not know the key and does not have some parts of it in memory). For security we should consider more things, not only randomness.

But I was talking about randomness saying that the coin flip method is absolutely random. If you still beleive that hardware wallet generates "more random" number rather than a physical coin flip, can you please describe why? In other words, why the AIS-31 compliant true random number generator (TRNG) generates a more random 256bit number rather than physical coin fliped 256 times?

I do not understand the limitations on AIS-31 compliant. Maybe someone who has more knowledge can help us better ( i would move this topic to technical discussion board for better inputs from community and less yobit spammers).

But there are limitations on randomness of flipping a coin over and over again.

1 - muscular memory -  i don't know if that expression is correct, I am talking about you doing the exactly same movement 256 times is not totally random. Your movement may not be 50-50, but 30-70, as it is the same over and over again. Maybe if you asked to different 256 people flip the coin once, it would have a better randomness.

2 - coin may have not be completely balanced, which could also lead to biased results (not 50-50).

But anyway, as I said before, I think it is enough randomness for a priavate key generation. Don't know if it is better or not than AIS-31. But flipping a coin is not perfectly random imo.

It's certainly not perfectly random but it's safer than relying on so called "True Random" Number Generators that can be bugged or having design weaknesses, and are actually just trustful blackboxes. I think it's well known physical sources of entropy are safer than digital ones.

With the iancoleman page you can generate 24 words seeds by using 6 sided dices, 52 cards decks, binary sources(like coin flips), etc.

https://iancoleman.io/bip39/ (enable Show entropy details)

meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

I'm not sure about that, it's well known that computer generated entropy is globally less safe than physical ones, where have you seen the opposite?

https://www.fourmilab.ch/random/

https://iancoleman.io/bip39/

https://www.bitaddress.org

Casino grade dice are the only dice that should be used.

They are used by casinos for good reasons. They are transparent. They have sharp edges. They are accurate to 0.01 mm or have very small tolerance. They are perfect cubes. Each face has equal weight.

Then, as in the game craps, you should roll them across a surface and only count the result if it bounces back against the other side.

https://www.youtube.com/watch?v=W9zJ0b91SQ0
https://www.youtube.com/watch?v=7n8LNxGbZbs

Use dice rolling machines to roll dice a million times. Fun project.

If feel like that is major overkill. Randomness is not the primary goal.

In a brute force attack, the attacker uses their knowledge of any biases to reduce the search space. A purely random number has no biases, so it is an effective tool. But, it is not a necessary condition since a lack of randomness does not necessarily give the attacker any information.

Suppose, I have a hardware random number generator that tends to set some bits to 1 and some other bits to 0. If the attacker does not know which bits are biased and what their biases are, they have no information that will help them.

You can say that flipping a coin is not truly random, but it is effectively random to the attacker unless they know the exact conditions that were present when the coin was flipped.

Suppose I take 256 coins and set a number of of them to heads and the rest to tails, and then I arrange them in a certain order. Assuming that the number of heads vs. tails and the order of the coins makes no difference to me (i.e., I have no obvious biases), the result is effectively random to the attacker even though it is not random at all.

Well, you could always grab a cheap bucketfull of regular game dice, shake them for a few seconds in a container, then dump them on the floor, take a picture of the floor with the dice, grab the raw or jpeg file, and get it's SHA256, use that result as the private key (or as input to another generator).

Might be overkill, but it's fun. And you'll only need to do it once.

Personally, I'd just use the bip39 page and click on 24 words a few times, then save the extended private key somewhere; maybe make a few more. At least those can be loaded into most hardware wallets and Electrum.

its a really good idea. and can be updated. for example you can use 2d20 or something else. it can be more attractive. this is a proof of how flexible bitcoin is i think.

Such a techique is not equivalent of true random generator and all of the resulting keys shouldn't ever be trusted.

If you wish a guaranteed and independent entropy then you can buy any uranium mineral and use Geuger counter to make as many random bytes as you want.

I tried this and it worked very well.

https://www.youtube.com/watch?v=00h0_Tq8ThA
https://www.youtube.com/watch?v=vtk1o2Qc0u4
https://www.youtube.com/watch?v=pBdqaxtJFHQ
https://www.youtube.com/watch?v=bmK_MVnli7c

My source code is here:

https://github.com/CryptoManiac/rng

It works much faster than flipping the coins and provides a real, guaranteed and unconditioned security.

Agree with you.


In most cases the attacker will not know the biases. However in case he knows some bits are 52% instead of 50%, this information will not actually help in practice, because the total possible combinations still will tend to a very big number close to 2^256

Wouldn't rolling a d20 dice be even more effective? coins is 1/2 x 256 d20 is 1/20 x 256 you will get your average out of 20 in 5% increments instead of 50% ones with coin flips.
Alternatively, you can just count 11+ as On or true and 10 or less Off or false. It depends if you want a % ratio or just an on or off like binary code.

I would personally use dice then coins. More random. You could probably achieve the same as 256 coin flips with fewer dice rolls but that is some serious maths stuff and my head is too sore right now.

If I have made a mistake or something is not right just let me know. I'm not 100% sure if I am right about this.

Actually this way is the same as coin flip - chances are still 50%/50%. It does not matter if you roll d6 dice counting 4-5-6 as "1" and counting 1-2-3 as "0", or roll d20 dice counting 11-20 as "1" and 1-10 as "0" or flip the coin - te chances are still 50%/50%. But if you like a dice - no problem of course )


Yes, it is possible to achieve the same with less dice rolls. But for integer calculation it is better to take the dice with the quantity of sides equal to the 2 power.
For example, for d16 dice you need only 64 rolls. The maths is easy: you need to receive 256bits, one d16 roll gives you 4 bits, so the total quantity of rolls is 256/4 = 64.
Why d16 roll gives 4 bits? - because 16 is 2^4, and the possible combinations of one d16 roll are from 0 to F (in HEX), or from 0 to 15 (in DEC), or from 0000 to 1111 (in BIN) - exactly 4 bits.

PS. One d20 roll gives Log2(20) = 4.32bits (not integer number). So, you need 59.233 rolls :) Or, you can make 59 rolls by d20 dice to receive almost 255 bits (254.99), and add 1 coin flip ) But better to make 60 rolls and have more bits. Anyway, with d20 dice you need 60 operations. In general, the total quantity of operations with n-outcome physical source is 256/log2(n).

I do agree that flipping a coin 256 times is very random. In all reality though the odds are only 50% each flip. I feel that with a computuer it would be really easy to come up with the exact outcome pretty easily. That is of course after several tries. As flipping a coin is one of the most random/Not random option there is. It is either going to be A or B. You just have to keep trying until A, and B, match up 250 times! I would rather just type a bunch of letters or wiggle my mouse a few times. I feel the odds of finding it that way would be much harder!

I do like the idea though. I do see how it could be beneficial!

I'm not going out to buy any uranium. I mean, if you already have access to such material, then fine. Otherwise stick to a bunch of dice / coins / cards or any of hundreds of cryptographically secure PRNGs.

I like this one:
http://pwgen-win.sourceforge.net/

Used it awhile back to make random passwords that use Base58check (so they look like bitcoin addresses or private keys).

Uranium ore is available at eBay and the prices are quite reasonable. It's not illegal when people are selling some useless rocks to each other. These are just rocks, literally, and there is nothing dangerous in them. As long as you don't drop them on the people's heads from the balcony, of course.

first of all my point is that people should never use a method that they may not understand the risk of. for instance using a coin may sound safe but what if the user who was using this method used a biased coin? or messed up entering the results and put more 1s than he should have? or what if he used a bad code that converted things wrong?....

secondly when you say "less safe" you should know that it does not mean "not safe". for example there has been millions of bitcoin keys used so far, i bet 99% of them are produced by a computer and an RNG. we only have rare cases where a shitty tool like blockchain.info wallet, etc led to losses due to bad RNG. the decent tools such as bitcoin core, electrum, and lots of others have never had such problems!

I agree that millions of keys were produced by a simple computer's RNG, and these wallets are still alive. For example, where are a lot of stories people mined in 2009-2011 years but lost their private keys on old hard drives and computers. In 2009 there was only one tool - bitcoin application - which generated the address for less than a second based on computer RNG. The first users even did not understand what was the private key - they had only bitcoin addresses showed in the application, private keys were encoded within the wallet.dat file. "Not safe" computer RNG was used or private key generation. Why have that early addreses not hacked yet? The answer is that the numbers in bitcoin are so large that "not safe" randomness "and not perfect entropy" is still enough to safe funds for a long period of time.