Bitcoin Forum
September 22, 2019, 07:37:28 PM
 News: If you like a topic and you see an orange "bump" link, click it. More info.
 Home Help Search Login Register More
 Pages: [1]
 Author Topic: Entropy, how to calculate it from series of outcome  (Read 319 times)
Sanglotslongs2
Full Member

Offline

Activity: 248
Merit: 103

 October 21, 2018, 07:21:24 AMMerited by dbshck (2)

Hello,

I want to generate my own private key with dice and/or other very entropic phenomenon. But how can I calculate if my data have a good entropy ? I mean if I throw dice in a certain way too much time maybe my outcome will not be trully random, maybe my dice is not a very good dice and have imperfection etc.

So can I just throw it 300+ and if I don't have 0.166666% each result (1,2,3,4,5,6) it's not good ?

Also I want to write my own series of dice result just to compare how deficient is my brain when I try to generate true randomness.

Thanks

1569181048
Hero Member

Offline

Posts: 1569181048

Ignore
 1569181048

1569181048
 Report to moderator
1569181048
Hero Member

Offline

Posts: 1569181048

Ignore
 1569181048

1569181048
 Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1569181048
Hero Member

Offline

Posts: 1569181048

Ignore
 1569181048

1569181048
 Report to moderator
1569181048
Hero Member

Offline

Posts: 1569181048

Ignore
 1569181048

1569181048
 Report to moderator
bob123
Legendary

Offline

Activity: 1022
Merit: 1529

 October 21, 2018, 10:41:44 AMMerited by dbshck (4), bones261 (2)

I want to generate my own private key with dice and/or other very entropic phenomenon. But how can I calculate if my data have a good entropy ? I mean if I throw dice in a certain way too much time maybe my outcome will not be trully random, maybe my dice is not a very good dice and have imperfection etc.

Dice rolls are never random.

If you knew all necessary information (exact surface conditions, air resistance, rotating speed, ..) you could predict each roll with your dice. That's far away from being 'truly random'.

So can I just throw it 300+ and if I don't have 0.166666% each result (1,2,3,4,5,6) it's not good ?

You can't say that, no.

The probability tells you that if you are doing up to an infinite amount of rolls, you'll have pretty close to 0.166666% of each result.
But this is NOT a guarantee. Especially with such a low number (300), this doesn't need to be the case at all. You'd need at least a few hundred thousands of tries to be sure the output is 'kind of random'.

Also I want to write my own series of dice result just to compare how deficient is my brain when I try to generate true randomness.

No need to waste your time. The human brain is less than '1/10 random' as an PRNG.

If you want to create the private key yourself (without any wallet), i'd suggest to boot up a live linux, let it run a few minutes, open and close random programs, and then use /dev/urandom to generate a private key:

Code:
openssl ecparam -genkey -name secp256k1 -rand /dev/urandom

This is way more random than your brain or any dice rolls can ever be. And it only takes 5 seconds compared to a few hours.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
aplistir
Full Member

Offline

Activity: 351
Merit: 161

 October 21, 2018, 11:34:22 AM

One sure way to ensure randomness is to generate 2 keys.
First generate one with whatever way you like, eg, coin, dice or manually by pencil.

Then generate the 2.nd one with urandom.

And combine the 2 keys with XOR.

1.st:    01101001...
2.nd:   01011011...
result:  00110010...
(in XOR you add binary bits together bit by bit. if they are the same the result is 0, if one is 0 and other is 1 the result is 1)

In this way, even if only one of your keys is truly random, the result is still random.

Foxpup
Legendary

Offline

Activity: 2674
Merit: 1587

Vile Vixen

 October 21, 2018, 12:24:02 PMMerited by suchmoon (4), dbshck (2), theymos_away (2), pooya87 (1)

And combine the 2 keys with XOR.
Don't do this. In the unlikely event that there is any correlation between the two random sources, XOR will cancel them out, reducing entropy. The correct way to combine multiple entropy sources is to concatenate them, then hash the result.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
aplistir
Full Member

Offline

Activity: 351
Merit: 161

 October 21, 2018, 01:31:50 PM

And combine the 2 keys with XOR.
Don't do this. In the unlikely event that there is any correlation between the two random sources, XOR will cancel them out, reducing entropy. The correct way to combine multiple entropy sources is to concatenate them, then hash the result.
Interesting
I have heard about the possibility of using hash for combining 2 keys, but never knew how to do it.

Can it be so simple.

Sanglotslongs2
Full Member

Offline

Activity: 248
Merit: 103

 October 21, 2018, 05:04:11 PMLast edit: October 21, 2018, 05:17:30 PM by Sanglotslongs2

Dice rolls are never random.

If you knew all necessary information (exact surface conditions, air resistance, rotating speed, ..) you could predict each roll with your dice. That's far away from being 'truly random'.
I know but all this variables can be good enough to generate a private key.

No need to waste your time. The human brain is less than '1/10 random' as an PRNG.

Do you have a source for this ? I would like to read more about it

If you want to create the private key yourself (without any wallet), i'd suggest to boot up a live linux, let it run a few minutes, open and close random programs, and then use /dev/urandom to generate a private key:

Code:
openssl ecparam -genkey -name secp256k1 -rand /dev/urandom

I know that "randomness" is calculated from a lot of variables (memory usage in your message) is this process open ? Can we know what the variables are ? I know that INTEL'S CPU do it in a black box but it must be open process too. Thanks.

ETFbitcoin
Legendary

Offline

Activity: 1764
Merit: 2030

Use SegWit and enjoy lower fees.

 October 21, 2018, 05:24:11 PM

No need to waste your time. The human brain is less than '1/10 random' as an PRNG.

Do you have a source for this ? I would like to read more about it

I haven't read the thesis thoroughly, but there are few interesting things such as human choice of PIN in page 60.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
odolvlobo
Legendary

Offline

Activity: 2618
Merit: 1401

 October 22, 2018, 07:23:59 AMLast edit: October 25, 2018, 12:30:47 AM by odolvloboMerited by HeRetiK (1)

So can I just throw it 300+ and if I don't have 0.166666% each result (1,2,3,4,5,6) it's not good ?

I don't think there is a way to measure entropy of the generator from the outcomes. Also, when somebody says that something has "N bits of entropy", they are assuming an ideal RNG.

As for measuring the quality of your dice rolling, I think that simply measuring the uniformity of the distribution for a large number of rolls is probably sufficient, since a roll is probably not significantly affected by a previous roll or the time of the roll or the conditions during the roll.

If you want to be more thorough, then here is some information about other tests you can run: https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=906762

Dice rolls are never random.

If you knew all necessary information (exact surface conditions, air resistance, rotating speed, ..) you could predict each roll with your dice. That's far away from being 'truly random'.

That's an extreme statement. You could say the same thing about Brownian motion. In the end, it doesn't really matter if it is truly random or not. The end justifies the means when it comes to an RNG.

Buy stuff on Amazon at a discount with bitcoins or convert Amazon points to bitcoins: Purse.io
Join an anti-signature campaign: Click ignore on the members of signature campaigns.
HeRetiK
Legendary

Offline

Activity: 1232
Merit: 1123

the forkings will continue until morale improves

 October 22, 2018, 10:24:21 AM

Dice rolls are never random.

If you knew all necessary information (exact surface conditions, air resistance, rotating speed, ..) you could predict each roll with your dice. That's far away from being 'truly random'.

That's an extreme statement. You could say the same thing about Brownian motion. In the end, it doesn't really matter if it is truly random or not. The end justifies the means when it comes to an RNG.

Precisely.

You could also say the same about:

If you want to create the private key yourself (without any wallet), i'd suggest to boot up a live linux, let it run a few minutes, open and close random programs, and then use /dev/urandom to generate a private key:

Code:
openssl ecparam -genkey -name secp256k1 -rand /dev/urandom

Both are deterministic in the end, as long as you dig deep enough (but not so deep as to enter the quantum realm). The latter being obviously more practical than throwing dice.

As long as the result looks random to an outside observer, ie. does not show any bias towards certain numbers, you're golden. That is, as long as an adversary is unable to acquire the input required to (re)create the pseudo-random output. Which can be reasonably assumed for both physical dice and /dev/urandom.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Diamond Dallas Page
Newbie

Offline

Activity: 7
Merit: 7

 October 22, 2018, 11:23:54 AM

Hello,

I want to generate my own private key with dice and/or other very entropic phenomenon. But how can I calculate if my data have a good entropy ? I mean if I throw dice in a certain way too much time maybe my outcome will not be trully random, maybe my dice is not a very good dice and have imperfection etc.

So can I just throw it 300+ and if I don't have 0.166666% each result (1,2,3,4,5,6) it's not good ?

Also I want to write my own series of dice result just to compare how deficient is my brain when I try to generate true randomness.

Thanks

Try using the an open source program called ent. Here are the results for rolling a die six times with the result vector of <666666>.

% echo -n "666666" | ./ent

Entropy = 0.000000 bits per byte.

Optimum compression would reduce the size of this 6 byte file by 100 percent.

Chi square distribution for 6 samples is 1530.00, and randomly would exceed this value less than 0.01 percent of the times.

Arithmetic mean value of data bytes is 54.0000 (127.5 = random). Monte Carlo value for Pi is 4.000000000 (error 27.32 percent). Serial correlation coefficient is undefined (all values equal!).
bob123
Legendary

Offline

Activity: 1022
Merit: 1529

 October 24, 2018, 08:54:04 AM

Dice rolls are never random.

If you knew all necessary information (exact surface conditions, air resistance, rotating speed, ..) you could predict each roll with your dice. That's far away from being 'truly random'.

That's an extreme statement. You could say the same thing about Brownian motion. In the end, it doesn't really matter if it is truly random or not. The end justifies the means when it comes to an RNG.

Precisely.

You could also say the same about:

If you want to create the private key yourself (without any wallet), i'd suggest to boot up a live linux, let it run a few minutes, open and close random programs, and then use /dev/urandom to generate a private key:

Code:
openssl ecparam -genkey -name secp256k1 -rand /dev/urandom

Both are deterministic in the end, as long as you dig deep enough (but not so deep as to enter the quantum realm). The latter being obviously more practical than throwing dice.

As long as the result looks random to an outside observer, ie. does not show any bias towards certain numbers, you're golden. That is, as long as an adversary is unable to acquire the input required to (re)create the pseudo-random output. Which can be reasonably assumed for both physical dice and /dev/urandom.

That's correct. I have never claimed that /dev/urandom is truly random.

I just wanted to clear out the 'how to be sure that dice rolls are truly random' question.

More precisely my statement was:

This is way more random than your brain or any dice rolls can ever be.

And that's still my opinion. Humans tend to throw the dice in a similar motion each time. Especially with hundreds of rolls.
The outcome will be less random. And the brain being one of the worst sources of entropy should be commonly known, at least if you really need a random number and are ready to spend a few minutes to read into this subject.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
HeRetiK
Legendary

Offline

Activity: 1232
Merit: 1123

the forkings will continue until morale improves

 October 24, 2018, 09:07:49 AM

That's correct. I have never claimed that /dev/urandom is truly random.

I just wanted to clear out the 'how to be sure that dice rolls are truly random' question.

More precisely my statement was:

This is way more random than your brain or any dice rolls can ever be.

Fair enough.

And that's still my opinion. Humans tend to throw the dice in a similar motion each time. Especially with hundreds of rolls.
The outcome will be less random. And the brain being one of the worst sources of entropy should be commonly known, at least if you really need a random number and are ready to spend a few minutes to read into this subject.

I have my doubts about the first -- at least when someone tries to properly roll the dice and not just fake it -- but I absolutely agree with the brain being one of the worst sources of entropy (and real world attacks seem to support that claim).

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Sanglotslongs2
Full Member

Offline

Activity: 248
Merit: 103

 October 24, 2018, 07:57:26 PM

I wish to generate with dice my private key because I don't know if there is a risk to to not have a good random number if I run the prog on CPU. Is there documentation where they compare CPU random number ? If AMD / Intel / Broadcom have their specs. Because it's not only a software problem, I guess that true random number are also hardware dependant.

theymos_away
Member

Offline

Activity: 83
Merit: 26

 October 24, 2018, 08:36:06 PMLast edit: October 24, 2018, 09:04:21 PM by theymos_away

On Linux, that's basically how /dev/{,u}random works anyway. It does something like sha1(past_randomness + new entropy from keyboard etc.) repeatedly in order to produce endless random data. (This is a slight simplification, but it's more-or-less like this.)

CPUs offer a randomness instruction, but it's not used on Linux because people don't trust it. The CPU behaves deterministically, and entropy is gathered from elsewhere.

You can analyze the quality of random data to *some* extent using eg. ent (http://www.fourmilab.ch/random/), but it is logically impossible to know whether some data is truly random. For example, the output of a secure hash function should on average always test as perfectly random, indistinguishable from perfect quantum randomness, even if it's a hash of "1234" etc. OTOH, highly ordered-looking data can come out of a true random source sometimes.
RocketSingh
Legendary

Offline

Activity: 1622
Merit: 1010

 October 24, 2018, 09:04:09 PM

I want to generate my own private key with dice and/or other very entropic phenomenon.
Bitcoin blockchain itself is a great source of entropy. Last digit of each block is itself random. There is a dedicated thread discussing this phenomenon - https://bitcointalk.org/index.php?topic=1493510.0

ETFbitcoin
Legendary

Offline

Activity: 1764
Merit: 2030

Use SegWit and enjoy lower fees.

 October 25, 2018, 01:44:08 AM

Bitcoin blockchain itself is a great source of entropy. Last digit of each block is itself random. There is a dedicated thread discussing this phenomenon - https://bitcointalk.org/index.php?topic=1493510.0

Except that it's far less secure/random if it's used improperly, Thoughts on this private key stealing mystery have detailed case about it.
CSPRNG is still more secure and attacker almost have no information to correctly guess private key with balance.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Sanglotslongs2
Full Member

Offline

Activity: 248
Merit: 103

 October 25, 2018, 05:38:24 PM

I want to generate my own private key with dice and/or other very entropic phenomenon.
Bitcoin blockchain itself is a great source of entropy. Last digit of each block is itself random. There is a dedicated thread discussing this phenomenon - https://bitcointalk.org/index.php?topic=1493510.0

Yes but since it's public and a lot of people know bitcoin is it secure to use it ? Some hacker can "datamining" the hash of each blocks to steal cryptos. The same way they did datamining on brain wallet, a lot of people wich passphrase was a poem get hacked because the passphrase was hashed to a private key so hacker can attack all brain wallet in the same time (it's different from a bruteforce because bruteforce is agains a sample of encrypted data).

 Pages: [1]