Bitcoin Forum
Author Topic: Using mouse input for extra entropy  (Read 345 times)
pereira4 (OP)
August 20, 2019, 02:38:00 AM
 #1

Truecrypt/Veracrypt uses something interesting during the creation of encrypted volumes: it asks for the user to move his mouse in random patterns for extra entropy. Could this be beneficial when creating an HD wallet for the first time? See this:

https://www.youtube.com/watch?v=cxo8xosH_TI&t=15m07s

Just an idea if someone is developing a wallet or if this could be implemented within existing wallets improving entropy.
bitmover
August 20, 2019, 02:43:38 AM
 #2

There are wallets doing that already.
Like this one

https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html

You move your mouse until you make the necessary entropy. You can use your keyboard as well with your mouse movements. After that, your private key is generated.

However, I read somewhere that humans are not good sources of entropy.... so maybe that is not a good idea. We probably keep moving the mouse in some crazy pattern.

LoyceV
August 20, 2019, 04:07:49 PM
 #3

You move your mouse until you make the necessary entropy. You can use your keyboard as well with your mouse movements. After that, your private key is generated.
When I do this, I move my mouse with my other hand, and criss cross my hands on the keyboards to make it less likely to use a repetitive pattern.

Quote
However, I read somewhere that humans are not good sources of entropy.... so maybe that is not a good idea. We probably keep moving the mouse in some crazy pattern.
I always assumed this isn't the only source of entropy they use, but it's added to some other random generator in the computer. I've just tested it on https://www.bitaddress.org: without using my mouse (Tab many times to be able to type in the entry field), I filled it by holding the A-button. After that, I did the same again. As expected, this produced 2 different private keys.

bitmover
August 20, 2019, 04:20:18 PM
 #4

I always assumed this isn't the only source of entropy they use, but it's added to some other random generator in the computer. I've just tested it on https://www.bitaddress.org: without using my mouse (Tab many times to be able to type in the entry field), I filled it by holding the A-button. After that, I did the same again. As expected, this produced 2 different private keys.
I agree that the website uses also another source of entropy. Otherwise, some private keys generated would eventually collide.

And different users would eventually share the same keys, as this website is very popular and new keys are generated every day.

khaled0111
August 20, 2019, 11:45:47 PM
 #5

I always assumed this isn't the only source of entropy they use, but it's added to some other random generator in the computer. I've just tested it on https://www.bitaddress.org: without using my mouse (Tab many times to be able to type in the entry field), I filled it by holding the A-button. After that, I did the same again. As expected, this produced 2 different private keys.
True.
You will not get the same address. Bitaddress does not use only mouse movements or keystrokes to generate entropy:
bitaddress.org) Uses a PRNG that is seeded with a 256 byte array. That initial seed is used by the PRNG to generate 32 bytes for each address on the page based on the same 256 byte seed pool. To inject entropy into the PRNG's seed pool browser fingerprinting, time, key presses, mouse movements and hardware randomness from the OS are all xor'd together. As well the output of the PRNG is xor'd with the hardware randomness.

PrimeNumber7
August 21, 2019, 07:00:19 AM
Merited by LoyceV (1)
 #6


Quote
However, I read somewhere that humans are not good sources of entropy.... so maybe that is not a good idea. We probably keep moving the mouse in some crazy pattern.
I always assumed this isn't the only source of entropy they use, but it's added to some other random generator in the computer. I've just tested it on https://www.bitaddress.org: without using my mouse (Tab many times to be able to type in the entry field), I filled it by holding the A-button. After that, I did the same again. As expected, this produced 2 different private keys.
I believe the idea is to address the risk of having flawed RNG because of the computer being compromised and not producing truly random numbers when directed.

A compromised computer producing not truly random numbers is unlikely to produce a collision after two 'random' events. They will rather produce random numbers in a smaller space. The output will appear random without testing, but someone with knowledge of the specific space numbers will be generated will be able to generate a collision with fairly low effort.

The movement of the mouse is intended to counter the above risk in adding user specific random to create a larger space of possible private keys even if the computer's random function is compromised.
ABCbits
August 21, 2019, 08:27:24 AM
Merited by khaled0111 (1)
 #7

A compromised computer producing not truly random numbers is unlikely to produce a collision after two 'random' events. They will rather produce random numbers in a smaller space. The output will appear random without testing, but someone with knowledge of the specific space numbers will be generated will be able to generate a collision with fairly low effort.

The movement of the mouse is intended to counter the above risk in adding user specific random to create a larger space of possible private keys even if the computer's random function is compromised.

If computer/OS random function (such as /dev/random) is compromised, then that means your computer most likely is compromised as well since you need superuser access to compromise it.
It's different case if there's malicious update by OS provider or OS's random function had vulnerability to begin with.

Besides, good entropy won't help if the output is biased.

Abdussamad
August 21, 2019, 12:02:14 PM
 #8

There are wallets doing that already.
Like this one

bitcoin paper wallet

You move your mouse until you make the necessary entropy. You can use your keyboard as well with your mouse movements. After that, your private key is generated.

However, I read somewhere that humans are not good sources of entropy.... so maybe that is not a good idea. We probably keep moving the mouse in some crazy pattern.

This site isn't safe. Please remove your active link to it. You don't want to help it rank better in the search engine results pages!
bitmover
August 21, 2019, 01:55:10 PM
 #9

This site isn't safe. Please remove your active link to it. You don't want to help it rank better in the search engine results pages!

No site is safe for newbies. You should always use a hardware wallet if you are a newbie.

It was his fault.
Quote from: https://www.reddit.com/r/Bitcoin/comments/cs68ri/my_paper_wallet_generated_on/
I generated my bitcoin paper wallet on https://bitcoinpaperwallet.com/ in January, 2019. I did it online in my browser and didn’t follow through all the recommendations at https://bitcoinpaperwallet.com/#security page.

That guy didn't follow recommendations and is now crying that he was hacked....

Abdussamad
August 21, 2019, 04:04:13 PM
 #10

This site isn't safe. Please remove your active link to it. You don't want to help it rank better in the search engine results pages!

No site is safe for newbies. You should always use a hardware wallet if you are a newbie.

It was his fault.
Quote from: https://www.reddit.com/r/Bitcoin/comments/cs68ri/my_paper_wallet_generated_on/
I generated my bitcoin paper wallet on in January, 2019. I did it online in my browser and didn’t follow through all the recommendations at 

That guy didn't follow recommendations and is now crying that he was hacked....

If the site is compromised it doesn't matter if you use it offline or online. The owner of the site could easily set it up to generate compromised private keys. Other users have complained about this site too. It  is not safe.
bob123
August 21, 2019, 05:33:31 PM
 #11

If the site is compromised it doesn't matter if you use it offline or online. The owner of the site could easily set it up to generate compromised private keys. Other users have complained about this site too. It  is not safe.

Do you know how many people have complained about electrum already? Countless..
Do you regard electrum as not being safe too?

I do not agree with any kind of paper wallet creation through websites (regardless whether online or offline). But without proper evidence, or at least some indications, calling a random paper wallet website not safe is not completely correct.
No website is safe for newbies. No web wallet is. And no desktop wallet is.
Nothing is safe for a user without common sense. Not even a hardware wallet.

Are there any indications why this website should be avoided (besides newbies complaining about it)?

Abdussamad
August 22, 2019, 04:36:51 PM
 #12

If the site is compromised it doesn't matter if you use it offline or online. The owner of the site could easily set it up to generate compromised private keys. Other users have complained about this site too. It  is not safe.

Do you know how many people have complained about electrum already? Countless..
Do you regard electrum as not being safe too?

I do not agree with any kind of paper wallet creation through websites (regardless whether online or offline). But without proper evidence, or at least some indications, calling a random paper wallet website not safe is not completely correct.
No website is safe for newbies. No web wallet is. And no desktop wallet is.
Nothing is safe for a user without common sense. Not even a hardware wallet.

Are there any indications why this website should be avoided (besides newbies complaining about it)?

The original owner washed his hands of it years ago. He may have sold it to a scammer or he may have broken bad himself. It cannot be trusted.
bitmover
August 22, 2019, 05:06:15 PM
 #13

The original owner washed his hands of it years ago. He may have sold it to a scammer or he may have broken bad himself. It cannot be trusted.

Did you expect the former owner of the website to do anything different? He said he sold the website and cannot be responsible for it anymore.

What did you expect? Like "ok, I sold my website but I can guarantee that the new owner is an honest guy and I am responsible for his actions"

That's not how things work. And if you properly airgap your computer, the risks of using this website are very low (or non existent)

bob123
August 22, 2019, 05:31:41 PM
Merited by Abdussamad (2), bitmover (1)
 #14

That's not how things work. And if you properly airgap your computer, the risks of using this website are very low (or non existent)

Not necessarily.

If the PRNG is sabotaged or it is coded to only create X (e.g. 1.000.000) different private keys, then even using it offline would not be safe.
And that would probably be the most realistic attack if a bad actor would use such a site to steal funds.

Abdussamad
August 22, 2019, 06:11:44 PM
 #15

The original owner washed his hands of it years ago. He may have sold it to a scammer or he may have broken bad himself. It cannot be trusted.

Did you expect the former owner of the website to do anything different? He said he sold the website and cannot be responsible for it anymore.

What did you expect? Like "ok, I sold my website but I can guarantee that the new owner is an honest guy and I am responsible for his actions"

If you sell your site to a scammer then you definitely bear some responsibility. You're setting people up to lose money. The only way to legitimately exit such a business is to sell it to someone you know is honest. Otherwise you don't sell it at all and yes that means you lose out on the gains but it is the right thing to do.

An example of the correct way to do things can be found in the sale of multibit software to keepkey. The multibit developers made sure to sell to a trusted entity in the space. When Keepkey found themselves incapable of maintaining the software they chose to shutdown the project rather than sell it to a malicious entity. They could have sold it and recovered the amount they spent on acquiring multibit but they chose doing the right thing over material gains. All in all no user lost funds and the reputations of all parties involved were maintained.

Quote
That's not how things work. And if you properly airgap your computer, the risks of using this website are very low (or non existent)

No, you are mistaken. If the site is malicious it could be programmed to generate private keys known to the site owner. In that case it doesn't need network connectivity to compromise wallets so using it offline doesn't make a damn bit of difference.
pereira4 (OP)
August 22, 2019, 06:17:47 PM
 #16

Good idea, but AFAIK some wallet already use /dev/random and few OS-level random which generally accepted for cryptography usage.
Additionally, /dev/random have various entropy source which is more "random" than mouse.

The point is to add an extra set of entropy on top of using /dev/random and whatever other RNG, it's just to spice things up after you've setup your whole thing, obviously you can't depend on mouse input alone, but I don't see how this isn't an improvement in overall entropy, assuming the whole thing is done in an airgapped computer and so on (unlike the guy that requested that online site).
bitmover
August 22, 2019, 06:28:36 PM
 #17

No, you are mistaken. If the site is malicious it could be programmed to generate private keys known to the site owner. In that case it doesn't need network connectivity to compromise wallets so using it offline doesn't make a damn bit of difference.

Well, until you have some evidence that this is happening, you can't condemn the website.

You showed me a link of a newbie that lost his funds because he didn't take any precaution and didn't follow website recommendations.


PrimeNumber7
August 23, 2019, 05:12:14 AM
 #18

A compromised computer producing not truly random numbers is unlikely to produce a collision after two 'random' events. They will rather produce random numbers in a smaller space. The output will appear random without testing, but someone with knowledge of the specific space numbers will be generated will be able to generate a collision with fairly low effort.

The movement of the mouse is intended to counter the above risk in adding user specific random to create a larger space of possible private keys even if the computer's random function is compromised.

If computer/OS random function (such as /dev/random) is compromised, then that means your computer most likely is compromised as well since you need superuser access to compromise it.
<>
Besides, good entropy won't help if the output is biased.
Using your mouse for additional 'randomness' will only help against a narrow subset of possible attacks, but one that is difficult to detect.

This might help you if you are using an 'offline' computer to generate private keys that has previously been exposed to the internet, but that will not be connected to the internet in the future. An attacker may anticipate this and mess with the /dev/random function and nothing else.

I understand this private key generation will take both the output from the /dev/random and the mouse movements converted into a number, and display a private key based on both. So if the /dev/random produces the same output two times, the difference in mouse movements will cause the software to produce two private keys.
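
The mixing discussed in this thread, as an added example that is not part of any post and not code from bitaddress.org or any wallet: OS randomness and mouse samples are hashed together (SHA-256/HMAC is a choice made here in place of the XOR pooling quoted in post #5), and the result is rejection-sampled into the secp256k1 range so the output is not biased. `weak_rng`, `TRACE_A` and `TRACE_B` are constructed stand-ins, not real captures.

```python
import hashlib
import hmac
import os
import struct

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def encode_mouse_events(events):
    """Serialise (x, y, timestamp_us) samples as fixed-width big-endian fields."""
    return b"".join(struct.pack(">iiQ", x, y, t) for x, y, t in events)


def derive_private_key(os_random, mouse_events):
    """Mix OS randomness and mouse samples into one secp256k1 private key.

    Both inputs are length-prefixed and hashed together, so a predictable
    input cannot cancel out the other one.
    """
    if len(os_random) < 32:
        raise ValueError("need at least 32 bytes from the OS RNG")
    mouse = encode_mouse_events(mouse_events)
    pool = hashlib.sha256(
        struct.pack(">I", len(os_random)) + os_random
        + struct.pack(">I", len(mouse)) + mouse
    ).digest()
    # Rejection sampling: derive a fresh candidate instead of reducing
    # modulo N, which would make small values slightly more likely.
    counter = 0
    while True:
        label = b"privkey" + struct.pack(">I", counter)
        candidate = hmac.new(pool, label, hashlib.sha256).digest()
        if 1 <= int.from_bytes(candidate, "big") < SECP256K1_N:
            return candidate
        counter += 1


def weak_rng(index):
    """Constructed stand-in for an RNG limited to 1,000,000 distinct outputs."""
    seed = struct.pack(">I", index % 1_000_000)
    return hashlib.sha256(b"weak-rng" + seed).digest()


# Constructed traces (x, y, microsecond timestamp); they differ by 1 microsecond.
TRACE_A = [(102, 340, 1_000_013), (105, 338, 1_008_421), (111, 331, 1_016_902)]
TRACE_B = [(102, 340, 1_000_013), (105, 338, 1_008_421), (111, 331, 1_016_903)]


if __name__ == "__main__":
    # Weak RNG repeats its output: without mouse input the key repeats too.
    print(derive_private_key(weak_rng(7), []).hex())
    print(derive_private_key(weak_rng(1_000_007), []).hex())
    # Same repeated RNG output, different mouse traces: two different keys.
    print(derive_private_key(weak_rng(7), TRACE_A).hex())
    print(derive_private_key(weak_rng(7), TRACE_B).hex())
    # Healthy RNG, no mouse input at all: keys still differ on every run.
    print(derive_private_key(os.urandom(32), []).hex())
```

The trace widens the key space only by as much as it is unpredictable to an attacker, and a generator that is itself malicious, the case raised in posts #14 and #15, can simply ignore it.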
bob123
August 23, 2019, 06:47:24 AM
 #19

So if the /dev/random produces the same output two times, the difference in mouse movements will cause the software to produce two private keys.

This won't happen. /dev/random uses multiple sources as entropy, including CPU interrupts and noise from drivers.
You won't produce the same result twice. Adding mouse movement won't change much.

/dev/random and /dev/urandom both are considered good PRNGs.


And even tho an attacker might be able to compromise those files, this also means he already compromised the system and therefore does not need to change /dev/random at all.

Abdussamad
September 02, 2019, 05:11:45 AM
 #20

No, you are mistaken. If the site is malicious it could be programmed to generate private keys known to the site owner. In that case it doesn't need network connectivity to compromise wallets so using it offline doesn't make a damn bit of difference.

Well, until you have some evidence that this is happening, you can't condemn the website.

You showed me a link of a newbie that lost his funds because he didn't take any precaution and didn't follow website recommendations.



Another victim of bitcoin paper wallet dot com: https://www.reddit.com/r/CryptoCurrency/comments/cyd6uj/bitcoinpaperwalletcom_scam_or_not_4_btc_stolen/ .