Bitcoin Forum
Author Topic: Private Key by 256 coin flips  (Read 415 times)
Saint-loup
October 24, 2019, 12:44:33 PM
Last edit: October 24, 2019, 01:00:24 PM by Saint-loup
Merited by MrFreeDragon (1)
 #21

Quote
I do not understand the limitations on AIS-31 compliant. Maybe someone who has more knowledge can help us better (I would move this topic to technical discussion board for better inputs from community and less yobit spammers).

But there are limitations on randomness of flipping a coin over and over again.

1 - muscular memory - I don't know if that expression is correct, I am talking about you doing the exactly same movement 256 times is not totally random. Your movement may not be 50-50, but 30-70, as it is the same over and over again. Maybe if you asked 256 different people to flip the coin once, it would have a better randomness.

2 - coin may not be completely balanced, which could also lead to biased results (not 50-50).

But anyway, as I said before, I think it is enough randomness for a private key generation. Don't know if it is better or not than AIS-31. But flipping a coin is not perfectly random imo.

It's certainly not perfectly random but it's safer than relying on so called "True Random" Number Generators that can be bugged or have design weaknesses, and are actually just trustful blackboxes. I think it's well known physical sources of entropy are safer than digital ones.

With the iancoleman page you can generate 24-word seeds by using 6-sided dice, 52-card decks, binary sources (like coin flips), etc.

https://iancoleman.io/bip39/ (enable Show entropy details)

BrewMaster
October 24, 2019, 02:28:08 PM
 #22

+++

meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

There is a FOMO brewing...
Saint-loup
October 24, 2019, 05:06:13 PM
 #23

Quote
meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.

I'm not sure about that, it's well known that computer generated entropy is globally less safe than physical ones, where have you seen the opposite?

Quote
Applying this test to the output of various pseudorandom sequence generators is interesting. The low-order 8 bits returned by the standard Unix rand() function, for example, yields:
Chi square distribution for 500000 samples is 0.01, and randomly would exceed this value more than 99.99 percent of the times.
While an improved generator [Park & Miller] reports:
Chi square distribution for 500000 samples is 212.53, and randomly would exceed this value 97.53 percent of the times.
Thus, the standard Unix generator (or at least the low-order bytes it returns) is unacceptably non-random, while the improved generator is much better but still sufficiently non-random to cause concern for demanding applications.
https://www.fourmilab.ch/random/

Quote
Entropy values must be sourced from a strong source of randomness. This means flipping a fair coin, rolling a fair dice, noise measurements etc.
https://iancoleman.io/bip39/

Quote
An important part of creating a Bitcoin wallet is ensuring the random numbers used to create the wallet are truly random. Physical randomness is better than computer generated pseudo-randomness. The easiest way to generate physical randomness is with dice.
https://www.bitaddress.org

Dabs
October 24, 2019, 05:48:18 PM
Merited by MrFreeDragon (1)
 #24

Casino grade dice are the only dice that should be used.

They are used by casinos for good reasons. They are transparent. They have sharp edges. They are accurate to 0.01 mm or have very small tolerance. They are perfect cubes. Each face has equal weight.

Then, as in the game craps, you should roll them across a surface and only count the result if it bounces back against the other side.

https://www.youtube.com/watch?v=W9zJ0b91SQ0
https://www.youtube.com/watch?v=7n8LNxGbZbs

Use dice rolling machines to roll dice a million times. Fun project.

odolvlobo
October 24, 2019, 08:23:23 PM
 #25

Quote
Casino grade dice are the only dice that should be used. ...

I feel like that is major overkill. Randomness is not the primary goal.

In a brute force attack, the attacker uses their knowledge of any biases to reduce the search space. A purely random number has no biases, so it is an effective tool. But, it is not a necessary condition since a lack of randomness does not necessarily give the attacker any information.

Suppose, I have a hardware random number generator that tends to set some bits to 1 and some other bits to 0. If the attacker does not know which bits are biased and what their biases are, they have no information that will help them.

You can say that flipping a coin is not truly random, but it is effectively random to the attacker unless they know the exact conditions that were present when the coin was flipped.

Suppose I take 256 coins and set a number of them to heads and the rest to tails, and then I arrange them in a certain order. Assuming that the number of heads vs. tails and the order of the coins makes no difference to me (i.e., I have no obvious biases), the result is effectively random to the attacker even though it is not random at all.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
Dabs
October 24, 2019, 08:39:23 PM
 #26

Quote
Casino grade dice are the only dice that should be used. ...
I feel like that is major overkill. Randomness is not the primary goal.

Well, you could always grab a cheap bucketful of regular game dice, shake them for a few seconds in a container, then dump them on the floor, take a picture of the floor with the dice, grab the raw or jpeg file, and get its SHA256, use that result as the private key (or as input to another generator).

Might be overkill, but it's fun. And you'll only need to do it once.

Personally, I'd just use the bip39 page and click on 24 words a few times, then save the extended private key somewhere; maybe make a few more. At least those can be loaded into most hardware wallets and Electrum.

koinsever
October 24, 2019, 08:51:29 PM
 #27

It's a really good idea, and it can be updated. For example, you can use 2d20 or something else. It can be more attractive. This is a proof of how flexible bitcoin is, I think.

For rent...
Balthazar
October 24, 2019, 09:03:47 PM
 #28

Quote
Some weeks ago I made a visual tool to create a bitcoin private key. The most secure way for key generation is to flip a physical coin 256 times. I flipped a coin 256 times, and made a video how to create the bitcoin private key with my tool.

Here is the video instruction: https://youtu.be/WyBdYhwweaE

Such a technique is not equivalent to a true random generator and all of the resulting keys shouldn't ever be trusted.

Quote
It's certainly not perfectly random but it's safer than relying on so called "True Random" Number Generators that can be bugged or have design weaknesses, and are actually just trustful blackboxes.

If you wish a guaranteed and independent entropy then you can buy any uranium mineral and use a Geiger counter to make as many random bytes as you want.

I tried this and it worked very well.

https://www.youtube.com/watch?v=00h0_Tq8ThA
https://www.youtube.com/watch?v=vtk1o2Qc0u4
https://www.youtube.com/watch?v=pBdqaxtJFHQ
https://www.youtube.com/watch?v=bmK_MVnli7c

My source code is here:

https://github.com/CryptoManiac/rng

It works much faster than flipping the coins and provides a real, guaranteed and unconditioned security.
MrFreeDragon (OP)
October 24, 2019, 10:08:41 PM
 #29

-snip-
Suppose, I have a hardware random number generator that tends to set some bits to 1 and some other bits to 0. If the attacker does not know which bits are biased and what their biases are, they have no information that will help them.

You can say that flipping a coin is not truly random, but it is effectively random to the attacker unless they know the exact conditions that were present when the coin was flipped.
-snip-

Agree with you.

-snip-
And I believe that every human flipping a coin makes it in some pseudorandom way because of his habits, physical conditions, etc. And in fact, all these different singularities would add the additional entropy for the key generation process (like one man will make the flips with 51%/49% odds, another with 48%/52% odds, etc.)

In most cases the attacker will not know the biases. However, in case he knows some bits are 52% instead of 50%, this information will not actually help in practice, because the total possible combinations still will tend to a very big number close to 2^256.

Zionatin
October 24, 2019, 10:40:34 PM
 #30

Wouldn't rolling a d20 dice be even more effective? coins is 1/2 x 256 d20 is 1/20 x 256 you will get your average out of 20 in 5% increments instead of 50% ones with coin flips.
Alternatively, you can just count 11+ as On or true and 10 or less Off or false. It depends if you want a % ratio or just an on or off like binary code.

I would personally use dice then coins. More random. You could probably achieve the same as 256 coin flips with fewer dice rolls but that is some serious maths stuff and my head is too sore right now.

If I have made a mistake or something is not right just let me know. I'm not 100% sure if I am right about this.
MrFreeDragon (OP)
October 24, 2019, 11:14:25 PM
Last edit: October 24, 2019, 11:36:00 PM by MrFreeDragon
 #31

-snip-
Alternatively, you can just count 11+ as On or true and 10 or less Off or false. It depends if you want a % ratio or just an on or off like binary code.
-snip-

Actually this way is the same as coin flip - chances are still 50%/50%. It does not matter if you roll d6 dice counting 4-5-6 as "1" and counting 1-2-3 as "0", or roll d20 dice counting 11-20 as "1" and 1-10 as "0" or flip the coin - the chances are still 50%/50%. But if you like a dice - no problem of course )

-snip-
I would personally use dice then coins. More random. You could probably achieve the same as 256 coin flips with fewer dice rolls but that is some serious maths stuff and my head is too sore right now.

If I have made a mistake or something is not right just let me know. I'm not 100% sure if I am right about this.

Yes, it is possible to achieve the same with fewer dice rolls. But for integer calculation it is better to take a dice with the number of sides equal to a power of 2.
For example, for d16 dice you need only 64 rolls. The maths is easy: you need to receive 256 bits, one d16 roll gives you 4 bits, so the total quantity of rolls is 256/4 = 64.
Why does a d16 roll give 4 bits? Because 16 is 2^4, and the possible combinations of one d16 roll are from 0 to F (in HEX), or from 0 to 15 (in DEC), or from 0000 to 1111 (in BIN) - exactly 4 bits.

PS. One d20 roll gives Log2(20) = 4.32 bits (not an integer number). So, you need 59.233 rolls. Or, you can make 59 rolls by d20 dice to receive almost 255 bits (254.99), and add 1 coin flip ) But better to make 60 rolls and have more bits. Anyway, with d20 dice you need 60 operations. In general, the total quantity of operations with n-outcome physical source is 256/log2(n).
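
The roll-count formula from this post and the bias question from posts #25 and #29, worked through as an added example (not code from the thread or from any tool it links). The function names are hypothetical, the base-n conversion with rejection is one possible way to map rolls to a key, and the von Neumann debiasing step goes beyond what the thread discusses.

```python
import math

# Order of the secp256k1 group: a valid Bitcoin private key k has 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def rolls_needed(sides, bits=256):
    """Rolls of a fair `sides`-outcome source needed for `bits` bits: ceil(bits / log2(sides))."""
    return math.ceil(bits / math.log2(sides))


def min_entropy_bits(p_max, trials):
    """Worst-case entropy of `trials` independent draws whose likeliest outcome has probability p_max."""
    return -math.log2(p_max) * trials


def von_neumann(flips):
    """Remove bias from independent flips: pair 01 -> 0, 10 -> 1, 00 and 11 are dropped."""
    return [a for a, b in zip(flips[0::2], flips[1::2]) if a != b]


def rolls_to_key(rolls, sides):
    """Turn rolls (each 1..sides) into a private key, or None if the sequence must be re-rolled."""
    if any(not 1 <= r <= sides for r in rolls):
        raise ValueError("roll out of range")
    total = sides ** len(rolls)          # number of distinct roll sequences
    if total < 2 ** 256:
        raise ValueError("not enough rolls for 256 bits")
    x = 0
    for r in rolls:                      # read the rolls as base-`sides` digits
        x = x * sides + (r - 1)
    limit = (total >> 256) << 256        # largest multiple of 2**256 <= total
    if x >= limit:                       # reject the tail so x % 2**256 stays uniform
        return None
    key = x % 2 ** 256
    return key if 1 <= key < SECP256K1_N else None


if __name__ == "__main__":
    for sides in (2, 6, 16, 20):
        print(f"d{sides}: {rolls_needed(sides)} rolls")
    for p in (0.5, 0.52, 0.7):
        print(f"p_max={p}: {min_entropy_bits(p, 256):.1f} bits from 256 flips")
    sample = [(i * 7) % 16 + 1 for i in range(64)]   # constructed d16 rolls, not random
    print(hex(rolls_to_key(sample, 16)))
```

For 256 flips, a 52/48 coin still leaves about 241.5 bits of worst-case entropy, while the 30-70 bias mentioned earlier in the thread leaves about 131.7.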

Devawnm367
October 25, 2019, 08:33:07 AM
 #32

I do agree that flipping a coin 256 times is very random. In all reality though the odds are only 50% each flip. I feel that with a computer it would be really easy to come up with the exact outcome pretty easily. That is of course after several tries. As flipping a coin is one of the most random/Not random option there is. It is either going to be A or B. You just have to keep trying until A, and B, match up 250 times! I would rather just type a bunch of letters or wiggle my mouse a few times. I feel the odds of finding it that way would be much harder!

I do like the idea though. I do see how it could be beneficial!

Dabs
October 25, 2019, 12:32:58 PM
Merited by MrFreeDragon (2)
 #33

I'm not going out to buy any uranium. I mean, if you already have access to such material, then fine. Otherwise stick to a bunch of dice / coins / cards or any of hundreds of cryptographically secure PRNGs.

I like this one:
http://pwgen-win.sourceforge.net/

Used it awhile back to make random passwords that use Base58check (so they look like bitcoin addresses or private keys).

Balthazar
October 25, 2019, 03:17:09 PM
 #34

Quote
I'm not going out to buy any uranium. I mean, if you already have access to such material, then fine. Otherwise stick to a bunch of dice / coins / cards or any of hundreds of cryptographically secure PRNGs.

I like this one:
http://pwgen-win.sourceforge.net/

Used it awhile back to make random passwords that use Base58check (so they look like bitcoin addresses or private keys).

Uranium ore is available at eBay and the prices are quite reasonable. It's not illegal when people are selling some useless rocks to each other. These are just rocks, literally, and there is nothing dangerous in them. As long as you don't drop them on the people's heads from the balcony, of course.
BrewMaster
October 25, 2019, 06:50:29 PM
 #35

Quote
meddling with entropy and using a physical source (anything except what your computer generates) should be considered an advanced topic which regular users should not try to perform without first educating themselves on how it is done correctly and are aware of possible biases and other issues that might be involved.
I'm not sure about that, it's well known that computer generated entropy is globally less safe than physical ones, where have you seen the opposite?

first of all my point is that people should never use a method that they may not understand the risk of. for instance using a coin may sound safe but what if the user who was using this method used a biased coin? or messed up entering the results and put more 1s than he should have? or what if he used a bad code that converted things wrong?....

secondly when you say "less safe" you should know that it does not mean "not safe". for example there has been millions of bitcoin keys used so far, i bet 99% of them are produced by a computer and an RNG. we only have rare cases where a shitty tool like blockchain.info wallet, etc led to losses due to bad RNG. the decent tools such as bitcoin core, electrum, and lots of others have never had such problems!

There is a FOMO brewing...
MrFreeDragon (OP)
October 26, 2019, 03:08:04 AM
 #36

Quote
first of all my point is that people should never use a method that they may not understand the risk of. for instance using a coin may sound

secondly when you say "less safe" you should know that it does not mean "not safe". for example there has been millions of bitcoin keys used so far, i bet 99% of them are produced by a computer and an RNG. we only have rare cases where a shitty tool like blockchain.info wallet, etc led to losses due to bad RNG. the decent tools such as bitcoin core, electrum, and lots of others have never had such problems!

I agree that millions of keys were produced by a simple computer's RNG, and these wallets are still alive. For example, there are a lot of stories of people who mined in 2009-2011 but lost their private keys on old hard drives and computers. In 2009 there was only one tool - bitcoin application - which generated the address in less than a second based on computer RNG. The first users did not even understand what the private key was - they had only bitcoin addresses shown in the application, private keys were encoded within the wallet.dat file. "Not safe" computer RNG was used for private key generation. Why have those early addresses not been hacked yet? The answer is that the numbers in bitcoin are so large that "not safe" randomness and "not perfect entropy" is still enough to keep funds safe for a long period of time.
