How to significantly decrease the randomness of your newly generated seed phrase

[witcher_sense]

Here is an interesting tweet from ColdCard I've come across recently:


https://twitter.com/COLDCARDwallet/status/1334210450947534850

It is an advertisement for the new product "Dice set," with which to generate a random 256-bit number to create a seed phrase for your Coldcard and which is now available in the Coinkite store. https://store.coinkite.com/store/dice-100

According to Coldcard's tweet, it is now easier to generate a seed with dice rolls because you don't have to toss dice 100 times if you can toss 100 dice once instead.

In my opinion, this information is misleading, and users may end up losing their funds because of weak entropy!

You won't get a truly random number when tossing 100 dice at once because of two reasons. Firstly, the sequence at which to count dice after a toss is unknown, meaning that it is up to you to decide. Human decisions lead to the decrease of entropy since humans are bad at randomness. Secondly, given that all dice are of the same color, the sequence cannot be determined beforehand. Both factors clearly tell us that buying 100 dice doesn't make sense and even harmful.

What do you think?

[1715498938]

1715498938

[1715498938]

1715498938

[ranochigo]

It is.

To calculate entropy, we'll have to use log2 (6) - log base 2 of 6.

That gives us an entropy of approximately 2.58496250072 per dice roll. 128 bit entropy should be enough of an entropy which would result in at least 50 dice rolls to reach. When you have 100 dice, you can probably pick around 50 biased dice and still end up with 128bit of entropy.

The choice of word and the phrasing could be misleading and it'll help if they'll point this out in the packaging of the dice. I think the sequence of picking the dices will have a significant effect on the entropy but there is a decent cushioning before you'll really endanger the user's funds. You can only truly achieve 256bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.

[ranochigo]

Sounds cool. but honestly i would rather use CSPRNG library or /dev/urandom from my terminal

Code:

cat /dev/urandom | xxd -l 16 -p

Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?


I think using dice rolls to generate entropy is not that bad of an idea. Especially when the point of it is to ensure that ColdCard isn't tampering with the seeds. Given that the key pad only has space for numerical characters, using dice rolls to generate entropy for a ColdCard wallet is probably the only way for the user to be sure that the RNG of the ColdCard isn't compromised.

[hugeblack]

I think it is bad ( decrease the randomness) even if the dice are not biased, let alone throwing a single throw of the dice that may be biased.

In general, does it enter into the calculation of the expected value^[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).

If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.

[1] How To Calculate Expected Value (Worked Examples)

[ABCbits]

Sounds cool. but honestly i would rather use CSPRNG library or /dev/urandom from my terminal

Code:

cat /dev/urandom | xxd -l 16 -p

Actually, has there been a successful attempt to intentionally sabotage the RNG within an OS during a key generation?

I've seen few news about RNG sabotage on library or programming language (mainly javascript) level, but never on OS level.
After all, if you could sabotage the OS which require superuser/root, there are more practical ways to steal/intercept one's data.

But at least there are few vulnerability about RNG on linux kernel,
https://www.cvedetails.com/cve/CVE-2009-3238/
https://www.cvedetails.com/cve/CVE-2007-4311/
https://www.cvedetails.com/cve/CVE-2018-1108/

[ranochigo]

In general, does it enter into the calculation of the expected value^[1]? We have a specific iteration of an experiment that has a limited range of options (1 to 6).

If all the dice are rolled once, then repeating it several times may result in lower quality random private keys.

[1] How To Calculate Expected Value (Worked Examples)

What does expected value has to do with the generation of entropy though? Each of the dice has an equal chance of landing on each of the face. The expected value shouldn't matter since you're not calculating the average value of the dice nor anything similar.

Each of the unbiased dice roll will provide a certain and fixed amount of entropy because it is truly random. For example, if the 5th value is 6 in the first set of 100 and the 5th value is 5 in the second set, the resultant seed will be different. For someone to crack this, they'll have to land the dices at exactly the same value for 100 consecutive times, with the same permutation. This would be a pretty near impossible feat, giving the user a 256bit of entropy.

[witcher_sense]

I think the sequence of picking the dices will have a significant effect on the entropy but there is a decent cushioning before you'll really endanger the user's funds. You can only truly achieve 256bits of entropy with 100 unbiased dice rolls. Picking all of them with bias would just be creating a brainwallet.

Theoretically, the biased sequence of picking the dices after a single roll could drastically decrease entropy and therefore lead to a loss of funds. Let us assume that a potential newcomer has no idea about how exactly a seed phrase is generated and why the degree of disorder is so important when calculating a given phrase. In my opinion, an average user doesn't necessarily need to know all this, otherwise, we will never see widely adopted bitcoin. Anyway, he or she just purchased their first ColdCard hardware wallet and also a set of dices, for whatever reason. Later, they found an interesting option in it, which is manual wallet generating via dice rolls. It sounds cool and familiar: it is like a game. They tossed their 100 dices at once, and then they need to insert these numbers into their wallet. The problem is they don't know at which sequence to count dices.

They asked ColdCard developers and got an answer:



The sequence doesn't matter, you must be paranoid if you ask this!

They counted their dices the way they saw fit and got a random number: 1111111111111222222222222222222333333333333333333333344444444444444444444444444 44555555555555555555555555......6666666666666666

They inserted that number and generated a seed phrase.

[ranochigo]

The sequence doesn't matter, you must be paranoid if you ask this!

They counted their dices the way they saw fit and got a random number: 1111111111111222222222222222222333333333333333333333344444444444444444444444444 44555555555555555555555555......6666666666666666

They inserted that number and generated a seed phrase.

Their response is quite underwhelming to say the least. Isn't their hardware wallet designed for the paranoid with the inclusion of all the epoxy transparent chips and stuff? This issue isn't about paranoia at all and is a legitimate concern. Oh wells, I hope they actually misunderstood your point.

[witcher_sense]

Their response is at least ridiculous and misleading. It seems that the ColdCard marketing team has forgotten to ask the development team for advice before posting a tweet. Basically yes, their wallet is mostly designed for paranoid, experienced users who should know how things work in general and how to properly generate a seed phrase in particular. That all makes me think why they fail to answer, put it another way, are giving a misleading answer when paranoid and experienced users ask them the right questions.

[ranochigo]

Had a brief email exchange with them and this is their response:

Hi ranochigo,

Hopefully the customers who buy dice specifically, will understand that putting them back into order after rolling would be bad idea. We ship them loose in a plastic bag, so they will arrive with lots of entropy ready to go. Let's hope our customers don't undermine that!

I guess that's your answer. Their stand is that they hope the customer doesn't specifically choose the sequence of the dice.  I don't think it's a great idea to not at least put a warning but if that's their stand then so be it. Tried to convince them otherwise through quite a few (lengthy) emails but I guess they have their own rationale as well. Hope it works well for them and the customers buying it (I personally think the coldcard is okay but nothing else).

Don't get why they won't recognise it as a potential (however small) issue that they have given how the design is geared towards those who are paranoid. But hey, who am I to criticize them on this?

[witcher_sense]

I guess that's your answer. Their stand is that they hope the customer doesn't specifically choose the sequence of the dice.  I don't think it's a great idea to not at least put a warning but if that's their stand then so be it. Tried to convince them otherwise through quite a few (lengthy) emails but I guess they have their own rationale as well. Hope it works well for them and the customers buying it (I personally think the coldcard is okay but nothing else).

Don't get why they won't recognise it as a potential (however small) issue that they have given how the design is geared towards those who are paranoid. But hey, who am I to criticize them on this?

Thank you for your help! I am still not convinced and wouldn't recommend buying that particular product albeit I do like ColdCard hardware wallet because it looks neat. Despite the fact I ain't a tech-savvy person, I believe that any sequence, no matter how random it may be, would be specific since it would be human who would choose it. It is weird that the Coldcard team prefers not to talk about it and is silently selling a useless set of dices for 20 bucks instead. I am a bit disappointed.

[DaveF]

Possible stupid question incoming:
Does it have to be a regular 6 sided die?
Can't we increase randomness by using a 10 or 20 or whatever sided die?

I'm sure the answer is out there, but I am truly having a brain freeze at the moment.

-Dave

[ranochigo]

Does it have to be a regular 6 sided die?

Nope.

Can't we increase randomness by using a 10 or 20 or whatever sided die?

I'm sure the answer is out there, but I am truly having a brain freeze at the moment.

Depends on how many times you roll the dice. Having a larger number of possible outcomes for each dice will increase the entropy, think log2 (x), let x be the number of sides. The problem here lies with the bias when choosing specific dices for the sequence of entropy though.

[o_e_l_e_o]

Although DaveF, with your picture you have inadvertently stumbled across a potential solution - different colored dice.

If you pick the order you are going to write down the result of the dice based on the color before you roll, then that removes the issue of bias in choosing the order. Using your picture and going clockwise, we choose the order blue, black, green, red, white. We roll the five 20-sided dice, for 4.32 entropy per dice, for a total of ~21.6 bits of entropy. Repeat 6 times for 128 bits, or 12 times for 256 bits, writing down the numbers in the same color order each time.

[suchmoon]

How about a funnel connected to a transparent tube so all dice ends up in it in a certain order? #ducttapeengineering

[HCP]

Yeah, I'm confused as to how they don't see the issue with just ending up with a large number of dice sitting in front of a person who then has to choose what order they need to be used in...

It's really no different to giving a user say 2048 words and saying "pick 12/24 of these"

How about a funnel connected to a transparent tube so all dice ends up in it in a certain order? #ducttapeengineering

I like it... but then I'm a fan of stupidly simple solutions

[DaveF]

Hmmmm.
They do make dice up to some really stupid large number of sides and in more then the 5 colors listed.
So a set of 7 dice. Six of 120 sided dice in various colors (or clear if that's your thing):


And a 7th die that has a different color on each side.
You set the 6 of them in any order you like.
You then roll the 7th and that is the color you start from.

Repeat each time so even if one of the others does have a bias towards a number or set of numbers it will not always be in the same location in the line up unless the 6 sided die also has a bias.

Now....who has a 3d printer handy?

-Dave

[witcher_sense]

Hmmmm.
They do make dice up to some really stupid large number of sides and in more then the 5 colors listed.
So a set of 7 dice. Six of 120 sided dice in various colors (or clear if that's your thing):


And a 7th die that has a different color on each side.
You set the 6 of them in any order you like.
You then roll the 7th and that is the color you start from.

Repeat each time so even if one of the others does have a bias towards a number or set of numbers it will not always be in the same location in the line up unless the 6 sided die also has a bias.

Now....who has a 3d printer handy?

-Dave

In my opinion, that makes the whole process of tossing unnecessarily complicated and time-wasting. We don't know a possible outcome if we determine the sequence of colors beforehand, so the result can't and won't be biased in any case. But I like the idea of using many-sided dice: it both increases entropy and enjoyment of generating seeds. But why stop there? Spherical dice have an unlimited number of sides and are easy to produce...




Source: https://www.tarquingroup.com/spherical-dice-5-round-dice.html

[webtricks]

It's fun to read how this business attempt from Coldcard is turning into an epic fail! A pack of 100 dices to ease the process of creating entropy but no solution for determining the randomness of the dice sequence, this has to go down as one of the most absurd business ideas. Wait until I start selling a pack of 256 one-cent coins for $5.12 each. Easy money!

It's really no different to giving a user say 2048 words and saying "pick 12/24 of these"

Well, technically it's different. Picking 12/24 words from 2048 won't work because last word includes checksum so wallets will show it as invalid seed.

[o_e_l_e_o]

By the time you get up to a 120 sided die, you are on 6.9 bits of entropy per roll, meaning you only need 19 rolls to generate 128 bits of entropy. At that point, it's going to be far easier to just roll 19 times than mess around with colors and orders.

True, but you could chose first 11/23 words, then the software will fill few last bits randomly, then generate the checksum and convert it (few last bits & checksum) to words.

You could also pick all 12/24 words and have the software just change the last one to the appropriate word with the correct checksum. Either way you are still manually picking your entropy so it is terrible decision, even if you are picking from a random subset (in the case of rolling 100 dice).