Bitcoin Forum
Author Topic: Seed Generation in Hardware Wallets  (Read 896 times)
dkbit98 (OP)
February 14, 2021, 12:42:09 PM
Last edit: November 20, 2023, 09:45:52 AM by dkbit98
Merited by vapourminer (3), malevolent (3), witcher_sense (2), DireWolfM14 (2), mocacinno (1), ABCbits (1), Darker45 (1), FatFork (1), JL0 (1)
 #1

Some people are asking a good question: how can they trust that hardware wallets are randomly generating Bitcoin seed words?

First, whatever device you are using, and not just a hardware wallet but also your smartphone, computer or any other device, you need to have some basic trust or verify everything on your own, and that is not always easy.
Generally speaking, hardware wallets that are open source and have existed for a longer time have been examined by many security experts and are considered safer, but none of them is 100% safe.
Hardware wallets are made to simplify things for the average newbie, but you should always remember that seed words are more important than your hardware device.

Humans are bad at making anything random, so forget about it if you had an idea to pick 24 random words from your head/wordlist and use them as your seed words.
You need to achieve good 256-bit entropy or disorder, and good old dice or coin flipping are one way to achieve this so you don't have to trust their random number generators.

How are hardware wallets doing entropy?

Trezor One and T mix external entropy from the computer with internal entropy from the built-in hardware random number generator (RFC 6979), and this can be verified on their GitHub page.

Trezor 3: to be updated...

Ledger wallets use a Random Number Generator from their closed source Secure Element to generate the mnemonic seed, with AIS 31* certification.

ColdCard has the option of using the internal true random number generator from its secure element or using D6 dice rolls that can be verified. Verifiable Seed Generation.

Keystone uses a Random Number Generator from its open source Secure Element, and it can generate a seed with casino-grade dice. Verifiable Seed Generation.

Passport wallet uses an Avalanche noise source, an open source true random number generator (one of them is part of the MCU, the other one is in the SE). Verifiable Seed Generation.

Bitbox uses five different entropy sources: factory setup, secure element, regular chip, computer and device password; everything is open source, and with the latest update you can roll dice for verifiable seed generation.

Safepal uses a closed source secure element for random number generation, with AIS 31* and FIPS PUB 140-2** certification.

BC Vault uses a built-in hardware gyro sensor and various timings while a human shakes the device for random number generation.

Jade wallet mixes internal entropy from a built-in hardware random number generator and various other things with companion app entropy.

Onekey mini uses an internal random number generator that satisfies NIST SP 800-90A/B/C; a CSPRNG is used to guarantee the quality of randomness, which is equivalent to the DIEHARD test, FIPS 140-2 and TestU01 test criteria.

Ngrave Zero combines data taken from the internal TRNG, the fingerprint scanner and ambient light captured by the built-in camera.

Specter DIY uses a mix of multiple sources of entropy, the TRNG of the microcontroller, the touchscreen and built-in microphones (not yet), that are all hashed together.

SeedSigner DIY creates a 24-word BIP39 seed phrase with 99 dice rolls or by taking a digital photo; it can also be done with coin flips.




RNG
Quote
Random number generation is a process which, often by means of a random number generator (RNG), generates a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance.
https://en.wikipedia.org/wiki/Random_number_generation

TRNG - True Random Number Generator
HRNG - Hardware Random Number Generator (generates genuinely random numbers)
PRNG - Pseudo Random Number Generator (generates numbers that look random, but are deterministic and reproducible)

Random number generators are used in IT, lottery systems, gaming, for passports and ID cards, smartphones, and in NFC and chip manufacturing.

*AIS 31 certification standard used by Germany's BSI
**FIPS PUB 140-2 certification standard used by the US government

work in progress

dkbit98 (OP)
February 14, 2021, 12:42:19 PM
 #2

reserved

Charles-Tim
February 14, 2021, 01:14:30 PM
 #3

Quote from: dkbit98
You need to achieve good 256-bit entropy or disorder, and good old dice or coin flipping are one way to achieve this so you don't have to trust their random number generators.
The entropy is not necessarily 256 bits; the number of bits used determines how many words the seed phrase will contain. Using 128 bits gives 12 seed words, 160 bits gives 15 seed words, 192 bits gives 18 seed words, 224 bits gives 21 seed words, while 256 bits gives 24 seed words. These are the standards used in generating seed phrases; the 12- and 24-word phrases are especially common.

Max_Headroom
February 14, 2021, 08:17:07 PM
Merited by vapourminer (2), ABCbits (1), Husna QA (1)
 #4

Hi,

I can't stress how important entropy is to BTC.

I even took this photo at the Science Museum in London ages ago.

(host auto-deletes after > month)

So my question is...

I just ordered a SafePal S1 for testing, and they claim the chip comes from Germany BSI AIS31.

https://docs.safepal.io/safepal-hardware-wallet/security-features/hardware-security/true-random-number-generator

How can I be sure their wallet really got that hardware?

dkbit98 (OP)
February 15, 2021, 12:55:42 PM
 #5

Quote from: Max_Headroom
How can I be sure their wallet really got that hardware?
I guess the only way to be sure is to open and destroy the wallet in the process to identify the chip, as they have everything closed source, but I personally wouldn't use Safepal for holding my coins, maybe only for some play money.
Not enough security experts have examined Safepal for potential exploits and bugs, but I am thinking of asking some of them in private to make unbiased tests.
One more thing is that the Binance exchange is now pumping the Safepal wallet and their useless token, so I expect more people will try to break and exploit it now.

dkbit98 (OP)
February 23, 2021, 09:05:33 AM
 #6

So I was interested to know how the Jade hardware wallet handles entropy and generates seed words, but I couldn't find that information anywhere on their website.
After contacting the Jade wallet developers I got a reply that they are working on a readme file and support page with more detailed information, but for now I got this explanation:

The Jade wallet comes with a hardware random number generator (from the ESP32 chip), and when the device is started it uses an accumulator similar to the one in Bitcoin Core.
This stores a 32-byte state generated by SHA-512 hashing of a number of things: its previous state, 64 bytes from the hardware random generator, data from the stack, various counters (CPU ticks and global) and sensors (hall and temperature), as well as extra entropy provided by the companion app.
The result of the SHA-512 is split in two: half becomes the new 32-byte state and the other half is provided as the entropy requested and fed to the standard BIP39 entropy-to-mnemonic function.
The hashing function is called at boot and each time entropy is requested, as well as any time a button or the wheel is touched.

This looks somewhat similar to what Trezor is doing with mixing entropy from the hardware random generator and the computer, but it's not exactly the same.
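The accumulator described in the post above, as an added Python model written for this thread; it is not the Jade firmware's own code. It assumes os.urandom stands in for the ESP32 hardware generator and time.perf_counter_ns for the CPU tick counter; stack data and the hall/temperature sensor readings have no desktop equivalent, so they and the companion-app bytes are all passed through the `extra` parameter. What it shows is the split of the SHA-512 digest: the half that is handed out as entropy is never the half that becomes the next state, so seeing one output does not let anyone reconstruct the pool.

```python
import hashlib
import os
import time
from typing import Callable, Tuple


def mix(state: bytes, hw_bytes: bytes, counters: bytes, extra: bytes) -> Tuple[bytes, bytes]:
    """One accumulator step as the post describes it: SHA-512 over the previous
    32-byte state, 64 bytes from the hardware generator, counter/sensor readings
    and any extra (companion-app) entropy. The 64-byte digest is split in two:
    the first half is the new secret state, the second half is the entropy handed out."""
    if len(state) != 32 or len(hw_bytes) != 64:
        raise ValueError("state must be 32 bytes and hw_bytes 64 bytes")
    digest = hashlib.sha512(state + hw_bytes + counters + extra).digest()
    return digest[:32], digest[32:]


class EntropyAccumulator:
    """Constructed model of the scheme, not Jade's firmware. hw_source stands in for the
    ESP32 hardware RNG (os.urandom by default, an assumption) and tick_source for the
    CPU tick counter; stack data and hall/temperature sensors are folded into `extra`."""

    def __init__(self, hw_source: Callable[[int], bytes] = os.urandom,
                 tick_source: Callable[[], int] = time.perf_counter_ns):
        self.hw_source = hw_source
        self.tick_source = tick_source
        self.state = bytes(32)   # initial state; replaced on the very first stir
        self.requests = 0        # the "global counter" from the description
        self.stir()              # the hash is run once at boot

    def stir(self, extra: bytes = b"") -> bytes:
        self.requests += 1
        counters = self.tick_source().to_bytes(8, "big") + self.requests.to_bytes(4, "big")
        self.state, out = mix(self.state, self.hw_source(64), counters, extra)
        return out

    def on_button_event(self) -> None:
        # Any button or wheel touch re-stirs the pool; the output half is simply dropped.
        self.stir()

    def get_entropy(self, app_entropy: bytes = b"") -> bytes:
        # 32 fresh bytes: what would be fed to the BIP39 entropy-to-mnemonic function.
        return self.stir(app_entropy)


if __name__ == "__main__":
    acc = EntropyAccumulator()
    acc.on_button_event()
    print(acc.get_entropy(app_entropy=b"bytes from the companion app").hex())
```

Because every input is hashed into the state, a weak or stuck source (the model accepts a constant hw_source for exactly this reason) degrades the pool only as far as the other sources are also weak; the state chaining still makes consecutive outputs differ.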

Max_Headroom
February 27, 2021, 12:19:06 AM
 #7

Quote from: dkbit98
So I was interested to know how the Jade hardware wallet handles entropy and generates seed words, but I couldn't find that information anywhere on their website.
After contacting the Jade wallet developers I got a reply that they are working on a readme file and support page with more detailed information, but for now I got this explanation:

The Jade wallet comes with a hardware random number generator (from the ESP32 chip), and when the device is started it uses an accumulator similar to the one in Bitcoin Core.
This stores a 32-byte state generated by SHA-512 hashing of a number of things: its previous state, 64 bytes from the hardware random generator, data from the stack, various counters (CPU ticks and global) and sensors (hall and temperature), as well as extra entropy provided by the companion app.
The result of the SHA-512 is split in two: half becomes the new 32-byte state and the other half is provided as the entropy requested and fed to the standard BIP39 entropy-to-mnemonic function.
The hashing function is called at boot and each time entropy is requested, as well as any time a button or the wheel is touched.

This looks somewhat similar to what Trezor is doing with mixing entropy from the hardware random generator and the computer, but it's not exactly the same.

Thanks dkbit98 for the insight. Very interesting indeed. I am reading about

Code:
#include <chrono>
#include <cstdint>
static inline int64_t GetPerformanceCounter() noexcept
{
    // Read the hardware time stamp counter when available.
    // See https://en.wikipedia.org/wiki/Time_Stamp_Counter for more information.
    // (Bitcoin Core's random.cpp reads rdtsc on x86 here; elsewhere it falls back to the C++11 clock, as below.)
    return std::chrono::high_resolution_clock::now().time_since_epoch().count();
}

Quote
The result of the SHA-512 is split in two: half becomes the new 32-byte state

I am trying to make it clearer in my small brain. I am reading again some foundations about random numbers and a case study in a textbook chapter about it... btw, kindly made public by the authors Niels, Bruce, Tadayoshi

https://www.schneier.com/wp-content/uploads/2015/12/fortuna.pdf

Regarding the Jade wallet, it sounds like a nice project (out of stock, sad). Do they use an ESP32 chip (manufacturer: Espressif Systems)?
I guess it is the ESP32-S, isn't it? (Reliable security features ensured by RSA-based secure boot, AES-XTS-based flash encryption, the innovative digital signature and the HMAC peripheral, "World Controller")

https://www.espressif.com/en/products/socs




dkbit98 (OP)
February 27, 2021, 11:05:31 AM
 #8

Quote from: Max_Headroom
Regarding the Jade wallet, it sounds like a nice project (out of stock, sad). Do they use an ESP32 chip (manufacturer: Espressif Systems)?
I guess it is the ESP32-S, isn't it?

Yes, it is a plain old ESP32 board and anyone can purchase their own and load it with the Jade open source code, so there is no need to buy from their official store.
I would prefer buying something like the M5Stack Core2 ESP32 AWS (it has a secure element), but I think anything like the cheap TTGO T-Display will work just fine.

You can even use the cheap M5StickC ESP32 and a CAD STL file to 3D print your own Jade hardware wallet and then load it with the Jade code.
This means that you can make your own DIY wallet for $10 or $20 and not wait to pay $40 for an out-of-stock product.


m5stack.com

Max_Headroom
February 27, 2021, 03:18:52 PM
Merited by malevolent (3)
 #9

Quote from: dkbit98
Quote from: Max_Headroom
Regarding the Jade wallet, it sounds like a nice project (out of stock, sad). Do they use an ESP32 chip (manufacturer: Espressif Systems)?
I guess it is the ESP32-S, isn't it?

Yes, it is a plain old ESP32 board and anyone can purchase their own and load it with the Jade open source code, so there is no need to buy from their official store.
I would prefer buying something like the M5Stack Core2 ESP32 AWS (it has a secure element), but I think anything like the cheap TTGO T-Display will work just fine.

You can even use the cheap M5StickC ESP32 and a CAD STL file to 3D print your own Jade hardware wallet and then load it with the Jade code.
This means that you can make your own DIY wallet for $10 or $20 and not wait to pay $40 for an out-of-stock product.

m5stack.com

Yeah.. aws-iot-edukit is awesome. Btw, talking about cryptography educational stuff and textbooks, I like that old-style lecture on
stream ciphers, XOR circuits, random numbers, the perfect cipher:

Lecture 3: Stream Ciphers, Random Numbers and the One Time Pad by Christof Paar

But the question on top of my mind stack now is..
ok, we designed a diagram.. sent it out to a semiconductor manufacturer, fab etc.. how can we know/test that the schema we asked for is nothing more, nothing less?

dkbit98 (OP)
January 02, 2022, 02:57:00 PM
 #10

Information update:

Quote from: dkbit98
Onekey mini uses an internal random number generator that satisfies NIST SP 800-90A/B/C; a CSPRNG is used to guarantee the quality of randomness, which is equivalent to the DIEHARD test, FIPS 140-2 and TestU01 test criteria.
Onekey Mini is using forked and changed Trezor wallet code, but they added a secure element and made other changes.
Source: https://onekey.so/security

PS
If anyone notices any mistakes or missing info in the first post, please make a suggestion for correction, providing source information and links.

witcher_sense
January 06, 2022, 10:27:00 AM
Last edit: January 06, 2022, 11:00:01 AM by witcher_sense
 #11

What I seem to understand after looking through the excellent research that you presented us is that the majority of reputable hardware wallets are very transparent about how they are generating random numbers, they all use only certified methods of random number generation, etc. In short, they seem definitely much better than human beings at generating randomness (the degree of disorder is higher). However, what I don't understand is how we can actually verify that the mnemonic phrases which are shown upon initial setup really come from these random numbers. As far as I know, no hardware wallet shows you the initial entropy from which the mnemonic seed phrase is generated. That means we can't verify the result if we don't know what the initial data was. What if they generate truly random numbers, but then give us completely unrelated results, that is, pre-made malicious phrases?

Quote from: dkbit98
If anyone notices any mistakes or missing info in the first post, please make a suggestion for correction, providing source information and links.

After rereading your post I noticed that you are mixing up "entropy" and "mnemonic", or rather use them interchangeably, which is not quite correct because they are not the same thing, especially when we are talking about the generation of random numbers. Mnemonic words aren't random at all because they are mathematically and deterministically derived from entropy.

dkbit98 (OP)
January 06, 2022, 11:22:40 AM
Merited by witcher_sense (1)
 #12

Quote from: witcher_sense
In short, they seem definitely much better than human beings at generating randomness (the degree of disorder is higher).
This is not exactly correct; even if it's true that humans and their brains are generally bad at creating randomness, using simple tools like dice and cards changes the game a lot.
I would dare to say that you can create better and safer random results with dice, following simple instructions, than by using most hardware wallets for this.
Coldcard and Keystone are the only wallets that have Verifiable Seed Generation as far as I know (Passport is working on this also).

Quote from: witcher_sense
After rereading your post I noticed that you are mixing up "entropy" and "mnemonic", or rather use them interchangeably, which is not quite correct because they are not the same thing, especially when we are talking about the generation of random numbers. Mnemonic words aren't random at all because they are mathematically and deterministically derived from entropy.
I used official websites as the source of information, and I only mentioned the word mnemonic one time (for the Ledger wallet) in the first post, so I didn't mix anything up.
The order of mnemonic words can be random or not random, but that was not the point at all.

Pmalek
January 06, 2022, 02:32:44 PM
 #13

Quote from: witcher_sense
What if they generate truly random numbers, but then give us completely unrelated results, that is, pre-made malicious phrases?
Let's say they do exactly that; how long are they going to wait before they start emptying people's wallets? The two most popular brands are Trezor and Ledger. The Trezor One was released back in 2014, the Ledger Nano S came out in 2016. We have gone through two significant bull runs: the one at the end of 2017 and the one we witnessed recently when the BTC price almost hit $69.000. I think especially the 2nd one was the perfect opportunity to cash out a billion or two. But we aren't seeing cases where people lose money where the users themselves didn't make mistakes that led to the loss of funds.

tenant48
January 07, 2022, 10:00:04 AM
Last edit: January 07, 2022, 10:16:16 AM by tenant48
Merited by dkbit98 (1)
 #14

Quote from: witcher_sense
However, what I don't understand is how we can actually verify that the mnemonic phrases which are shown upon initial setup really come from these random numbers. As far as I know, no hardware wallet shows you the initial entropy from which the mnemonic seed phrase is generated. That means we can't verify the result if we don't know what the initial data was. What if they generate truly random numbers, but then give us completely unrelated results, that is, pre-made malicious phrases?
Not quite clear what you mean?
The wallet, having generated a random number (for example, 256 bits), adds 8 bits of checksum and sends it to a function that converts it to base 2048 and outputs 24 numbers of 11 bits each, which are then replaced with the corresponding words from the BIP39 dictionary. All this is easily verified.
Or do you think there may be a second, fake random number generator in the wallet?

OROBTC
January 07, 2022, 09:19:52 PM
Merited by dkbit98 (1)
 #15

Quote from: tenant48
Quote from: witcher_sense
However, what I don't understand is how we can actually verify that the mnemonic phrases which are shown upon initial setup really come from these random numbers. As far as I know, no hardware wallet shows you the initial entropy from which the mnemonic seed phrase is generated. That means we can't verify the result if we don't know what the initial data was. What if they generate truly random numbers, but then give us completely unrelated results, that is, pre-made malicious phrases?
Not quite clear what you mean?
The wallet, having generated a random number (for example, 256 bits), adds 8 bits of checksum and sends it to a function that converts it to base 2048 and outputs 24 numbers of 11 bits each, which are then replaced with the corresponding words from the BIP39 dictionary. All this is easily verified.
Or do you think there may be a second, fake random number generator in the wallet?

Maybe there's a quick-n-dirty workaround to this issue for us non-tech folks.

1. Create a new wallet in Wasabi (or most other wallets, any that you feel you can trust), write down the words...
2. Create a few receive addresses (easy in Wasabi)
3. Then "restore" that wallet into your hardware device
4. Send off one, two or three small separate amounts; check that the receiving addresses in your HW wallet match those in Wasabi

The only issue I see (but I invite critiques) is that your HW wallet will "have touched the internet". Which might be corrected (?):

5. Send off BTC from your HW wallet to another wallet
6. Delete your HW wallet
7. Create a new wallet in your HW
8. Fund that with small amount(s)
9. Send that amount out to another wallet (as in 5)
10. Create another new wallet in your HW device...

tenant48
January 08, 2022, 08:55:02 AM
 #16

Quote from: OROBTC
The only issue I see (but I invite critiques) is that your HW wallet will "have touched the internet". Which might be corrected (?):

Alternatively, if you want to store large amounts and do not trust the built-in random number generators, you can buy, for example, a Keystone wallet and use it only to generate seed phrases using dice, and then use this seed in other hardware wallets.
It would not be bad if someone from the manufacturers created a separate inexpensive device for generating seed phrases using dice or coins, which also had a built-in Ian Coleman mnemonic converter.

dkbit98 (OP)
January 08, 2022, 10:31:49 PM
Merited by OROBTC (1)
 #17

Quote from: tenant48
Alternatively, if you want to store large amounts and do not trust the built-in random number generators, you can buy, for example, a Keystone wallet and use it only to generate seed phrases using dice, and then use this seed in other hardware wallets.
It would not be bad if someone from the manufacturers created a separate inexpensive device for generating seed phrases using dice or coins, which also had a built-in Ian Coleman mnemonic converter.
There is one device like this made by the hardware wallet manufacturer Ellipal, and it has one purpose: to be a Mnemonic Phrase Generator with the BIP39 standard.
They claim it is a true random generator device that is offline, and they call it ELLIPAL Joy; the second claim is that they are open source, but I couldn't find any source code on GitHub last time I checked.
Note that I didn't test this device, which was released recently, and I don't recommend it to anyone, but it can be purchased for $39.90 currently.

https://www.ellipal.com/pages/ellipal-joy-mnemonic-generator

Another free, safe and offline alternative is to use your own physical dice for generating seed words, without the use of any device.
Later you can import this into any wallet you want, including a hardware wallet.

OROBTC
January 08, 2022, 11:55:36 PM
Last edit: January 17, 2022, 06:37:10 PM by OROBTC
 #18

Quote from: dkbit98
Quote from: tenant48
Alternatively, if you want to store large amounts and do not trust the built-in random number generators, you can buy, for example, a Keystone wallet and use it only to generate seed phrases using dice, and then use this seed in other hardware wallets.
It would not be bad if someone from the manufacturers created a separate inexpensive device for generating seed phrases using dice or coins, which also had a built-in Ian Coleman mnemonic converter.
There is one device like this made by the hardware wallet manufacturer Ellipal, and it has one purpose: to be a Mnemonic Phrase Generator with the BIP39 standard.
They claim it is a true random generator device that is offline, and they call it ELLIPAL Joy; the second claim is that they are open source, but I couldn't find any source code on GitHub last time I checked.
Note that I didn't test this device, which was released recently, and I don't recommend it to anyone, but it can be purchased for $39.90 currently.

https://www.ellipal.com/pages/ellipal-joy-mnemonic-generator

Another free, safe and offline alternative is to use your own physical dice for generating seed words, without the use of any device.
Later you can import this into any wallet you want, including a hardware wallet.

Interesting device.

Even if it were NOT able to generate fully random seed words using the generator, you could get *pretty close* by doing something like the below:

1. Decide: 12 words? 24 words? (etc.)
2. Generate a 12-word wallet, write down the last 6 words only
3. Generate another 12 words, write down every "even number" word (the second, fourth, sixth, eighth, etc.)
4. Combine the above 12 words in whatever order you decide; this would serve as your "plan" for generating future seeds
5. Remember your "plan", do it the same way each time in the future
6. And add the "13th word" (24th) for added security to your HW wallet

* * *

Perhaps the time comes when we would all like to see an easy and quick way to generate seed words by hand from the GitHub word list (https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt).

2048, I believe, is 2^11. Would that imply that you could get 11 coins (same coins, good condition) and do the below?

1. Toss the coins down, start the next step with the coin furthest left (for example)
2. If "heads", that would direct you to the first half of the BIP39 list, "tails" the second half
3. Next coin: heads, the first half of the remaining words from step 2; tails, the second
4. Next coin, same procedure.
5. After doing the above with the 11 coins, you have your first word
6. Repeat the coin toss for the second word....

You see? Not so easy nor quick. Quick and easy random is not so quick... Thoughts?

(Octahedral dice might save a little time, but...)

EDIT: The link below will take you to an article by "Arman the Parman", where he details a way to generate your own seed.

https://bitcoinmagazine.com/culture/diy-bitcoin-private-key-project

Alas, it is still neither quick nor easy to do this..
PrimeNumber7
January 10, 2022, 03:03:17 AM
 #19


Quote from: dkbit98
Another free, safe and offline alternative is to use your own physical dice for generating seed words, without the use of any device.
Later you can import this into any wallet you want, including a hardware wallet.
I would probably trust a HW wallet manufacturer over an entity that only generates a random number. You are already trusting the HW wallet manufacturer if you are using it to sign transactions. Ditto if you are using a phone to store your keys.

Dice do guarantee entropy; they are free (minus the cost of the dice), assuming you are sure the dice are not weighted. You could also use a deck of cards, although I am not sure how to ensure the deck is properly shuffled. IMO, the best way to guarantee entropy would be to use a quarter (other USD coins would also work), although the process of flipping the coin and recording the result can be tedious and some people might take shortcuts.
o_e_l_e_o
January 10, 2022, 10:29:00 AM
Merited by witcher_sense (1)
 #20

Quote from: witcher_sense
However, what I don't understand is how we can actually verify that the mnemonic phrases which are shown upon initial setup really come from these random numbers.
There is no real way with a hardware wallet to verify the whole process.

The hardware wallet shows you a seed phrase. How do you know that seed phrase wasn't pre-generated and stored on a list of seed phrases in a database somewhere?
So then they show you the entropy, so you can verify that the seed phrase was produced from the entropy displayed. How do you know that entropy wasn't pre-generated and stored on a list of entropy in a database somewhere?
Maybe you generate new entropy 1 million times. How do you know that the generation really is random and not using a deterministic process?

The only way to resolve this is to use a hardware wallet which allows you to enter your own entropy (and then verify externally that the seed phrase your hardware wallet gives you does indeed match the entropy you fed it), or to generate your own seed phrase manually and enter that into your hardware wallet, such as by flipping a coin 256 times, calculating the checksum, and then encoding the result into BIP39 words.
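The entropy-to-words procedure that runs through this thread (Charles-Tim's bit-count table in #3, tenant48's description of the checksum and base-2048 split in #14, OROBTC's 11-coins-per-word idea in #18, and the flip-256-times-then-checksum route in the post above), as one added Python example written for this page; it is not code from any of the posters or wallet vendors. It assumes the BIP39 convention of SHA256-based checksum bits and 11-bit word indices and returns indices rather than words, so it runs offline; the word is found by counting down the english.txt list linked in #18 (index 0 is "abandon", 3 is "about", 102 is "art"). The coin-flip mapping H=1, T=0 is a constructed choice. It also goes one step beyond the posts: `repair_checksum` handles the case where every word was picked with 11 coin flips, which leaves the final checksum bits wrong most of the time.

```python
import hashlib
from typing import List, Tuple

# BIP39 entropy sizes (bits). A checksum of ENT/32 bits is appended and the result is
# cut into 11-bit groups, each an index into the 2048-word (2^11) english.txt list,
# so 128 -> 12 words, 160 -> 15, 192 -> 18, 224 -> 21, 256 -> 24.
ENT_SIZES = (128, 160, 192, 224, 256)
WORD_COUNTS = (12, 15, 18, 21, 24)


def word_count(ent_bits: int) -> int:
    if ent_bits not in ENT_SIZES:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    return (ent_bits + ent_bits // 32) // 11


def _checksum_bits(entropy: bytes) -> str:
    # Checksum = first ENT/32 bits of SHA256(entropy); never more than 8, so one byte suffices.
    return format(hashlib.sha256(entropy).digest()[0], "08b")[: len(entropy) * 8 // 32]


def flips_to_entropy(flips: str) -> bytes:
    """Coin flips recorded as 'H'/'T' (spaces allowed) become raw entropy; H=1, T=0 (constructed convention)."""
    flips = flips.upper().replace(" ", "")
    if len(flips) not in ENT_SIZES or set(flips) - {"H", "T"}:
        raise ValueError("need 128/160/192/224/256 flips, each H or T")
    bits = flips.replace("H", "1").replace("T", "0")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Entropy -> append checksum -> split into 11-bit word indices (base 2048)."""
    ent = len(entropy) * 8
    if ent not in ENT_SIZES:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    bits = format(int.from_bytes(entropy, "big"), "0%db" % ent) + _checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def _split_bits(indices: List[int]) -> Tuple[bytes, str]:
    n = len(indices)
    if n not in WORD_COUNTS or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need 12/15/18/21/24 indices in the range 0..2047")
    ent = n * 11 * 32 // 33                # n*11 = ENT + ENT/32
    bits = "".join(format(i, "011b") for i in indices)
    return int(bits[:ent], 2).to_bytes(ent // 8, "big"), bits[ent:]


def indices_to_entropy(indices: List[int]) -> bytes:
    """Reverse direction, for checking a displayed phrase against entropy you supplied:
    rebuild the bit string, split off the checksum and verify it."""
    entropy, checksum = _split_bits(indices)
    if checksum != _checksum_bits(entropy):
        raise ValueError("checksum mismatch: these words do not encode this entropy")
    return entropy


def repair_checksum(indices: List[int]) -> List[int]:
    """Choosing every word with 11 coin flips leaves the final ENT/32 bits without a
    checksum (valid only 1 time in 2^(ENT/32)); keep the chosen entropy bits and
    recompute the last word so the phrase validates."""
    entropy, _ = _split_bits(indices)
    return entropy_to_indices(entropy)


if __name__ == "__main__":
    # Constructed input: 256 flips, all tails, i.e. 32 zero bytes. Looking the
    # indices up in english.txt gives "abandon" x23 followed by index 102, "art".
    idx = entropy_to_indices(flips_to_entropy("T" * 256))
    print(word_count(256), idx)
    print(indices_to_entropy(idx) == bytes(32))
```

For the verification step the post above calls for, `indices_to_entropy` is the useful half: feed the wallet your own entropy, convert the words it displays back to indices, and the function either returns exactly the entropy you supplied or raises on a checksum mismatch.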