Seed Generation in Hardware Wallets

[satscraper]

PS
If anyone notices any mistake in my list please tell me to make a correction.

Please, find some qualification regarding Seed generation in Passport. To reach the highest level of randomness in the course of SEED creation Passport preliminary mixes entropy taken from ADC fed by Avalanche source with those ones from two build-in  RNGs (one of them is the part of MCU, the other one  is in SE):

The relevant  code to manage involved ADC on MCU can be found  here.

[1714275533]

1714275533

[1714275533]

1714275533

[satscraper]

@dkbit98, hi!

I think it is worth to add to the list NGRAVE ZERO, which uses the unique way to generate randomness by combining data taken from internal TRNG, fingerprint scanner and ambient light captured by the build-in  camera. They claim that such procedure  elevates entropy to the next level when compared to all existing hardware wallets.

https://www.ngrave.io/en/academy/post/beyond-mnemonic-phrases-the-path-to-the-ngrave-perfect-key
https://www.ngrave.io/en/blog/why-randomness-is-central-to-crypto-but-so-hard-to-achieve

[o_e_l_e_o]

-snip-

I've read through the links you provided, and while there are some good things about their system, there are some bad things as well.

Combining their RNG with entropy from physical sources is good. Ambient light from a camera is good depending on how they extract the entropy from the picture (although the article does not go in to that). Fingerprints are bad, for the same reasons that all biometrics are bad - they are easily copied and easily faked. The user interaction section is utterly meaningless. Swapping around 8 substrings gives 8! = 40,320 combinations, which could be bruteforced in a second. This part is security theater rather than anything meaningful.

Their justification for their back up system makes a lot of incorrect statements:

Aside from some experimentation with Shamir Secret Sharing, so far, there is no solution that truly overcomes this single-point-of-failure characteristic.

Multi-sig.

Finally, there is an even greater challenge to overcome: what if you lose your backup? You then lose your keys and therefore access to your funds, forever?

You go to your second back up.

And their back up system is even weirder. They use two steel plates, one acting as a decryption key for the other. So if you lose one, you've lost your coins. So no different to a standard back up, except now you've got two separate single points of failure. But then they say if you lose the decryption plate, NGRAVE can recover it for you? And if you want, you can complete KYC and store the data on your other plate with them as well? All in all it is the worst of all systems - single points of failure, zero redundancy, and a trusted third party being involved as well.

[satscraper]

-snip-

I've read through the links you provided, and while there are some good things about their system, there are some bad things as well.

I think there is no ideal approach to achieve 100% randomness using at least one  computational device (in their case TRNG) no matter how to mix entropy coming from various sources.

But,in my view,  the scheme used by  NGRAVE is worth sharing as it is in the tideway of this threat.

No doubts,  your analysis of NGRAVE-technicality is vary valuable addition   and should be taken into account.

[dkbit98]

I think it is worth to add to the list NGRAVE ZERO, which uses the unique way to generate randomness by combining data taken from internal TRNG, fingerprint scanner and ambient light captured by the build-in  camera. They claim that such procedure  elevates entropy to the next level when compared to all existing hardware wallets.

I didn't know about this information, but I will add it in first post.
However, I don't think it's needed to add additional entropy when you are already using TRUE RNG, especially not if you are adding biometrics like fingerprint that is unique piece of information.
You can't have two of the same fingerprints in the world even for twins, but you can duplicate any fingerprints very easily.

And their back up system is even weirder. They use two steel plates, one acting as a decryption key for the other. So if you lose one, you've lost your coins.

That sounds like a single point of failure to me
And let's not forget that Ngrave is maybe of the most expensive hardware wallets in the world right now.

[satscraper]

And their back up system is even weirder. They use two steel plates, one acting as a decryption key for the other. So if you lose one, you've lost your coins.

That sounds like a single point of failure to me

Yeah, but no one is obliged to acquire the whole set that includes those  two steel plates. User is free to buy only single hardware wallet ( too expensive for me though) and use the well-behaved method of storing SEED phrase on stainless washers as  following all recommendations described in this threat.  

As to their TRNG,  the landing page of official site states  that it is based on their patented chip, but I didn't find the relevant patent. Maybe will try once more.

[dkbit98]

Yeah, but no one is obliged to acquire the whole set that includes those  two steel plates. User is free to buy only single hardware wallet ( too expensive for me though) and use the well-behaved method of storing SEED phrase on stainless washers as  following all recommendations described in this threat. 

Sure, but why would anyone give people less secure option with single point of failure anyway, even if it's only optional?
You know for sure that someone will use this since it is available, and most people don't really care about better security until some disasters happens, and than they can blame everyone else.

[satscraper]

Yeah, but no one is obliged to acquire the whole set that includes those  two steel plates. User is free to buy only single hardware wallet ( too expensive for me though) and use the well-behaved method of storing SEED phrase on stainless washers as  following all recommendations described in this threat.  

Sure, but why would anyone give people less secure option with single point of failure anyway, even if it's only optional?
You know for sure that someone will use this since it is available, and most people don't really care about better security until some disasters happens, and than they can blame everyone else.

BTW, those plates  are for the storing BIP 32 root seed (= NGRAVE  "Perfect Key") rather than for the SEED phrase. If user will chose to create wallet with BIP 39 SEED phrase then those plates are useless (at least for storing that phrase itself) and he will search for alternative way (or wiil be in need to take an additional converting). I think they should  add and highlight this in the description of GRAPHENE (=  set of those two plates) product.

[o_e_l_e_o]

As to their TRNG,  the landing page of official site states  that it is based on their patented chip, but I didn't find the relevant patent.

Doesn't really matter, considering they aren't open source: https://github.com/ngraveio/zero-firmware

And given that their secure element and OS are going to remain closed source (https://support.ngrave.io/hc/en-us/articles/4409555395217-Is-the-ZERO-open-source-), then we will just have to take them at their word. Note that their word includes calling their device "100% offline" and "the coldest wallet", but also involves connecting it to a computer via USB in order to update it.

[Meuserna]

most people don't really care about better security until some disasters happens, and than they can blame everyone else.

I hate that you're right, but...  you're right.

I'm of the opinion that we all owe it to the community to keep teaching people how to properly secure their coins.  I've explained passphrases and how to create a strong one more times that I can even remember, but I keep doing it, because it matters.  I've explained the reasons to write a seed down on paper and make a metal backup, and store those two items in two separate locations only you have access to.  I've written about the importance of these things more times than I can remember.  I'm sure many of you have too.  And we have to keep on explaining, and keep on teaching, because so many people still don't understand the basics of security, and because there's a constant influx of newcomers who need to learn these things.

But no matter how hard we try to help...  as you said...  most people don't really care about security until it's too late, and then they blame everyone else.

We have to keep trying anyway, because for every ten idiots who don't listen, if we're lucky there will be one person who does.

In terms of securing a seed: My favorite hardware wallet is an open source project called Krux.  It's fully airgapped and uses SeedQR.  Krux makes it easy to create an encrypted SeedQR, so even if somebody finds the QR code, they can't use it (or even tell what it is).  The encrypted SeedQRs don't even need Krux to be decrypted (so long as you don't lose the decryption key you created, which is basically a password or passphrase).  It's a brilliant system, and the hardware to run it on only costs around $50.

[satscraper]

most people don't really care about better security until some disasters happens, and than they can blame everyone else.

I hate that you're right, but...  you're right.

I'm of the opinion that we all owe it to the community to keep teaching people how to properly secure their coins.  I've explained passphrases and how to create a strong one more times that I can even remember, but I keep doing it, because it matters.  I've explained the reasons to write a seed down on paper and make a metal backup, and store those two items in two separate locations only you have access to.  I've written about the importance of these things more times than I can remember.  I'm sure many of you have too.  And we have to keep on explaining, and keep on teaching, because so many people still don't understand the basics of security, and because there's a constant influx of newcomers who need to learn these things.

But no matter how hard we try to help...  as you said...  most people don't really care about security until it's too late, and then they blame everyone else.

We have to keep trying anyway, because for every ten idiots who don't listen, if we're lucky there will be one person who does.

In terms of securing a seed: My favorite hardware wallet is an open source project called Krux.  It's fully airgapped and uses SeedQR.  Krux makes it easy to create an encrypted SeedQR, so even if somebody finds the QR code, they can't use it (or even tell what it is).  The encrypted SeedQRs don't even need Krux to be decrypted (so long as you don't lose the decryption key you created, which is basically a password or passphrase).  It's a brilliant system, and the hardware to run it on only costs around $50.

All that is good but seems to be fully  off-topic (and pathetic at the same time) .

The core of this thread is to discuss various techniques used by hardware wallets to harvest the randomness while your post said  nothing about this.

Thus. let's resume the natural course.

How would you compare the quality of entropy generated by Krux vs other wallets listed by OP?

[dkbit98]

Doesn't really matter, considering they aren't open source

Exactly.
Old smartphone can work better than Ngrave if you don't care about open source code, and you can also install Graphene OS on Pixel and get device with open source software.
You pay less money for this, and you can always switch back to use it as regular smartphone.
I think newer Pixel devices also have secure space, that is not exactly secure element, but it gives additional security.
Krux app can work on smartphones, but there are other wallets you can use without internet connection.

All that is good but seems to be fully  off-topic (and pathetic at the same time)

It's not off-topic and it's not pathetic.
Seed phrase IS generated on Krux and Krux is DIY hardware wallet, not a banana.

[Meuserna]

How would you compare the quality of entropy generated by Krux vs other wallets listed by OP?

Aside from the standard randomization, Krux has the user take a photo & uses that image as data for additional entropy.

For the record, I'm not involved with Krux in any way.  I watched a review of an earlier version of it by Crypto-Guide on youtube, and since hardware to run it on was under $50, I figured I'd give it a shot.  Of all the hardware wallets I've used, this is the one that impressed me the most thanks to the combination of using the camera for additional entropy, having a large touchscreen for fast & easy text entry, being fully airgapped, using encrypted SeedQR, using passphrase QR, and the UI is so clear & intuitive.  I hope SeedSigner eventually adds these features, because that's another project I really like.

[satscraper]

Krux has the user take a photo & uses that image as data for additional entropy.

Thanks for response.  Could you head me to the proper source of this information? I've sieved their GitHub account but didn't find anything relevant.

 I'm an owner of  Passport 2 and looking for the decent companion to my wallet to use it as a cosigner in multisig.

 Krux might be viewed as candidate  if it would meet my requirements.

[kkdao]

Krux has the user take a photo & uses that image as data for additional entropy.

Thanks for response.  Could you head me to the proper source of this information? I've sieved their GitHub account but didn't find anything relevant.

 I'm an owner of  Passport 2 and looking for the decent companion to my wallet to use it as a cosigner in multisig.

 Krux might be viewed as candidate  if it would meet my requirements.

Which github account were you viewing, this one? https://github.com/selfcustody/krux

[Meuserna]

Krux has the user take a photo & uses that image as data for additional entropy.

Thanks for response.  Could you head me to the proper source of this information?

I've used it.  When creating a seed, it asks you to tap the screen to take a picture for use as entropy.  Then the screen shows the camera view.  Tap.  Captured.  Done.  It's quick & easy.

Here's a full review I wrote & posted in the forum (EDIT: with a lot of pics.  Check it out).

There's tons of info on their Github:

Generating a Mnemonic:
In the case a camera snapshot is used as source, image bytes, which contain pixels data in RGB565 format, will be hashed just like it is done with the dice rolls string.

Krux then takes this hash, runs unhexlify on it to encode it as bytes, and deterministically converts it into a mnemonic according to the BIP-39 Reference Implementation.

Encrypted Mnemonics
https://selfcustody.github.io/krux/getting-started/features/encrypted-mnemonics/

You can pick up hardware to run Krux for under $50, so it's cheap to try.  I like using it on a Maix Amigo because of the large touchscreen, but the M5StickV is another option that is similar in size to a Blockstream Jade.

[dkbit98]

You can pick up hardware to run Krux for under $50, so it's cheap to try.  I like using it on a Maix Amigo because of the large touchscreen, but the M5StickV is another option that is similar in size to a Blockstream Jade.

I can confirm everything works very good with M5StickV, and this is great to have if you like to have smaller size hardware wallet.
Another good thing about M5StickV is that you can run/remove Krux code and add some other firmware on it, for example code for Jade wallet can be added following instructions below:
https://github.com/Blockstream/Jade

That being said, price for Maix Amigo is around $50 and M5StickV has similar price now, so Maix Amigo is much better option overall.
When I purchased M5StickV price was much lower with some discount.