Are dices for generating seed words fair?

[o_e_l_e_o]

the more ways to do something the better.

Disagree. The more ways there are to do something then the more chance that one of those ways is fundamentally flawed, that one of those ways is not secure, that one of those ways is too complex to back up, and so on. Far better to stick to a small number of reviewed, tested, and verified methods, than just coming up with a dozen new ones just for the sake of it.

let's say metal coins went out of circulation and became a rarity.

Flip anything using von Neumann's algorithm, and the bias doesn't matter. Doesn't strictly have to be a coin. A key would be a suitable alternative - robust, heavy enough to easily flip, and most keys have some writing or engraving which is different on each side.

[philipma1957]

If you cannot audit the code, how do you know there isn't some fatal flaw or maliciousness which means it is spitting out one of a very few number of possible results, or it is introducing a heavy bias?

well you don't. simple as that. which is why code audits are important. when looking over deckware, i can see that it doesn't seem to be trying to connect to the internet anywhere in the code. so that's good. obviously though more analysis of its implementation of the lehmer code would be needed to see if it really is working correctly. not saying it's not but i would need to verify. especially since it's not something alot of people use and if there was bugs in it, you might not be able to just "google it".

But why? What do you think you are achieving with this over much simpler and provably secure methods like /dev/urandom or unbiased coin flips?

the more ways to do something the better. let's say metal coins went out of circulation and became a rarity. isn't that almost happening as the world transforms into a digital economy via bitcoin and credit cards and such? people might not have coins to flip. not everyone has coins lying around since why would they? they use digital money. i'd be willing to bet there are people out there who have no coins at all lying around in their possession. probably alot!

Complexity is the enemy of security. Flip a coin, generate seed phrase, write it down. Safe, secure, simple.

the more ways i look into gathering entropy the more I agree with the above statement as far as flipping a coin being the simplest, safest, most secure PHYSICAL method. we can't argue with that.

hmm how about a pair of bingo machines with ping pong balls in it?

the way you described it at first it looks like a good idea but then after i thought a bit more i realize it has a problem.

this methods does allow for repeated words which is okay and

i'm not sure it is ok. unless all words get repeated with the same frequency. but i don't think that's the case so it suffers from BIAS. not all integers have the same number of factorizations.

seems like it will be fun to build this.

even just one bingo cage is fun.   you get to rolling those things around in the cage and its like looking randomness in the face.

Okay 2048 numbers

2048/32 = 64

so machine a with balls 1-32
machine b with balls 1-64


 spin both machines a and b will always be a 1/2048 chance to get a word

as 32x64 = 2048

every word has a 2 ball assignment.

Machine a say 1
Machine b say 1 is the first word on the list    abandon


Machine a say 1
Machine b say 2 is the second word on the list ability


I do not see how it fails to not be a 1/2048 chance every time  since repeats are allowed.

and if real lists do not allow for a repeat simply skip the repeats if they occur.

I seem to recall getting a list that repeated a word but it was years ago.

Code:

abandon
0001) ability = (  bingo a 1) + ( bingo b 1 )
0002) able    = ( bingo a  1) + ( bingo b 2 )
0003) about  = ( bingo a  1) + ( bingo b 3 )
0004) above
0005) absent
absorb
abstract
absurd
abuse
access
accident
account
accuse
achieve
acid
acoustic
acquire
across
act
action
actor
actress
actual
adapt
add
addict
address
adjust
admit
adult
advance
advice
aerobic
affair
afford
afraid
again
age
agent
agree
ahead
aim
air
airport
aisle
alarm
album
alcohol
alert
alien
all
alley
allow
almost
alone
alpha
already
also
alter
always
amateur
amazing
among
0065) amount (bingo a 2) + (bingo b 1)
amused
analyst
anchor
ancient
anger
angle
angry
animal
ankle
announce
annual
another
answer
antenna
antique
anxiety
any
apart
apology
appear
apple
approve
april
arch
arctic
area
arena
argue
arm
armed
armor
army
around
arrange
arrest
arrive
arrow
art
artefact
artist
artwork
ask
aspect
assault
asset
assist
assume
asthma
athlete
atom
attack
attend
attitude
attract
auction
audit
august
aunt
author
auto
autumn
average
avocado
avoid
awake
aware
away
awesome
awful
awkward
axis
baby
bachelor
bacon
badge
bag
balance
balcony
ball
bamboo
banana
banner
bar
barely
bargain
barrel
base
basic
basket
battle
beach
bean
beauty
because
become
beef
before
begin
behave
behind
believe
below
belt
bench
benefit
best
betray
better
between
beyond
bicycle
bid
bike
bind
biology
bird
birth
bitter
black
blade
blame
blanket
blast
bleak
bless
blind
blood
blossom
blouse
blue
blur
blush
board
boat
body
boil
bomb
bone
bonus
book
boost
border
boring
borrow
boss
bottom
bounce
box
boy
bracket
brain
brand
brass
brave
bread
breeze
brick
bridge
brief
bright
bring
brisk
broccoli
broken
bronze
broom
brother
brown
brush
bubble
buddy
budget
buffalo
build
bulb
bulk
bullet
bundle
bunker
burden
burger
burst
bus
business
busy
butter
buyer
buzz
cabbage
cabin
cable
cactus
cage
cake
call
calm
camera
camp
can
canal
cancel
candy
cannon
canoe
canvas
canyon
capable
capital
captain
car
carbon
card
cargo
carpet
carry
cart
case
cash
casino
castle
casual
cat
catalog
catch
category
cattle
caught
cause
caution
cave
ceiling
celery
cement
census
century
cereal
certain
chair
chalk
champion
change
chaos
chapter
charge
chase
chat
cheap
check
cheese
chef
cherry
chest
chicken
chief
child
chimney
choice
choose
chronic
chuckle
chunk
churn
cigar
cinnamon
circle
citizen
city
civil
claim
clap
clarify
claw
clay
clean
clerk
clever
click
client
cliff
climb
clinic
clip
clock
clog
close
cloth
cloud
clown
club
clump
cluster
clutch
coach
coast
coconut
code
coffee
coil
coin
collect
color
column
combine
come
comfort
comic
common
company
concert
conduct
confirm
congress
connect
consider
control
convince
cook
cool
copper
copy
coral
core
corn
correct
cost
cotton
couch
country
couple
course
cousin
cover
coyote
crack
cradle
craft
cram
crane
crash
crater
crawl
crazy
cream
credit
creek
crew
cricket
crime
crisp
critic
crop
cross
crouch
crowd
crucial
cruel
cruise
crumble
crunch
crush
cry
crystal
cube
culture
cup
cupboard
curious
current
curtain
curve
cushion
custom
cute
cycle
dad
damage
damp
dance
danger
daring
dash
daughter
dawn
day
deal
debate
debris
decade
december
decide
decline
decorate
decrease
deer
defense
define
defy
degree
delay
deliver
demand
demise
denial
dentist
deny
depart
depend
deposit
depth
deputy
derive
describe
desert
design
desk
despair
destroy
detail
detect
develop
device
devote
diagram
dial
diamond
diary
dice
diesel
diet
differ
digital
dignity
dilemma
dinner
dinosaur
direct
dirt
disagree
discover
disease
dish
dismiss
disorder
display
distance
divert
divide
divorce
dizzy
doctor
document
dog
doll
dolphin
domain
donate
donkey
donor
door
dose
double
dove
draft
dragon
drama
drastic
draw
dream
dress
drift
drill
drink
drip
drive
drop
drum
dry
duck
dumb
dune
during
dust
dutch
duty
dwarf
dynamic
eager
eagle
early
earn
earth
easily
east
easy
echo
ecology
economy
edge
edit
educate
effort
egg
eight
either
elbow
elder
electric
elegant
element
elephant
elevator
elite
else
embark
embody
embrace
emerge
emotion
employ
empower
empty
enable
enact
end
endless
endorse
enemy
energy
enforce
engage
engine
enhance
enjoy
enlist
enough
enrich
enroll
ensure
enter
entire
entry
envelope
episode
equal
equip
era
erase
erode
erosion
error
erupt
escape
essay
essence
estate
eternal
ethics
evidence
evil
evoke
evolve
exact
example
excess
exchange
excite
exclude
excuse
execute
exercise
exhaust
exhibit
exile
exist
exit
exotic
expand
expect
expire
explain
expose
express
extend
extra
eye
eyebrow
fabric
face
faculty
fade
faint
faith
fall
false
fame
family
famous
fan
fancy
fantasy
farm
fashion
fat
fatal
father
fatigue
fault
favorite
feature
february
federal
fee
feed
feel
female
fence
festival
fetch
fever
few
fiber
fiction
field
figure
file
film
filter
final
find
fine
finger
finish
fire
firm
first
fiscal
fish
fit
fitness
fix
flag
flame
flash
flat
flavor
flee
flight
flip
float
flock
floor
flower
fluid
flush
fly
foam
focus
fog
foil
fold
follow
food
foot
force
forest
forget
fork
fortune
forum
forward
fossil
foster
found
fox
fragile
frame
frequent
fresh
friend
fringe
frog
front
frost
frown
frozen
fruit
fuel
fun
funny
furnace
fury
future
gadget
gain
galaxy
gallery
game
gap
garage
garbage
garden
garlic
garment
gas
gasp
gate
gather
gauge
gaze
general
genius
genre
gentle
genuine
gesture
ghost
giant
gift
giggle
ginger
giraffe
girl
give
glad
glance
glare
glass
glide
glimpse
globe
gloom
glory
glove
glow
glue
goat
goddess
gold
good
goose
gorilla
gospel
gossip
govern
gown
grab
grace
grain
grant
grape
grass
gravity
great
green
grid
grief
grit
grocery
group
grow
grunt
guard
guess
guide
guilt
guitar
gun
gym
habit
hair
half
hammer
hamster
hand
happy
harbor
hard
harsh
harvest
hat
have
hawk
hazard
head
health
heart
heavy
hedgehog
height
hello
helmet
help
hen
hero
hidden
high
hill
hint
hip
hire
history
hobby
hockey
hold
hole
holiday
hollow
home
honey
hood
hope
horn
horror
horse
hospital
host
hotel
hour
hover
hub
huge
human
humble
humor
hundred
hungry
hunt
hurdle
hurry
hurt
husband
hybrid
ice
icon
idea
identify
idle
ignore
ill
illegal
illness
image
imitate
immense
immune
impact
impose
improve
impulse
inch
include
income
increase
index
indicate
indoor
industry
infant
inflict
inform
inhale
inherit
initial
inject
injury
inmate
inner
innocent
input
inquiry
insane
insect
inside
inspire
install
intact
interest
into
invest
invite
involve
iron
island
isolate
issue
item
ivory
jacket
jaguar
jar
jazz
jealous
jeans
jelly
jewel
job
join
joke
journey
joy
judge
juice
jump
jungle
junior
junk
just
kangaroo
keen
keep
ketchup
key
kick
kid
kidney
kind
kingdom
kiss
kit
kitchen
kite
kitten
kiwi
knee
knife
knock
know
lab
label
labor
ladder
lady
lake
lamp
language
laptop
large
later
latin
laugh
laundry
lava
law
lawn
lawsuit
layer
lazy
leader
leaf
learn
leave
lecture
left
leg
legal
legend
leisure
lemon
lend
length
lens
leopard
lesson
letter
level
liar
liberty
library
license
life
lift
light
like
limb
limit
link
lion
liquid
list
little
live
lizard
load
loan
lobster
local
lock
logic
lonely
long
loop
lottery
loud
lounge
love
loyal
lucky
luggage
lumber
lunar
lunch
luxury
lyrics
machine
mad
magic
magnet
maid
mail
main
major
make
mammal
man
manage
mandate
mango
mansion
manual
maple
marble
march
margin
marine
market
marriage
mask
mass
master
match
material
math
matrix
matter
maximum
maze
meadow
mean
measure
meat
mechanic
medal
media
melody
melt
member
memory
mention
menu
mercy
merge
merit
merry
mesh
message
metal
method
middle
midnight
milk
million
mimic
mind
minimum
minor
minute
miracle
mirror
misery
miss
mistake
mix
mixed
mixture
mobile
model
modify
mom
moment
monitor
monkey
monster
month
moon
moral
more
morning
mosquito
mother
motion
motor
mountain
mouse
move
movie
much
muffin
mule
multiply
muscle
museum
mushroom
music
must
mutual
myself
mystery
myth
naive
name
napkin
narrow
nasty
nation
nature
near
neck
need
negative
neglect
neither
nephew
nerve
nest
net
network
neutral
never
news
next
nice
night
noble
noise
nominee
noodle
normal
north
nose
notable
note
nothing
notice
novel
now
nuclear
number
nurse
nut
oak
obey
object
oblige
obscure
observe
obtain
obvious
occur
ocean
october
odor
off
offer
office
often
oil
okay
old
olive
olympic
omit
once
one
onion
online
only
open
opera
opinion
oppose
option
orange
orbit
orchard
order
ordinary
organ
orient
original
orphan
ostrich
other
outdoor
outer
output
outside
oval
oven
over
own
owner
oxygen
oyster
ozone
pact
paddle
page
pair
palace
palm
panda
panel
panic
panther
paper
parade
parent
park
parrot
party
pass
patch
path
patient
patrol
pattern
pause
pave
payment
peace
peanut
pear
peasant
pelican
pen
penalty
pencil
people
pepper
perfect
permit
person
pet
phone
photo
phrase
physical
piano
picnic
picture
piece
pig
pigeon
pill
pilot
pink
pioneer
pipe
pistol
pitch
pizza
place
planet
plastic
plate
play
please
pledge
pluck
plug
plunge
poem
poet
point
polar
pole
police
pond
pony
pool
popular
portion
position
possible
post
potato
pottery
poverty
powder
power
practice
praise
predict
prefer
prepare
present
pretty
prevent
price
pride
primary
print
priority
prison
private
prize
problem
process
produce
profit
program
project
promote
proof
property
prosper
protect
proud
provide
public
pudding
pull
pulp
pulse
pumpkin
punch
pupil
puppy
purchase
purity
purpose
purse
push
put
puzzle
pyramid
quality
quantum
quarter
question
quick
quit
quiz
quote
rabbit
raccoon
race
rack
radar
radio
rail
rain
raise
rally
ramp
ranch
random
range
rapid
rare
rate
rather
raven
raw
razor
ready
real
reason
rebel
rebuild
recall
receive
recipe
record
recycle
reduce
reflect
reform
refuse
region
regret
regular
reject
relax
release
relief
rely
remain
remember
remind
remove
render
renew
rent
reopen
repair
repeat
replace
report
require
rescue
resemble
resist
resource
response
result
retire
retreat
return
reunion
reveal
review
reward
rhythm
rib
ribbon
rice
rich
ride
ridge
rifle
right
rigid
ring
riot
ripple
risk
ritual
rival
river
road
roast
robot
robust
rocket
romance
roof
rookie
room
rose
rotate
rough
round
route
royal
rubber
rude
rug
rule
run
runway
rural
sad
saddle
sadness
safe
sail
salad
salmon
salon
salt
salute
same
sample
sand
satisfy
satoshi
sauce
sausage
save
say
scale
scan
scare
scatter
scene
scheme
school
science
scissors
scorpion
scout
scrap
screen
script
scrub
sea
search
season
seat
second
secret
section
security
seed
seek
segment
select
sell
seminar
senior
sense
sentence
series
service
session
settle
setup
seven
shadow
shaft
shallow
share
shed
shell
sheriff
shield
shift
shine
ship
shiver
shock
shoe
shoot
shop
short
shoulder
shove
shrimp
shrug
shuffle
shy
sibling
sick
side
siege
sight
sign
silent
silk
silly
silver
similar
simple
since
sing
siren
sister
situate
six
size
skate
sketch
ski
skill
skin
skirt
skull
slab
slam
sleep
slender
slice
slide
slight
slim
slogan
slot
slow
slush
small
smart
smile
smoke
smooth
snack
snake
snap
sniff
snow
soap
soccer
social
sock
soda
soft
solar
soldier
solid
solution
solve
someone
song
soon
sorry
sort
soul
sound
soup
source
south
space
spare
spatial
spawn
speak
special
speed
spell
spend
sphere
spice
spider
spike
spin
spirit
split
spoil
sponsor
spoon
sport
spot
spray
spread
spring
spy
square
squeeze
squirrel
stable
stadium
staff
stage
stairs
stamp
stand
start
state
stay
steak
steel
stem
step
stereo
stick
still
sting
stock
stomach
stone
stool
story
stove
strategy
street
strike
strong
struggle
student
stuff
stumble
style
subject
submit
subway
success
such
sudden
suffer
sugar
suggest
suit
summer
sun
sunny
sunset
super
supply
supreme
sure
surface
surge
surprise
surround
survey
suspect
sustain
swallow
swamp
swap
swarm
swear
sweet
swift
swim
swing
switch
sword
symbol
symptom
syrup
system
table
tackle
tag
tail
talent
talk
tank
tape
target
task
taste
tattoo
taxi
teach
team
tell
ten
tenant
tennis
tent
term
test
text
thank
that
theme
then
theory
there
they
thing
this
thought
three
thrive
throw
thumb
thunder
ticket
tide
tiger
tilt
timber
time
tiny
tip
tired
tissue
title
toast
tobacco
today
toddler
toe
together
toilet
token
tomato
tomorrow
tone
tongue
tonight
tool
tooth
top
topic
topple
torch
tornado
tortoise
toss
total
tourist
toward
tower
town
toy
track
trade
traffic
tragic
train
transfer
trap
trash
travel
tray
treat
tree
trend
trial
tribe
trick
trigger
trim
trip
trophy
trouble
truck
true
truly
trumpet
trust
truth
try
tube
tuition
tumble
tuna
tunnel
turkey
turn
turtle
twelve
twenty
twice
twin
twist
two
type
typical
ugly
umbrella
unable
unaware
uncle
uncover
under
undo
unfair
unfold
unhappy
uniform
unique
unit
universe
unknown
unlock
until
unusual
unveil
update
upgrade
uphold
upon
upper
upset
urban
urge
usage
use
used
useful
useless
usual
utility
vacant
vacuum
vague
valid
valley
valve
van
vanish
vapor
various
vast
vault
vehicle
velvet
vendor
venture
venue
verb
verify
version
very
vessel
veteran
viable
vibrant
vicious
victory
video
view
village
vintage
violin
virtual
virus
visa
visit
visual
vital
vivid
vocal
voice
void
volcano
volume
vote
voyage
wage
wagon
wait
walk
wall
walnut
want
warfare
warm
warrior
wash
wasp
waste
water
wave
way
wealth
weapon
wear
weasel
weather
web
wedding
weekend
weird
welcome
west
wet
whale
what
wheat
wheel
when
where
whip
whisper
wide
width
wife
wild
will
win
window
wine
wing
wink
winner
winter
wire
wisdom
wise
wish
witness
wolf
woman
wonder
wood
wool
word
work
world
worry
worth
wrap
wreck
wrestle
wrist
write
wrong
yard
year
yellow
you
young
youth
zebra
zero
zone
zoo

[o_e_l_e_o]

I do not see how it fails to not be a 1/2048 chance every time  since repeats are allowed.

No, you are right. Each word in this set up has exactly one combination which will generate it, so provided all your balls have an exactly equal chance of being drawn, then this would work. However, the tests required to ensure no bias in this set up are significantly longer and more complex than those for flipping a coin, which as I pointed out earlier in this thread would still require ~16,000 flips to even begin to approach being comfortable that the bias was small enough to not significantly reduce the security of your entropy. So again, this is yet another method I would not recommend.

I seem to recall getting a list that repeated a word but it was years ago.

Yes, words can repeat in seed phrases. There is around a 1 in 31 chance of this happening in 12 word seed phrases, and around a 1 in 8 chance in 24 word seed phrases.

[philipma1957]

I do not see how it fails to not be a 1/2048 chance every time  since repeats are allowed.

No, you are right. Each word in this set up has exactly one combination which will generate it, so provided all your balls have an exactly equal chance of being drawn, then this would work. However, the tests required to ensure no bias in this set up are significantly longer and more complex than those for flipping a coin, which as I pointed out earlier in this thread would still require ~16,000 flips to even being to approach being comfortable that the bias was small enough to be irrelevant. So again, this is yet another method I would not recommend.

I seem to recall getting a list that repeated a word but it was years ago.

Yes, words can repeat in seed phrases. There is around a 1 in 31 chance of this happening in 12 word seed phrases, and around a 1 in 8 chance in 24 word seed phrases.

Yeah I suppose the balls do not have exactly equal shape and size and weight. So in theory B1 in the 32 ball setup could be 1 in 30 not 1 in 32 due to an uneven shape/size/weight

and or B1 in the 64 ball setup could be a 1 in 61 not 1 in 64 due to an uneven shape/size/weight

But knowing dice and coins  are often bias I guess perfect randomness is hard to insure.

[larry_vw_1955]

Disagree. The more ways there are to do something then the more chance that one of those ways is fundamentally flawed, that one of those ways is not secure, that one of those ways is too complex to back up, and so on. Far better to stick to a small number of reviewed, tested, and verified methods, than just coming up with a dozen new ones just for the sake of it.

all I'm saying is this bingo cage method seems pretty solid to me. is this bingo cage method for everyone? absolutely not. its probably not for anyone unless they are willing to learn how to convert permutations into numbers using some programming language. and all that that entails. but when did some trial runs of my bingo cage and drew the numbers out one by one, I felt like it was producing some high quality randomness. so of course that made me motivated to see it to its full conclusion. it took about 10 to 15 minutes to generate the full sequence of numbers. and then a few minutes to record them onto a piece of paper.

there's something about generating entropy in a physical fashion that beats doing it on a computer. I've done it using /dev/random on linux. done it using dice. the physical way though just feels like it's more secure.

let's say metal coins went out of circulation and became a rarity.

Flip anything using von Neumann's algorithm, and the bias doesn't matter. Doesn't strictly have to be a coin. A key would be a suitable alternative - robust, heavy enough to easily flip, and most keys have some writing or engraving which is different on each side.

so one of my things on my todo list is flipping a coin 256 times. i'm not sure if i'll use the von neumann method on it but i would like to just do the coin flipping thing to see how that feels. a random coin shoudn't really contain much bias anyway i wouldn't think. so for just a one-off trial run, i should be ok doing it that way to start.

I do not see how it fails to not be a 1/2048 chance every time  since repeats are allowed.

ok well maybe i misunderstood how it worked so yeah maybe you're right. if one doesn't mind doing alot of spinning of the bingo cages i guess it works but i would be concerned that when i replace the ball after it comes out, am i spinning the cage enough to give it the proper chance to be selected again on the next draw. or maybe if i don't spin the cage enough the chances of that ball getting selected again are lower or higher than they really should be. i don't know.

[o_e_l_e_o]

this bingo cage method seems pretty solid to me
I felt like it was producing some high quality randomness
the physical way though just feels like it's more secure

Forgive me for butchering your quote and adding emphasis, but this seems to be where we fundamentally disagree. Something feeling secure and something being secure are not the same thing. We have seen countless examples on this forum of people who have come up with their own methods for generating private keys or backing up wallets which they think are safe and secure, and the end up with all their coins being stolen or their wallets being irretrievably lost. People think they are good at being random and picking passwords, for example, when we know that human generated passwords are usually the weakest there are.

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure. And the fact is that to prove to a reasonable certainty that there is no bias in this kind of bingo system takes complex math and hundreds of thousands of trial runs, which no one will ever do. Therefore you shouldn't use this system.

[LoyceV]

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure.

I like to think I'm in the same boat, but many (if not most) people are the opposite, because risk isn't something you understand intuitively.

[larry_vw_1955]

this bingo cage method seems pretty solid to me
I felt like it was producing some high quality randomness
the physical way though just feels like it's more secure

Forgive me for butchering your quote and adding emphasis, but this seems to be where we fundamentally disagree. Something feeling secure and something being secure are not the same thing.

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure. And the fact is that to prove to a reasonable certainty that there is no bias in this kind of bingo system takes complex math and hundreds of thousands of trial runs, which no one will ever do. Therefore you shouldn't use this system.

i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store. now is that what makes me think my bingo cage is producing high quality entropy otherwise i wouldn't really feel confident? of course not. some things are just obvious. like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....

We have seen countless examples on this forum of people who have come up with their own methods for generating private keys or backing up wallets which they think are safe and secure, and the end up with all their coins being stolen or their wallets being irretrievably lost.

yeah, well I don't know what examples you're talking about but i doubt they have anything to do with with this bingo cage method. if they would have used it instead they probably wouldn't have lost their coins. and when I say used it i mean used it responsibly and correctly. which means you get your entropy and then seed and then backup the seed in a correct way.

trying to be clever by backing things up in a non-standard way though is an ideal way to lose your bitcoin, i would agree 

People think they are good at being random and picking passwords, for example, when we know that human generated passwords are usually the weakest there are.

who said anything about trying to pick passwords out of my head? i'm not trying to do that at all

[philipma1957]

this bingo cage method seems pretty solid to me
I felt like it was producing some high quality randomness
the physical way though just feels like it's more secure

Forgive me for butchering your quote and adding emphasis, but this seems to be where we fundamentally disagree. Something feeling secure and something being secure are not the same thing. We have seen countless examples on this forum of people who have come up with their own methods for generating private keys or backing up wallets which they think are safe and secure, and the end up with all their coins being stolen or their wallets being irretrievably lost. People think they are good at being random and picking passwords, for example, when we know that human generated passwords are usually the weakest there are.

I'm not interested in how secure something feels. I'm interested in hard data which proves it is secure. And the fact is that to prove to a reasonable certainty that there is no bias in this kind of bingo system takes complex math and hundreds of thousands of trial runs, which no one will ever do. Therefore you shouldn't use this system.

I beg to differ for a lot of reasons,but I do agree that the 1/2048 for every word is more likely to be in a range of 1/2000 to 1/2100 for each word on the list.

than it is to be a perfect 1/2048


but no one will have tested and found out which is 1/2000 or 1/2100.  since testing this is actually not possible.

reason being wear and tear on the equipment will shift the odds.

So the ability to know what the true likely of the 2048 combos is makes it another kind of randomness.

Lets say I am a magical person or lets say in an imaginary situation the range is from 1/2000 to 1/2100

only the magical person would know which combo is bias to 1/2000 and even if the magical person perfectly  
determines the true bias of each and every number  1/2000 to the 24th power is almost as big as 1/2048 to the 24th power in terms of the likely hood of cracking the bingo code.

I would think the mechanical bingo method is good enough if you do a 24 word key.


oh make it more fun spin the bingo blind folded and use a 60 second timer

get your  1 to 32

walk to next machine spin it blind folded with a 60 second timer bell . when it rings get your number

granted if you do 24 words it is two spins a word. so at least 48 minutes but it is pretty fucking random.


just not exactly 1/2048 to the 24 power random.

I kind of like the non exact randomness on a conceptual level.

[o_e_l_e_o]

i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store.

And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....

That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.

I would think the mechanical bingo method is good enough if you do a 24 word key.

There we go again. "I would think". What you are proposing may well be safe enough, but we don't know that. And the amount of time and complexity required to exclude bias from a bingo machine is out of reach of the average Joe.

[larry_vw_1955]

And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

Just a kids toy. That's why it was made anyway.

That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

I have about 7 full test runs completed. Where i drew out all the balls one by one in each test run and recorded the order in which they came out. I was careful to not store the sequences of numbers online. As I'm not wasting all that time for nothing. Except for one of them I did store it online as a test vector for further processing purposes later on. (conversion to a mnemonic phrase).

This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.

I doubt you will find any research papers of people trying to assess the entropy quality of bingo machines. There doesn't seem to be much interest in the topic. Although there surely is with dice.

[philipma1957]

i think we can say that if lotteries use variants of the bingo cage system (they blow air into the balls and let one ball come through a tube at a time) if it's good enough for handing out 500 million dollars to someone that can pick the winning balls then i think it's good enough to secure my bitcoin or whatever crypto i'm trying to store.

And do you have a high grade, thoroughly tested, independently audited, state or national level lottery machine in your house? Or do you have some kids toy you bought for 20 bucks? They are not comparable.

like radioactive decay being random. can you prove that? do you demand proof of it before you would accept it? probably not. in fact, you can't prove it. all you can do is say based on observations so far it seems to....

That's pretty much how all of science works. We have mountains of data from hundreds of years of global study that says that radioactive decay is random. How much data do you have on your little bingo machine at home?

This is again my point. I don't want entropy I think is random. I want entropy which has been proven to be random.

I would think the mechanical bingo method is good enough if you do a 24 word key.

There we go again. "I would think". What you are proposing may well be safe enough, but we don't know that. And the amount of time and complexity required to exclude bias from a bingo machine is out of reach of the average Joe.

No one can perfectly determine the bias on a bingo machine.

First weigh every ball
Second do dozens of diameter and circumference measurements.

If you do this put the balls in and rotate machine for a minute the very act of rotation will alter the balls at they hit each other and even if they were not bias at the beginning of the roll they will be be the end of the roll.

What you are missing is that the bias created by rotating the machine and bouncing the balls would be random.

What you are missing is 2 machines 32 balls in machine one always change their bias with each and every roll

What you are missing is second machine with 64 balls changes the bias a tiny bit with every section.

compound an unknown bias which changes with every roll by 24 + 24 rolls it is random actually more random then is measurable by any mechanical means.  

It is perfectly random" No it is randomly random. Nuff said

as I won't be able to convince you that buying a pair of 100 usd dollar bingo machines is pretty much mechanical perfection

with 2 givens just weigh the balls and measure the circumference of them.

If the balls are within 0.001 grams and 0.001mm my guess is it is far better than any other method.

Obviously if a ball is too big it may never be picked very easy to see if the balls are far too big or too small. Simply have a few precise holes

say
1 and 1/64 inch
1 inch
63/64 inch
31/32 inch

see at what point the ball fits if they are within 1/64 of an inch the bias won't do much.

if they should weigh 10 grams allow 9.99 to 10.01 grams

those would not greatly alter the bias.

who cares if it is not random but has an unknown bias to:

 pick  abandon  1001 out of 2,048,000 picks
 pick  zoo           999 out of 2,048,000 picks

the reality is no one will spin the machines enough to get a true number and the next spin can alter the math as the balls get worn.

so math would say it is not provable that it is random.  which is what you are doing.

I agree it it not provable.  In fact it is unlikely to be truly random, but it is not predictable via measuring techniques that we have.

so first word you got was a 1/2047 as predicted be a being with magical skill
second word you got was a 1/2048
third word you got was a 1/2049
fourth word you got was a 1/2047

so 24 words all picked and all very likely to be in the range of 1/2000 to 1/2100

vs a perfect 1/2048 pretty much is good enough in this world as it is cheap and easy to do.

vs dice which are easy to load
vs coins which are easy to load

vs random generators which are very hard to program truly random.

just saying if I need to make a list of 24 words for storing 1 million bucks.

 I would prefer that I used the 2 bingo machines to pick the 24 words.

[o_e_l_e_o]

No one can perfectly determine the bias on a bingo machine.

So why use it at all, when you can use a von Neumann approach to flipping a coin to have a system which provably has zero bias? Not to mention simpler and quicker as well.

First weigh every ball
Second do dozens of diameter and circumference measurements.

Obviously almost no one would actually do this, which means all your assumptions which follow of the bias being too small to make a difference are flawed. It you don't test what your bias is, then you have no idea if it is too small to make a difference.

[philipma1957]

No one can perfectly determine the bias on a bingo machine.

So why use it at all, when you can use a von Neumann approach to flipping a coin to have a system which provably has zero bias? Not to mention simpler and quicker as well.

First weigh every ball
Second do dozens of diameter and circumference measurements.

Obviously almost no one would actually do this, which means all your assumptions which follow of the bias being too small to make a difference are flawed. It you don't test what your bias is, then you have no idea if it is too small to make a difference.

so reading Neumann method for an unknown coin bias.

to get a bit of 0 or 1 means a minimum of 2 tosses of a coin

so to randomly pick from 1 to 2048 means many coin tosses . x 24

lets see if you were perfectly or magically lucky and did 2 tosses per bit

the fastest you could get a word is

24 coin flips

as

100000000000 is 2048

so it is a 12 bit number and you need at least 2 tosses to get a bit

of course you could get lots of h+h or t+t maybe it takes about 96 tosses per word.

or close to 2400 tosses but technically it would give you 1/2048 to the 24th power.

I am thinking that rolling my bingo machines a and b takes 48 minutes.

fairly easy to chart. and yeah it wont likely be 1/2048 to the 24th power but it is easier to do and while I won’t  be  as sure as tossing the unknown  coin 600 to 2400 tosses it is likely good enough.

more fun to do. and easier.

since I wont have 1000000 usd in btc anytime soon I wont worry.  and if I ever do get that much maybe i will do both just for fun.

[larry_vw_1955]

since I wont have 1000000 usd in btc anytime soon I wont worry. 

i would be more worried if i generated entropy using a computer and put that much money into the wallet then if i did it with a bingo machine...that's just me though. i'm sure your bingo machine method is solid enough to handle that type of cash.

[o_e_l_e_o]

of course you could get lots of h+h or t+t maybe it takes about 96 tosses per word.

You don't do it per word - you do it per bit. 2 tosses per bit, and assuming a close to 50% rejection rate for a minimally biased coin, then you need on average 512 flips for a 128 bit number encoding a 12 word seed phrase.

Quicker, simpler, more secure, and provably unbiased, when compared to the bingo machine suggestion (or any other physical entropy suggestion, for that matter).

[Jon_Hodl]

I recently saw an interesting discussion about casino dice that are being used for generating seed words for Bitcoin, and someone asked a question can you really trust dice?

I had this exact same thought and until recently, I didn't really understand how dice rolls translate into a private key. After doing some research, I think I understand.

I was using both ColdCard and SeedSigner with 99 dice rolls to generate seed phrases but it just take so long to roll dice 99 times, write them all down, and enter them into both devices to verify that I get the same exact seed phrase on both devices and then write down the seed phrase.

Recently, I came across SeedSticks (https://seedsticks.org/) and that seemed like the best solution for me to be able to generate truly random seed phrases in a lot less time.

Dice are cheap and readily available and so are playing cards but I like how simple it is to just randomly pick 23 words out of a bag, calculate the final checksum word with my SeedSigner, and then have a 24-word seed phrase with all 256 bits of entropy.

I don't think I can find a faster way to securely generate a seed phrase.

[BlackHatCoiner]

I don't think I can find a faster way to securely generate a seed phrase.

I disagree. Rolling a fair dice is a tested, and peer-reviewed way of generating entropy securely. To spend less time on fairness, toss a coin, preferably using Von Neumann's trick.

On the other hand, SeedSticks is not tested nor reputable, requires you to spend an extra $120, wait for it to arrive, verify that the words you've received are the same as in BIP39 wordlist, and in the end, it introduces bias parameters such as the manner you'll pick words from the bag.

[Jon_Hodl]

I don't think I can find a faster way to securely generate a seed phrase.

I disagree. Rolling a fair dice is a tested, and peer-reviewed way of generating entropy securely. To spend less time on fairness, toss a coin, preferably using Von Neumann's trick.

Von Neumann's trick is interesting. I'll have to experiment with that. What would be required for SeedSticks to be tested and peer-reviewed?

On the other hand, SeedSticks is not tested nor reputable, requires you to spend an extra $120, wait for it to arrive, verify that the words you've received are the same as in BIP39 wordlist, and in the end, it introduces bias parameters such as the manner you'll pick words from the bag.

What makes something tested and reputable? I checked all of the words I received against the BIP 39 seed list and it's a perfect match.

I hear you on the bias but isn't there a bias with how I roll dice? Is there a Von Neumann's trick for rolling dice?

[o_e_l_e_o]

Of all the physical methods other than flipping a coin, I actually dislike this one the least. It's still not perfect, but there is far less that can go wrong with blindly picking individual words from the full list of 2048 when compared to rolling dice or shuffling cards and trying to apply conversions and entropy extraction algorithms on your output to generate secure entropy.

The biggest problems here will be human error and bias, rather than any failure of the system itself. Not shuffling well between drawing words, not returning used words to the bag, or more likely, discarding words and trying again to get something "more" random. If someone draws the same word twice in the same seed phrase, they might decide that's not random and choose a different word. Or if they draw "boss" followed by "box", again, they might decide that's not random enough. To be completely sure there is no bias you would need to weigh every single individual tile on scales accurate enough to detect milligrams (which most people don't have). And finally the cost is another issue, and $120 for something you can do for free with a coin seems unnecessary.

So not the worst solution out there, but I would still stick to flipping a coin.

I hear you on the bias but isn't there a bias with how I roll dice? Is there a Von Neumann's trick for rolling dice?

Yes, but it is significantly more complicated than when applied to a coin (and adds a significant length of time to your generation process). I've outlined it in a previous post here: https://bitcointalk.org/index.php?topic=5395587.msg61126349#msg61126349. But having said that, I think dice are a poor choice anyway (exactly because it is difficult to detect any bias), so I wouldn't recommend using this over simply flipping a coin.