Bitcoin Forum
Author Topic: Are dices for generating seed words fair?  (Read 3343 times)
larry_vw_1955
December 07, 2022, 04:04:47 AM
 #121

Of all the physical methods other than flipping a coin, I actually dislike this one the least.
you're never going to budge off the coin flipping method. i'm surprised you even conceded this much to the seed stick method which i never heard of before but it does look quite simple.

Quote
The biggest problems here will be human error and bias, rather than any failure of the system itself. Not shuffling well between drawing words, not returning used words to the bag, or more likely, discarding words and trying again to get something "more" random.
define "shuffling well" for seedsticks

Quote
If someone draws the same word twice in the same seed phrase, they might decide that's not random and choose a different word. Or if they draw "boss" followed by "box", again, they might decide that's not random enough. To be completely sure there is no bias you would need to weigh every single individual tile on scales accurate enough to detect milligrams (which most people don't have).
that's probably going to be a problem then as most digital scales for weighing food and things might have a resolution of a single gram. but definitely not 1/1000th of a gram. that would probably cost you a lot more than the seedsticks.  Shocked

Quote
And finally the cost is another issue, and $120 for something you can do for free with a coin seems unnecessary.
in theory you could make your own seedsticks. all they are is small pieces of plastic. with words on them.

Quote
So not the worst solution out there, but I would still stick to flipping a coin.
yeah but that requires more technical expertise i would think. they have to know how to convert their entropy into a seed phrase. seed sticks do that for you. it's like the difference between getting fast food and going to the store and shopping for ingredients to prepare a meal.  Grin i guess to each their own.

o_e_l_e_o
December 07, 2022, 12:14:39 PM
 #122

you're never going to budge off the coin flipping method.
Because flipping a coin and using von Neumann's debiasing approach is the only physical method I can convince myself is both provably random and free from bias, as well as requiring no transformation or randomness extraction on the final result which could introduce new weaknesses. It is also simple and quick.

define "shuffling well" for seedsticks
Exactly. Difficult to do, and therefore difficult to ensure is not biased.

yeah but that requires more technical expertise i would think. they have to know how to convert their entropy into a seed phrase.
It's a simple look up table from number to word. The complicated bit is calculating the checksum, but that is the same for any physical method, seedsticks included.
larry_vw_1955
December 08, 2022, 05:20:34 AM
Last edit: December 08, 2022, 05:35:39 AM by larry_vw_1955
Merited by o_e_l_e_o (4)
 #123

you're never going to budge off the coin flipping method.
Because flipping a coin and using von Neumann's debiasing approach is the only physical method I can convince myself is both provably random and free from bias, as well as requiring no transformation or randomness extraction on the final result which could introduce new weaknesses.
you've updated your boilerplate statement to indict some of the other forms of generating a seed phrase mechanically. you do that when you throw in the term "requiring no transformation or randomness extraction". using sha256 to extract randomness from a card deck is one thing but when you have something more pure than that then that's another.

Quote
It is also simple and quick.
In concept it is very simple. The simplest way there is to generate a 256-bit number. The problem is, it is not quick. Even if you don't use the von Neumann trick. It still is flipping a coin 256 times. that's not quick. Only geeks and nerds probably ever did that.  Shocked Everyone else just uses an app.

Can it be made quicker? Sure. Get 256 coins and flip them all at the same time. But you still have to record every single one of them. that's what takes the most time no matter which way you do it. But I know you would never agree to doing it this way. not ever.



define "shuffling well" for seedsticks
Quote
Exactly. Difficult to do, and therefore difficult to ensure is not biased.
but don't you think that method has merits? for people that can't use a computer it's the only way.



Quote
It's a simple look up table from number to word.
From decimal number to word. somehow you have to convert your 11-bit numbers into decimal though. that seems like a potential source for errors to happen.
Quote
The complicated bit is calculating the checksum, but that is the same for any physical method, seedsticks included.
yeah but it's simpler than trying to convert 11-bit binary numbers into decimal so you can then look them up on the word list.

Also, i'm sure you're going to say there are bip39 wordlists that convert binary 11-bit numbers into words. maybe there are but even that is fraught with potential errors since you have to compare 11 bits very carefully. chances of error are high when you go to try and match things up. thus seedsticks.  Grin

now if you can come up with a mechanical way to get the final checksum word then you are good to go.


LoyceV
December 08, 2022, 07:53:12 AM
 #124

Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
That doesn't work, it makes the order in which you pick the coins up a factor that can be biased.
Also: who has 256 coins nowadays?

o_e_l_e_o
December 08, 2022, 08:32:36 AM
 #125

you've updated your boilerplate statement to indict some of the other forms of generating a seed phrase mechanically. you do that when you throw in the term "requiring no transformation or randomness extraction".
I've not changed my stance and I've been pretty explicit since the first page of this thread on this topic:
How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?
Taking a non-binary output (such as dice rolls or the order of a deck of cards) and transforming it in to a binary string to use as a private key is not a benign process. And as I've also said before in this thread, there is a whole field of study on randomness extraction, on which I am by no means an expert, but I know enough to know that someone who does not understand it will almost certainly mess up in a way they don't even comprehend. Therefore, it is a bad choice.

The problem is, it is not quick.
Can be done in half an hour. That's pretty quick in the grand scheme of things. How many hours have we spent discussing it? Tongue

But I know you would never agree to doing it this way. not ever.
Correct. Because it is biased.

Also, i'm sure you're going to say there are bip39 wordlists that convert binary 11-bit numbers into words.
Correct. Cheesy https://github.com/hatgit/BIP39-wordlist-printable-en. Bonus with this one is that it includes decimal as well. So you can convert your binary to decimal, look up the decimal word, and then check the binary decoding against your original binary to ensure you have not made any mistakes.
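
Added example (not posted by anyone in this thread): the coin-flip procedure discussed above, end to end. It applies von Neumann debiasing to recorded flips, appends the BIP39 checksum, splits the result into 11-bit groups, and performs the binary-to-decimal cross-check described in the post. The function names, the H/T input format and the sample flips are assumptions made for illustration; indices are zero-based positions in the BIP39 English list, so a printed list numbered from 1 needs +1.

```python
import hashlib

# Constructed sample: 900 recorded flips in a fixed pattern so the example is
# reproducible. It is NOT random and must never be used for a real wallet.
SAMPLE_FLIPS = "HTTHHHTHTT" * 90


def von_neumann(flips):
    """Debias 'H'/'T' flips: read non-overlapping pairs, keep the first flip
    of each unequal pair (H=1, T=0), discard HH and TT."""
    if set(flips) - {"H", "T"}:
        raise ValueError("flips must contain only 'H' and 'T'")
    bits = []
    for i in range(0, len(flips) - 1, 2):  # a trailing unpaired flip is ignored
        first, second = flips[i], flips[i + 1]
        if first != second:
            bits.append(1 if first == "H" else 0)
    return bits


def debiased_entropy(flips, need=256):
    """Return the first `need` debiased bits, or fail loudly if the recorded
    flips did not yield enough (about 4 flips per bit for a fair coin)."""
    bits = von_neumann(flips)
    if len(bits) < need:
        raise ValueError(f"only {len(bits)} debiased bits, need {need}: keep flipping")
    return bits[:need]


def bip39_groups(bits):
    """Entropy bits -> list of (11-bit string, decimal index), checksum included.

    BIP39 appends the first ENT/32 bits of SHA-256(entropy), so 256 bits of
    entropy get an 8-bit checksum and become 24 groups of 11 bits.
    """
    ent = len(bits)
    if ent not in (128, 160, 192, 224, 256) or any(b not in (0, 1) for b in bits):
        raise ValueError("entropy must be 128-256 bits (multiple of 32) of 0/1")
    bitstr = "".join(str(b) for b in bits)
    entropy = int(bitstr, 2).to_bytes(ent // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    digest_bits = format(int.from_bytes(digest, "big"), "0256b")
    full = bitstr + digest_bits[: ent // 32]
    return [(full[i:i + 11], int(full[i:i + 11], 2)) for i in range(0, len(full), 11)]


def cross_check(rows):
    """The check from the post: decode each decimal index back to 11 bits and
    compare it with the binary that was originally written down."""
    return all(format(index, "011b") == group for group, index in rows)


if __name__ == "__main__":
    rows = bip39_groups(debiased_entropy(SAMPLE_FLIPS))
    assert cross_check(rows)
    for n, (group, index) in enumerate(rows, 1):
        print(f"word {n:2d}: {group} -> index {index}")
```

Only the last group depends on SHA-256; every other word is a direct lookup of the recorded bits.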
larry_vw_1955
December 09, 2022, 05:00:01 AM
 #126

Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
That doesn't work, it makes the order in which you pick the coins up a factor that can be biased.
who said anything about picking them up?

Quote
Also: who has 256 coins nowadays?
who has 50 dice?

I've not changed my stance and I've been pretty explicit since the first page of this thread on this topic:
How can you be sure whatever randomness extraction algorithm you choose won't amplify your weak entropy?
ok fair enough, i went back and saw you were talking about that before we got into talking about the bingo machine method.

Quote
Taking a non-binary output (such as dice rolls or the order of a deck of cards) and transforming it in to a binary string to use as a private key is not a benign process.
i would say that's a vast generalization to make based on just one particular "transformation" which apparently you are referring to using SHA-256 as the transformation in that thread. Well, no one understands how well sha-256 works as a transformation to extract entropy. That's kind of one of those things where you "hope and pray" it does well enough. there's no reason to think that it wouldn't though. but from a purist perspective or a cryptographer's perspective, it probably would not pass muster.

Quote
And as I've also said before in this thread, there is a whole field of study on randomness extraction, on which I am by no means an expert, but I know enough to know that someone who does not understand it will almost certainly mess up in a way they don't even comprehend. Therefore, it is a bad choice.
For me, if I understand the mathematics behind how something works, I don't feel that I need a rubber stamp of approval from some so-called expert in the field. They aren't going to understand anymore about it than I do, most likely. Since if I took the time to study it and program it and understand how it works from the bottom up, they haven't even taken the time to do that, why would I need to listen to someone like that? I'm very capable of forming my own conclusions about the security of the particular transformation.

Now, I don't mess with things I don't fully understand though. Thus why I shy away from using something such as SHA256 to extract entropy. There is something better. I don't make conclusions about things I don't understand.

 
BlackHatCoiner
December 09, 2022, 03:49:16 PM
 #127

Can it be made quicker? Sure. Get 256 coins and flip them all at the same time.
How can you flip 256 coins at the same time? And why?

Only geeks and nerds probably ever did that.
The topic of this discussion isn't whom these methods are addressed to. It's what the tradeoffs are. For the average Joe who wants self-custody and has no technical competence in the field, maybe his best course is to just buy a hardware wallet.

larry_vw_1955
December 10, 2022, 12:11:46 AM
 #128

How can you flip 256 coins at the same time? And why?
I'll answer the 2nd question for you. to save time.
o_e_l_e_o
December 10, 2022, 01:00:46 PM
 #129

who said anything about picking them up?
Or the order you read them and record the result. Same result - you introduce a bias.

Well, no one understands how well sha-256 works as a transformation to extract entropy. That's kind of one of those things where you "hope and pray" it does well enough.
I'm sure there are people out there who do, but I am not one of them. And I'm afraid I'm not willing to risk the security of my coins on a hope and a prayer.

I have methods which I know are secure. Why on Earth would I use something I hope is secure instead?
larry_vw_1955
December 11, 2022, 02:32:22 AM
 #130

who said anything about picking them up?
Or the order you read them and record the result. Same result - you introduce a bias.
well if you take 50 dice, and arrange them in a 5x10 rectangle, you don't have to visually look at them to do that necessarily. but i know you're still going to argue that there is bias and some dice might go into a certain position more often than they go into other positions. you got me in an unwinning situation there.  Cry

Quote
I'm sure there are people out there who do, but I am not one of them. And I'm afraid I'm not willing to risk the security of my coins on a hope and a prayer.

I have methods which I know are secure. Why on Earth would I use something I hope is secure instead?
that's why i wouldn't want to use sha-256 to get the entropy out of a deck of cards. if sha-256 is a one-to-one function then i would say it is probably a suitable thing to use for entropy extraction of a deck of cards. if it's not a one-to-one function then it probably is not ideal and i would prefer instead to use something that is one-to-one. when we talk about one-to-one, obviously it is not one-to-one for an unlimited domain size but if we restrict to say a set of size 52! = 80658175170943878571660636856403766975289505440883277824000000000000 then it is an open question. so maybe not the best way of extracting or transforming entropy. and for that matter as i think you may have pointed out in the past, 52! is rather small in comparison to the entire universe of possible bitcoin private keys so there's that too, but that can be overcome i believe.  Wink

o_e_l_e_o
December 11, 2022, 08:47:41 AM
 #131

and arrange them in a 5x10 rectangle, you don't have to visually look at them to do that necessarily.
But as you correctly predicted, I'll point out that it requires you to manually arrange them, which will not be a random process, regardless of how random you think you are being. Anything which introduces a human choice introduces a subconscious bias.

obviously it is not one-to-one for an unlimited domain size
Just to be pedantic, but the domain isn't quite unlimited - it is any string up to length 2^64 - 1 bits, which is any string up to 2 million terabytes in length.

but if we restrict to say a set of size 52! = 80658175170943878571660636856403766975289505440883277824000000000000 then it is an open question.
And impossible to answer without cycling through the entire set of possible inputs, which is similarly impossible.
larry_vw_1955
December 12, 2022, 02:40:34 AM
 #132

But as you correctly predicted, I'll point out that it requires you to manually arrange them, which will not be a random process, regardless of how random you think you are being. Anything which introduces a human choice introduces a subconscious bias.
i would think the arrangement of them is similar to shuffling a card deck but if you don't think it's possible to shuffle a card deck by hand then I don't guess I could convince you it is possible with dice either. but i've done it and it seemed pretty random to me.  Grin me personally i'm not concerned that there is some large bias that would cause an issue in that process, having done it quite a large number of times in fact in the past. but i know that doesn't convince you of anything...

Quote
Just to be pedantic, but the domain isn't quite unlimited - it is any string up to length 2^64 - 1 bits, which is any string up to 2 million terabytes in length.
right. the number of possible strings like that is mind boggling.

Quote
And impossible to answer without cycling through the entire set of possible inputs, which is similarly impossible.
we don't have to worry about that answer if we avoid using SHA-256 to extract the entropy from some permutation of objects such as a card deck. SHA-256 is a really complicated way of doing something simple in that instance... Shocked

o_e_l_e_o
December 12, 2022, 11:06:07 AM
 #133

i would think the arrangement of them is similar to shuffling a card deck but if you don't think its possible to shuffle a card deck by hand then I don't guess I could convince you it is possible with dice either.
It is of course possible to shuffle a deck of cards by hand, but the difference here is that you aren't looking at the cards as you do it. Once you've already rolled the dice and can see the results, then ordering them manually can introduce bias. Maybe you don't arrange four 5s in a row because that isn't random enough.

SHA-256 is a really complicated way of doing something simple in that instance...
That's the point I'm making though - turning an arrangement of a deck of cards in to a binary string is not something that is trivial. It is very possible that your method of randomness extraction does not result in a completely secure result.
larry_vw_1955
December 13, 2022, 05:21:42 AM
Merited by o_e_l_e_o (4)
 #134


It is of course possible to shuffle a deck of cards by hand, but the difference here is that you aren't looking at the cards as you do it.
I'm not looking at each individual die either while I'm arranging them into the grid.

Quote
Once you've already rolled the dice and can see the results, then ordering them manually can introduce bias.
i don't inspect the results. i only inspect them after they are already in the grid. and i don't make any changes. no matter what.

Quote
Maybe you don't arrange four 5s in a row because that isn't random enough.
not how it works.  Grin

Quote
That's the point I'm making though - turning an arrangement of a deck of cards in to a binary string is not something that is trivial.
it is a solved problem. and easily understandable. it's way simpler than converting a bitcoin private key into a public key. just for comparison's sake.

Quote
It is very possible that your method of randomness extraction does not result in a completely secure result.

it's not rocket science. it's pretty much just basic math. anyone can understand it who wants to. for the purposes of analyzing the "security" as you seem to be so worried about, I would submit that one does not  even need to know anything about how the one-to-one function works (i.e., its internals). So if you don't like my particular one-to-one function that I'm using you can invent your own. And yours will be just as strong as mine. Same security guarantee. It is secure simply by that fact that it is one-to-one on a large enough set aka 52! or even higher if you like. A set which cannot be brute forced through. And that's the end of that story.
o_e_l_e_o
December 13, 2022, 08:27:47 AM
 #135

Maybe if you were to wear a blindfold when arranging the dice in the grid you could convince me you have not introduced a bias, but otherwise you have. You may think you haven't, you may think you aren't paying attention to the numbers on the dice, you may think you are being totally random, but you aren't, because humans can't be. And we both know that many people if told to wear a blindfold to arrange the dice would just skip that step, thinking it was a waste of time because they are sure they are being random (just as you are), when they aren't.

I would submit that one does not  even need to know anything about how the one-to-one function works (i.e., its internals).
And I would counter that there is no way I personally will be using a process I know nothing about to generate my private keys. But YMMV.

So if you don't like my particular one-to-one function that I'm using you can invent your own.
I already have a perfect one - flipping a coin. The outcomes of 256 fair flips are perfectly and provably matched one-to-one with the set of 256 bit numbers. Tongue
larry_vw_1955
December 14, 2022, 02:24:27 AM
 #136

Maybe if you were to wear a blindfold when arranging the dice in the grid you could convince me you have not introduced a bias, but otherwise you have.
ok well i know i can do it wearing a blindfold. the grid might not be 5x10 it might be some other size to make it easier to do but i know i don't need to look at them.
 
Quote
You may think you haven't, you may think you aren't paying attention to the numbers on the dice, you may think you are being totally random, but you aren't, because humans can't be.
for my process, it happens very fast. the entire procedure is only about maybe 15 seconds so there's really no way to be examining each individual number on each die. maybe i see 3 or 4 of them and put them into place manually but that's about it.

Quote
And we both know that many people if told to wear a blindfold to arrange the dice would just skip that step, thinking it was a waste of time because they are sure they are being random (just as you are), when they aren't.
i think it's a waste of time but i'm willing to do it anyway once just so i can see if it makes any difference but i know it won't. Grin because i'm already close to being at that point anyway.

Quote
And I would counter that there is no way I personally will be using a process I know nothing about to generate my private keys.
i told you some good news though. you don't need to understand how a one-to-one function works to have a security guarantee from it. that's good news right?  Smiley

Quote
But YMMV.
you think my mileage varies in that regard? that's disappointing to me. because i'm really particular about what kind of tool i would trust. hint: it needs to be something i created or programmed or whatnot. not just gonna go and generate a private key on my android phone and throw some bitcoin in it.


Quote
I already have a perfect one - flipping a coin. The outcomes of 256 fair flips are perfectly and provably matched one-to-one with the set of 256 bit numbers. Tongue
yes you do have a perfect one-to-one function there. the problem is it can't work with the type of things mine does. like bingo balls or card decks or anything where you have a set of objects which you are permuting. mine on the other hand is transferrable over to being able to map flips of a coin 256 times into bitcoin private keys. (not that i would be particularly interested in using it for that but i could!) Cheesy actually i'm not sure about that last statement. i'll have to think about how i would go about that process...

the point being though that permuting a group of objects is fast while flipping coins is slow. the tech to convert each process's raw entropy into a private key is different. i would say the former is more powerful. but indeed as you have mentioned if you want to guarantee no bias then yours is the gold standard. maybe we can leave it at that.
o_e_l_e_o
December 14, 2022, 09:27:25 AM
Merited by BlackHatCoiner (2)
 #137

maybe we can leave it at that.
Yeah, I think we are going to have to simply agree to disagree on this one. You will never convince me that any process which requires human selection or ordering will generate truly random entropy (because humans cannot be truly random), and I will never advocate using a system like bingo balls which has an unmeasured bias and requires unnecessary transformation of the final result. If you want to use a physical method to generate a seed phrase or private key, flip a coin. If you don't, use /dev/urandom. Making it more complicated than this is just introducing errors and biases which don't need to be there.
TalkativeCoin
December 14, 2022, 05:23:50 PM
 #138

I would say that using dice to generate seed words can be considered fair, as long as the dice are rolled properly and the numbers are generated randomly. However, it is important to note that the quality of the randomness of the seed words will ultimately depend on the quality of the random number generator that is used. Therefore, I always recommend at least using a high-quality random number generator in order to ensure the security of your seed words.
BlackHatCoiner
December 14, 2022, 06:10:06 PM
 #139

[...]
Topic aside, but answer me this question of mine: why do you want to mess with unreliable, untested, and hard to test methods for generating entropy, when there are already tested, reviewed and comparably faster methods to do it already? I mean, let me emphasize: this number you're generating isn't going to keep some conversation with your friends, or perhaps even some nude photos secret. We're talking about property here. Real, hard money. Why do you want to play with the security of your property?

It's like making up your own door with your own lock, because you think you've thought of something that lock experts (which have spent about decades of studying more than you), haven't thought before. And it's even worse, because we all know that stuff such as math, cryptography etc. are more abstract, and require more dedication than a lock design.

larry_vw_1955
December 15, 2022, 02:35:56 AM
 #140


Yeah, I think we are going to have to simply agree to disagree on this one. You will never convince me that any process which requires human selection or ordering will generate truly random entropy (because humans cannot be truly random), and I will never advocate using a system like bingo balls which has an unmeasured bias and requires unnecessary transformation of the final result.

we measure the bias every time we do another trial run and compare the output to previous ones. is it a long and arduous, tedious process? yes. is it worth it? sure. it's always worth it to do something no one else has ever done. you make some valid points but you're very pessimistic about my method. don't you think that it is not unreasonable to want to be able to extract entropy from a set of identical objects (aka, bingo balls or cards in a card deck) when they are ordered in a randomized fashion without having to resort to a function like sha-256 which is not known to be 1-1? please answer yes. but i know you won't.

Quote
If you want to use a physical method to generate a seed phrase or private key, flip a coin. If you don't, use /dev/urandom. Making it more complicated than this is just introducing errors and biases which don't need to be there.
I don't want to do things other people have already done necessarily. I mean not that I haven't done them, because I have. But I wanted to do something more than that. Something no one ever did. So I treated it like a challenge. Something to overcome if I ran into any obstacles. I embrace those kinds of challenges though. For example, a bingo ball cage is 75 balls. 75! is way bigger than the number of bitcoin private keys. How do we deal with that issue? How do we ensure when dealing with that issue that we aren't introducing any significant bias? You don't think I've considered these questions? Well let me tell you, I have. I'm not just some idiot that doesn't think things through and trusts what other people say. I trust what I can prove.

Quote
Topic aside, but answer me this question of mine: why do you want to mess with unreliable, untested, and hard to test methods for generating entropy, when there are already tested, reviewed and comparably faster methods to do it already? I mean, let me emphasize: this number you're generating isn't going to keep some conversation with your friends, or perhaps even some nude photos secret. We're talking about property here. Real, hard money. Why do you want to play with the security of your property?

It's like making up your own door with your own lock, because you think you've thought of something that lock experts (which have spent about decades of studying more than you), haven't thought before. And it's even worse, because we all know that stuff such as math, cryptography etc. are more abstract, and require more dedication than a lock design
i didn't invent the technology but i applied it to a bingo ball machine.  Grin
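
Added example (not from any poster; larry_vw_1955 does not disclose his function in this thread): one standard one-to-one map from an ordering of n distinct objects to an integer in [0, n!), the Lehmer code, relevant to the 52! and 75! figures in posts #134 and #140. It verifies the bijection exhaustively for small n, compares 52! and 75! with 2^256, and bounds the imbalance from reducing a 75-object rank modulo 2^256, which is one conventional option assumed here for illustration. All function names are hypothetical.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial


def rank(perm):
    """Lehmer rank: map an ordering of 0..n-1 to a unique integer in [0, n!).

    Being a bijection, it neither adds nor removes bias: a skewed shuffle
    produces equally skewed integers.
    """
    n = len(perm)
    if sorted(perm) != list(range(n)):
        raise ValueError("expected each of 0..n-1 exactly once")
    remaining = list(range(n))
    r = 0
    for i, item in enumerate(perm):
        pos = remaining.index(item)   # digit in base (n - i)
        r = r * (n - i) + pos         # Horner evaluation, factorial number system
        remaining.pop(pos)
    return r


def unrank(r, n):
    """Inverse of rank(): recover the ordering from its integer."""
    if not 0 <= r < factorial(n):
        raise ValueError("rank out of range for n objects")
    digits = []
    for base in range(1, n + 1):      # least significant digit first
        r, d = divmod(r, base)
        digits.append(d)
    remaining = list(range(n))
    return [remaining.pop(d) for d in reversed(digits)]


def is_bijection(n):
    """Exhaustive check, feasible only for small n: every ordering gets a
    distinct rank, the ranks cover [0, n!), and unrank() inverts rank()."""
    ranks = {rank(list(p)) for p in permutations(range(n))}
    return ranks == set(range(factorial(n))) and all(
        rank(unrank(r, n)) == r for r in ranks
    )


def capacity_bits(n):
    """Whole bits a uniformly random ordering of n objects can supply."""
    return factorial(n).bit_length() - 1


def reduction_imbalance(n, bits=256):
    """If a uniform rank in [0, n!) is reduced mod 2**bits, each output has
    q or q+1 preimages with q = n! // 2**bits. Returns the relative excess
    1/q of the likelier outputs (0 if n! is an exact multiple)."""
    q, rem = divmod(factorial(n), 1 << bits)
    if q == 0:
        raise ValueError("n! is smaller than 2**bits: nothing to reduce")
    return Fraction(0) if rem == 0 else Fraction(1, q)


if __name__ == "__main__":
    print("bijection on 6 objects:", is_bijection(6))
    print("52 cards supply", capacity_bits(52), "whole bits (< 256)")
    print("75 balls supply", capacity_bits(75), "whole bits (> 256)")
    print("75! mod 2^256 imbalance below 2^-107:",
          reduction_imbalance(75) < Fraction(1, 2 ** 107))
```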