Are dices for generating seed words fair?

[Medusah]

I do not know about you, but I believe anyone compromising these levels of randomness deserves the bitcoin.

[1714300130]

1714300130

[1714300130]

1714300130

[o_e_l_e_o]

Or is there some structure behind it on the quantum level that we just don't understand yet?

We can never prove there isn't, because you obviously cannot prove a negative. I cannot prove that all radioactive decay is not actually caused by a sentient and ominpotent Russell's teapot choosing individual atoms to decay at an instant of its choice. What we do know is that there are no experiments or indeed even mainstream interpretations of quantum physics which say that radioactive decay is anything other than random chance (bound by the half life of the particular isotope in question).

And if all of science can't predict the decay any better than random chance, then someone trying to hack in to your wallet couldn't either.

[ABCbits]

If we are collectively going to be this ridiculous about flipping a coin, then you might as well just get a Geiger counter and point it at the banana you have in your kitchen, given that radioactive decay is a truly random process.

I'd suggest using few lava lamps instead for these reasons,
1. You don't have to worry about spoiled banana.
2. Lava lamp is nice decoration for your guest room.
3. You can use your phone camera if you don't want to buy CCTV/security camera.
4. Big company such as CloudFlare already do that, https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details/.

But on serious side, /dev/urandom is more than enough.

[larry_vw_1955]

I'd suggest using few lava lamps instead for these reasons,
1. You don't have to worry about spoiled banana.
2. Lava lamp is nice decoration for your guest room.
3. You can use your phone camera if you don't want to buy CCTV/security camera.
4. Big company such as CloudFlare already do that, https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details/.

hmm i saw this story a few years ago and it didn't make any sense at all. what's so special about lava lamps? do they have some type of usb port where they're spitting our random numbers? you could literally set up a video camera at a mall and take snapshots every 10 seconds and guaranteed the images will have different hashes. same thing.

i thought maybe they were doing something more exciting with lava lamps like they had some electronic eye that counted how many blobs were in it every 20 seconds or something but no. nothing like that...

[o_e_l_e_o]

I'd suggest using few lava lamps instead for these reasons,

You don't even need to do any of that. As I discussed way back on page 2 of this thread, pointing your phone at a light source is enough to capture the shot noise, which is another truly random process and will produce truly random numbers. Here's a paper describing the process: https://arxiv.org/pdf/1405.0435.pdf

what's so special about lava lamps?

Nothing. They simple produce an ever changing picture which is impossible to predict.

[dkbit98]

I suggest everyone to watch this video made by Crypto Guide, it is very much related with this topic.
He explains how some unsecure hardware wallets (read Coldcard) are allowing owners to use weak dice method of generating seed phrases, that resulted in people losing coins.
Video is less than 10 minutes long:
https://www.youtube.com/watch?v=oj_W3xOlt6U

This doesn't mean we shouldn't use dices anymore, but we need to use them properly with high enough entropy.

[larry_vw_1955]

what's so special about lava lamps?

Nothing. They simple produce an ever changing picture which is impossible to predict.

yeah but the way of gathering entropy is kind of like cave man style. as you pointed out, just taking periodic pictures of almost ANYTHING even if nothing moves would still result in a different hash of the image. which is all they are doing anyway. if the lava lamp had some type of electronics that counted blobs per unit time and measured their sizes and velocities and turned that raw data into a binary sequence then that would be worth writing a story about. but not if they are just using lava lamps for publicity when they aren't really even needed. and they aren't as you already admitted.

[BlackHatCoiner]

Video is less than 10 minutes long:
https://www.youtube.com/watch?v=oj_W3xOlt6U

Good watch. Coldcard shouldn't allow anyone to create a wallet with just a dice roll. Or, if they really felt they want to give the option for the user to test dangerous stuff, then maybe create a security option defaulted to true. Or maybe just show a proper warning -- "Your funds aren't safe with x dice rolls, are you sure you want to continue?". Anything below 50 is insecure, because even for a completely unbiased dice, 49 rolls give less than 128 bits.

But on serious side, /dev/urandom is more than enough.

It might be more than enough in terms of entropy, but it is horrible in terms of verifiability.

[LoyceV]

It might be more than enough in terms of entropy, but it is horrible in terms of verifiability.

You can have both: just add two random numbers (and wrap around the maximum). That way you have both: one part that's more than good enough on a cryptographic level, and one part that you can verify and do whatever you want with.

Example: I want a random number from 1 to 256. I use random.org to generate 159. I flip a coin 8 times: 10111001. That's 185. Add them, and subtract 256: I get 88. As long as at least one of my 2 inputs is random, my end result is random too.

[BlackHatCoiner]

You can have both: just add two random numbers (and wrap around the maximum).

You can do a host variety of things if you're creative, but it'd be an overdose. Just toss the coin, simple and tested.

[BlackHatCoiner]

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom. Although if you mean directly check or inspect how specific data is generated while knowing exact input was used, AFAIK it's very difficult task.

I meant that you cannot be 100% certain you don't use malicious / backdoored hardware. And even if you do, it's much more difficult task than tossing a coin.

[LoyceV]

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom.

Let's be realistic: how many people actually do that? And even if you do, there's far too much software to be able to check everything.

[o_e_l_e_o]

You can have both: just add two random numbers (and wrap around the maximum).

You have to be very careful with such an approach not to introduce a modulo bias. And given most people probably don't even know what this is, I wouldn't recommend this method. A better approach would be to take two bit strings the same length as your entropy and XOR them.

But again, this is all adding needless complexity which simply increases the risk of the user doing something wrong and ending up with an insecure wallet. Just use dev/urandom. If you can't verify it and don't trust it, then flip a coin with von Neumann's. Done.

[albert0bsd]

Linux kernel is open source, people with sufficient skill and time can verify /dev/urandom.

I did it for the FreeBSD kernel and I can tell you guys that the urandom device on that system is very secure, unless you can broke any AES256 cypher text

I post something about that on twitter: https://twitter.com/albertobsd/status/918201595921403904

I haven't done that for the Linux Urandom for i think that it is very similar.

About the Linux urandom you should read this link: https://www.2uo.de/myths-about-urandom/

And here is my password generator snippet for bash

Code:

</dev/urandom tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' | head -c 40 ; echo

Here is a privatekey generator:

Code:

</dev/urandom tr -dc 'A-F0-9' | head -c 64  ; echo

Example:

[o_e_l_e_o]

And here is my password generator snippet for bash

Nice. That's almost the exact same command that I use: https://bitcointalk.org/index.php?topic=5470444.msg63006181#msg63006181

Instead of listing all the characters, you can just use [:print:] for the set of 95 printable ASCII characters, or [:graph:] to exclude space. And with a character set of either 95 or 94, then a length of 20 characters still provides more than 128 bits of entropy.

[albert0bsd]

Wow, nice to know  thank you they look more clean i am going to start to using them.

In any case it need the extra echo command to add a carriage return

A password

Code:

< /dev/urandom tr -cd "[:graph:]" | head -c 20 ; echo

A privatekey (hex upppercase)

Code:

< /dev/urandom tr -cd "A-F0-9" | head -c 64 ; echo

A privatekey (hex lowercase)

Code:

< /dev/urandom tr -cd "a-f0-9" | head -c 64 ; echo

About the amount of entropy you are right 20 characters are enough for more than 128 bits, Check:

Code:

>>> 94**20
2901062411314618233730627546741369470976
>>> 2**128
340282366920938463463374607431768211456
>>> 94**20 > 8* 2**128
True
>>> 94**20 > 9* 2**128
False

Actully  it is 8 times more than 128 bits

[BlackHatCoiner]

A privatekey

Code:

< /dev/urandom tr -cd "[:xdigit:]" | head -c 64 ; echo

Two things to be noted in here, for educational purposes.

• The maximum value for a Bitcoin private key is a little less than 2^256-1, which is the maximum number this Unix command can return. Generating a private key using a regular Unix command isn't advisable.
• This particular command can generate uppercase and lowercase hexadecimal characters. You wouldn't want to do that. You should replace "[:xdigit:]" with "0-9a-f".

[LoyceV]

A password

Code:

< /dev/urandom tr -cd "[:graph:]" | head -c 40 ; echo

Bookmarked (and edited to 40 characters in my quote). This is faster than my password manager, although I'd still need that to store it. I like shell commands

[albert0bsd]

This particular command can generate uppercase and lowercase hexadecimal characters. You wouldn't want to do that. You should replace "[:xdigit:]" with "0-9a-f".

Thank you, yes it seems a little weird, i already edited that post to add two varians "a-f0-9" lowercase and "A-F0-9" personally I preffer uppercase.

Bookmarked (and edited to 40 characters in my quote).

Yep 40 characters is my personal choice too, i never did the calculation before this post, but 40 characers are more than 256 bits, actually it is 262 bits

Code:

>>> 94**40
8416163114342587184481256383580844806830463920246539841882654902287234106392576
>>> 2**256
115792089237316195423570985008687907853269984665640564039457584007913129639936
>>> 94**40 > (2**262)
True
>>> 94**40 > (2**263)
False

[testingelcrypto]

i couldnt read all the answers and from what i read i cant still say if rolling dices is safe.

Seedsigner has that feature do you think someone who uses that for a 24 word seed with 5 dices and 1 coin like this protocol says : https://bitbox.swiss/blog/roll-the-dice-generate-your-own-seed/ gets a seed impossible to crack?