Bitcoin Forum
Author Topic: How can you verify the randomness that's coming from a hardware?  (Read 1582 times)
alexeyneu
Member
Activity: 312
Merit: 30
November 07, 2022, 01:04:24 PM
 #81

we'll grab it as 23.548753℃ . what i offer is to use this 0.008753℃ . you can't predict it in any way . and you can't exploit it. At best you'll get random_num + your_num
n0nce
Hero Member
Activity: 882
Merit: 5814
not your keys, not your coins!
November 07, 2022, 08:42:40 PM
Last edit: November 07, 2022, 08:58:16 PM by n0nce
Merited by larry_vw_1955 (5), ABCbits (1)
 #82


All the information is laid out nicely here: https://betrusted.io/avalanche-noise.html
yes it is but that's a really complicated process and i wouldn't recommend anyone to try it. they might end up with something that doesn't even work right and has low entropy!  Angry
Actually it's not complicated at all. Of course your average Joe won't build his own avalanche noise PCB, but someone with electrical engineering skills should be able to whip a circuit up and order a PCB within an afternoon. It's honestly a simple circuit.

Quote
I just made a quick web search and seriously surprised that there's no ready-made PCB / DIY kit or similar, that you can plug in and get randomness e.g. through cat /dev/tty.usbrandomdevice.
probably because it is a real pain to make them and they would have to charge so much that no one would buy it they would just buy something like this: https://www.amazon.com/TrueRNG-V3-Hardware-Random-Generator/dp/B01KR2JHTA
Trust me, it's not a pain. Foundation Devices have such circuits in their hardware wallets and the USB RNG you linked to, may have the exact same thing inside it, as well.

I appreciate the open-source and verifiable avalanche noise source (actual circuit from few simple components) on the Passport hardware wallet.
And obviously the ability to import your own custom seed phrase. This allows you to generate it with dice or whatever you deem secure.

But again; these avalanche noise circuits are amazing. You can literally see them on the PCB, take an oscilloscope to it and verify that it does what it's supposed to and that there's no deterministic bullshit going on.




i heard someone made one using a geiger counter and detecting radiation. not sure how hard that is to diy. but maybe it's simpler than this zener diode thing.
Sampling radiation measurements won't be much simpler than sampling the avalanche noise source, and you'll need specialized components.

Here's actually a project of someone building a Geiger based RNG, DIY, not cheap, though. And I wouldn't vouch for its entropy; there are many steps that can go wrong and introduce bias, e.g. in the ADC.
https://www.instructables.com/Arduino-True-Random-Number-Generator/

alexeyneu
Member
Activity: 312
Merit: 30
November 07, 2022, 10:45:13 PM
 #83

24bit temp chip is on sale for $6
larry_vw_1955
Sr. Member
Activity: 1036
Merit: 351
November 08, 2022, 02:16:18 AM
 #84


Actually it's not complicated at all. Of course your average Joe won't build his own avalanche noise PCB, but someone with electrical engineering skills should be able to whip a circuit up and order a PCB within an afternoon. It's honestly a simple circuit.
I mean as far as general electronics circuits go, I guess it is simple if you compare it to something like a computer motherboard but that doesn't mean it is simple to understand how it works. And why it needs so many components to work. I didn't count them all but it looks like around 50 discrete components. I don't understand why it needs that many. I thought just one single zener diode is all you need.

Quote
Trust me, it's not a pain. Foundation Devices have such circuits in their hardware wallets and the USB RNG you linked to, may have the exact same thing inside it, as well.
I think it does:

The TrueRNG Hardware Random Number Generator uses the avalanche effect in a semiconductor junction to generate true random numbers. The avalanche effect has long been used for generation of random number / noise and is a time-tested and proven random noise source.


The cost to buy theirs would probably be less than the cost to try and make one yourself. Not only monetary cost but time costs. Thing I don't like about any of these though is how they use "whitening".

The new TrueRNG v3 algorithm uses a more advanced whitening technique to reduce the bias below levels where it can be measured reliably.

If something is truly random then it doesn't need any type of post-processing. Shouldn't need. But you don't get a choice if you use their device...

Quote
Sampling radiation measurements won't be much simpler than sampling the avalanche noise source, and you'll need specialized components.

Here's actually a project of someone building a Geiger based RNG, DIY, not cheap, though. And I wouldn't vouch for its entropy; there are many steps that can go wrong and introduce bias, e.g. in the ADC.
https://www.instructables.com/Arduino-True-Random-Number-Generator/

Low bit rate, kind of pricey setup but the theory of its operation as explained in that instructable is much simpler to understand. you don't even need uranium. just a banana or two might suffice.  Cheesy
LoyceV
Legendary
Activity: 3290
Merit: 16561
Thick-Skinned Gang Leader and Golden Feather 2021
November 08, 2022, 05:51:29 AM
 #85

we'll grab it as 23.548753℃ . what i offer is to use this 0.008753℃ . you can't predict it in any way . and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.

n0nce
Hero Member
Activity: 882
Merit: 5814
not your keys, not your coins!
November 09, 2022, 12:09:58 AM
Merited by vapourminer (1)
 #86


Actually it's not complicated at all. Of course your average Joe won't build his own avalanche noise PCB, but someone with electrical engineering skills should be able to whip a circuit up and order a PCB within an afternoon. It's honestly a simple circuit.
I mean as far as general electronics circuits go, I guess it is simple if you compare it to something like a computer motherboard but that doesn't mean it is simple to understand how it works.
It's not that easy to understand from just a PCB picture, but combining it with the schematic, it gets a lot simpler. A true open-source-hardware device provides all of those files, just like here:
https://github.com/Foundation-Devices/passport-electronics/blob/master/Main%20Board/Documentation/Schematic%20Print/SCH_FD-JL-PCB-MB_E1.PDF

And why it needs so many components to work. I didn't count them all but it looks like around 50 discrete components. I don't understand why it needs that many. I thought just one single zener diode is all you need.
Well, the zener is the core component, but you need a driver and sampling circuit around it. Did you count the components or the pads? I count roundabout 20 components (~40 pads). The design by betrusted.io even manages to work with 14 components; look how tiny it is.



Again, if you check the schematic, it's definitely much easier to understand what it's doing, especially if you have such good resources online that help you understand it as well.


Quote
Trust me, it's not a pain. Foundation Devices have such circuits in their hardware wallets and the USB RNG you linked to, may have the exact same thing inside it, as well.
I think it does:
The TrueRNG Hardware Random Number Generator uses the avalanche effect in a semiconductor junction to generate true random numbers. The avalanche effect has long been used for generation of random number / noise and is a time-tested and proven random noise source.

The cost to buy theirs would probably be less than the cost to try and make one yourself. Not only monetary cost but time costs.
That just confirms that this is a good circuit. Tongue I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
It would be good if these devices came with schematics and board files to verify the circuit more easily.
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do



we'll grab it as 23.548753℃ . what i offer is to use this 0.008753℃ . you can't predict it in any way . and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.
I believe the biggest issue with temperature is that it typically increases / decreases gradually; the sequence of numbers coming from the sensor is going to have some inherent bias because of this.

alexeyneu
Member
Activity: 312
Merit: 30
November 09, 2022, 03:17:18 PM
 #87

we'll grab it as 23.548753℃ . what i offer is to use this 0.008753℃ . you can't predict it in any way . and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.

if $6 chip claims it has this resolution means there's one that really has.

I believe the biggest issue with temperature is that it typically increases / decreases gradually; the sequence of numbers coming from the sensor is going to have some inherent bias because of this.

this thing wraps back and forth like 8bit uint . it will do so with and without this gradually thing. it should not have impact here but i can't say for sure without research
NotATether
Legendary
Activity: 1582
Merit: 6696
bitcoincleanup.com / bitmixlist.org
November 10, 2022, 03:56:13 AM
 #88

we'll grab it as 23.548753℃ . what i offer is to use this 0.008753℃ . you can't predict it in any way . and you can't exploit it.
Just because a sensor outputs 6 decimals, doesn't mean it accurately measures them. The last 5 digits could just as well be made up, and thus be predictable.

I don't know of any temperature sensor driver that exposes the temperature in fractions of a degree.

That is to say, one degree is usually the highest granularity you'll get with tools like lm-sensors and HWinfo/CPU-Z.

larry_vw_1955
Sr. Member
Activity: 1036
Merit: 351
November 11, 2022, 01:57:48 AM
Merited by vapourminer (1)
 #89

Well, the zener is the core component, but you need a driver and sampling circuit around it. Did you count the components or the pads? I count roundabout 20 components (~40 pads). The design by betrusted.io even manages to work with 14 components; look how tiny it is.
yeah that one is tiny but i'm sure if I tried to build something like that it's going to be way bigger. think breadboard size. because that's how you would have to get started is by breadboarding it up and seeing if what you constructed works and then once that passes muster, you can solder everything up. gonna be the size of 2.5 inch ssd most likely before you're over and done with it. nothing wrong with that though i guess. bonus points if i don't have to actually understand how the thing works to build it... Grin




Quote
That just confirms that this is a good circuit. Tongue
I would imagine all such usb devices use that technology in some way. They're definitely not sampling radioactive decay or something right?

Quote
I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
Because they want to be a bit cryptic about how exactly their device works. They don't want people to build one themselves necessarily. Smiley

Quote
It would be good if these devices came with schematics and board files to verify the circuit more easily.
yeah there's no way that's happening with something like TrueRNG.

Quote
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do
They don't want you doing that. No one wants someone doing that to their product? The reason is simple. if you could do that, you could just build the thing yourself. and don't need to buy it from THEM.

Plus, presumably they've put in some R and D on the thing with some tweaks to make it better than the old off the shelf github circuit to give their product a competitive advantage in the marketplace.
btc-room101
Member
Activity: 182
Merit: 30
November 12, 2022, 10:37:39 AM
Last edit: November 12, 2022, 05:02:08 PM by mprep
 #90

Been running rng on my bitcoin hacking racks for +2 years now, works great

Increased my find of lost bitcoins 2x by using real random numbers and random seeds

https://github.com/room101-dev/Grand-Ultimate-BTC-Hacker

ONERNG I paid $40 usd ebay from czech, but two years ago, but like people here are showing you can roll your own, but unless you're an electronic genius, I would spend the $40, and I'm an hw/sw scientist, so $40 is nothing



Couldn't one of all these hardware wallet companies implement something like that and steal millions of dollars worth of BTC, in just one moment? It would probably be the worst scandal of the crypto space.
Technically could, although there would be no way to prove this as far as I'm aware, so there isn't a way to verify it either. It would be a pretty sophisticated attack though, it reminds me how computer forensics would freeze computers in the past, specifically the ram in order to extract data. Also, I do believe that some programs in the past, which I can't recall right now would give you supposedly random data, i.e a password generation based on the temperature of the device, and various other things.

I'm not sure how plausible this kind of attack would be though.

In general I would always generate my own keys and NEVER use 3rd party sw, it's just too easy on linux on one command line to generate a real good key that you're certain that nobody on earth knows other than you.

But, HW random number generators have better uses than generating private keys for new wallets, the best use is as seed generators for finding ( hacking ) lost bitcoins

There are 300M used bitcoin addresses,  you put them into a 8gb bloom filter and on a GPU card you can do 1 billion cycles per second,, so that 8* 10**18 , so you want to make sure your seed is really random while on the hunt; now that is a use for hw random generators such as these devices

I'm fond of RNGONE from czech found on ebay and/or amazon back pre-CONVID

https://github.com/room101-dev/Grand-Ultimate-BTC-Hacker

[moderator's note: consecutive posts merged]
n0nce
Hero Member
Activity: 882
Merit: 5814
not your keys, not your coins!
November 12, 2022, 12:36:25 PM
Merited by vapourminer (1)
 #91

Quote
That just confirms that this is a good circuit. Tongue
I would imagine all such usb devices use that technology in some way. They're definitely not sampling radioactive decay or something right?
When ordering from Amazon, there is a lot of trash to be honest. It's possible that you get a device that just uses a rand() C function on a microcontroller or something.
Worst-case even just spitting out numbers deterministically and not uniformly random.

That's why I'd prefer to buy a device with open-source hardware.

Quote
I just wasn't aware that they're sold under the simple term 'TRNG', as I couldn't find anything when looking for 'avalanche noise circuit PCB'.
Because they want to be a bit cryptic about how exactly their device works. They don't want people to build one themselves necessarily. Smiley
You'd pay for the convenience of not spending hours on a new project and probably having to debug it as well.
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.

Quote
It would be good if these devices came with schematics and board files to verify the circuit more easily.
yeah there's no way that's happening with something like TrueRNG.

Quote
(1) Compare product to PCB files
(2) Compare PCB files to schematics
(3) Check schematics to understand what the circuit does and verify that it's what you want it to do
They don't want you doing that. No one wants someone doing that to their product? The reason is simple. if you could do that, you could just build the thing yourself. and don't need to buy it from THEM.
See my comment above. Wink

bkelly13
Member
Activity: 63
Merit: 33
November 13, 2022, 02:28:16 AM
 #92

Referring to the OP and writing from a smidgen of mathematics knowledge:
In here, talking about random, usually means a private key, 256 random bits.  Now think of them as a pattern.  a 256 bit long pattern.

Some, even many, patterns can be proven to not be random.  For example, if the bits make up the ASCII sequence "this is random" it definitely is not random.
But, it is almost impossible to prove randomness.  There may always be one more way to look at the number to find it not random.

So: As has been said, you must understand the hardware and software used to produce the number.  A difficult task.  Many have written words to the effect:  Don't try to generate a random number on your own.  It is extremely difficult.  When your number is not random, you won't know it until your coins are gone.
larry_vw_1955
Sr. Member
Activity: 1036
Merit: 351
November 13, 2022, 03:26:26 AM
 #93

When ordering from Amazon, there is a lot of trash to be honest. It's possible that you get a device that just uses a rand() C function on a microcontroller or something.
Worst-case even just spitting out numbers deterministically and not uniformly random.

Well, to be fair, I was talking about legitimate usb devices. Unlike say the flash drive market where fakes are all over the place I don't think that's the case for this type of device and the reason is simple. The market is small.


Quote
That's why I'd prefer to buy a device with open-source hardware.

then why not get the onerng. https://onerng.info/ you got something against it? seem like it checks off all your boxes. i doubt anything else comes close.

Quote
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.
never heard of foundation devices before you mentioned them. but i'd say these are the exception rather than the rule. then you have to ask yourself, why.


Quote from: bkelly13
So: As has been said, you must understand the hardware and software used to produce the number.  A difficult task.  Many have written words to the effect:  Don't try to generate a random number on your own.  It is extremely difficult.  When your number is not random, you won't know it until your coins are gone.
why would it be "extremely difficult"? give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
November 13, 2022, 07:29:06 AM
Merited by bkelly13 (1)
 #94

give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Maybe not, but that doesn't mean the string you produce will be random. Studies have consistently and repeatedly shown that humans are bad at both generating and perceiving randomness. If you say to pick a number between 1 and 10, 7 is by far the most common. If you say to write down a random series of coin flips (which is the same as writing down a binary number), we consistently avoid runs of the same result (HHH/TTT/111/000) since these are perceived as being "less likely".

A unique string is not necessarily a random string, nor is a unique string necessarily a secure string. I could generate a brain wallet using the first line of text from a Shakespearean play which had never been used before. My brain wallet might be unique, but any coins I deposit on it would likely be stolen.
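
Added example, not part of the thread: the balance (monobit) and runs checks from NIST SP 800-22 applied to two constructed 256-bit samples, relating the point above that people avoid runs to n0nce's earlier remark that a device might just call rand(). Function names and both samples are made up for illustration.

```python
import math
import random

ALPHA = 0.01  # significance level commonly used with these tests


def monobit_p(bits):
    """Frequency (monobit) test: p-value for the balance of 0s and 1s."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """Runs test: p-value for the number of runs (maximal blocks of equal bits)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # balance prerequisite not met, the runs test is not applicable
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def longest_run(bits):
    """Length of the longest block of identical consecutive bits."""
    best = cur = 1
    for a, b in zip(bits, bits[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


def run_avoiding_bits(n):
    """Constructed stand-in for a hand-written key: the Thue-Morse sequence,
    which is perfectly balanced and never repeats a bit three times in a row."""
    return [bin(i).count("1") & 1 for i in range(n)]


def seeded_prng_bits(seed, n):
    """Constructed stand-in for a 'hardware RNG' that is really a seeded
    software PRNG: every bit is reproducible by anyone who knows the seed."""
    value = random.Random(seed).getrandbits(n)
    return [int(c) for c in format(value, "0{}b".format(n))]


def assess(bits):
    """Run both checks and report whether the sample looks random to them."""
    mono, runs = monobit_p(bits), runs_p(bits)
    return {
        "monobit_p": mono,
        "runs_p": runs,
        "longest_run": longest_run(bits),
        "looks_random": mono >= ALPHA and runs >= ALPHA,
    }


if __name__ == "__main__":
    samples = (
        ("run-avoiding (constructed)", run_avoiding_bits(256)),
        ("seeded PRNG (constructed)", seeded_prng_bits(2022, 256)),
    )
    for name, bits in samples:
        print(name, assess(bits))
```

The run-avoiding sample has exactly 128 ones and still fails, because it has far more runs than 256 fair coin flips would. The seeded generator is reproducible bit for bit and is still expected to look fine to both checks, so output statistics can reject a source but cannot show that it is unpredictable.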
BlackHatCoiner (OP)
Legendary
Activity: 1498
Merit: 7294
Farewell, Leo
November 13, 2022, 07:11:00 PM
 #95

why would it be "extremely difficult"?
Because, humans aren't random number generators. What is randomness? Complete lack of determinism. If something can be accurately predicted, it's not random. A cryptographically secure random number generator comes with more unknown variables to predict, in comparison with a human brain.

give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Begin writing. What's the first binary value, and why? You might think there isn't a reason you chose 0 (e.g.) but there is quite likely a reason you don't know.

larry_vw_1955
Sr. Member
Activity: 1036
Merit: 351
November 14, 2022, 02:43:57 AM
 #96

give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Maybe not, but that doesn't mean the string you produce will be random.
it's not like a book where you just take out some sentence from it and hash it. just waiting to be discovered.

Quote
Studies have consistently and repeatedly shown that humans are bad at both generating and perceiving randomness. If you say to pick a number between 1 and 10, 7 is by far the most common.

Asking someone to pick a random number between 1 and 115792089237316195423570985008687907852837564279074904382605163141518161494337 is different than telling them to pick a number in that range that no one else would ever guess. Or be able to find. And if they did, they would lose all their money. They're going to think a bit about it before just blurting out "777777777777777777777777777777".

Quote
If you say to write down a random series of coin flips (which is the same as writing down a binary number), we consistently avoid runs of the same result (HHH/TTT/111/000) since these are perceived as being "less likely".
They are certainly less likely than HH or TT but the thing is, in some random bitcoin private key you're going to see 00000 and 11111 you might even see larger length repeats. So think about that. 000 and 111 will happen a lot.

Example (I don't know how this bitcoin private key was generated but I'm sure it was probably done using software, as most of them are):

1011100000111010000010110010011011011000111110111100001001100011101000011110011010101000001111111110101101110100111100110011010101001000011010000110100001011011110101010010000100 1100000101100110000100100111000110100010010111110111011010111011010001001100

So obviously one needs to understand a little about what is the norm. Then go from there.

Quote
A unique string is not necessarily a random string, nor is a unique string necessarily a secure string. I could generate a brain wallet using the first line of text from a Shakespearean play which had never been used before. My brain wallet might be unique, but any coins I deposit on it would likely be stolen.
But there's a difference. your unique string has been published so that anyone in the world can get a copy of it. mine wouldn't have since I just generated it out of my head.


Quote from: BlackHatCoiner
Because, humans aren't random number generators. What is randomness? Complete lack of determinism. If something can be accurately predicted, it's not random. A cryptographically secure random number generator comes with more unknown variables to predict, in comparison with a human brain.
If humans did not behave randomly (and unpredictably) then the stock market would be a science. Even with bitcoin, no one knows what the price is going to do. Why is that? because we don't know what people are going to do. their behavior is random. completely random. some of them buy, some sell. the overall result of that is anyone's guess.

Quote
Begin writing. What's the first binary value, and why? You might think there isn't a reason you chose 0 (e.g.) but there is quite likely a reason you don't know.
Well I wouldn't be able to tell you "why". There is no justification of why. it is just what I wanted it to be. At the particular moment in time. Just like all the  remaining 255 bits. There doesn't have to be a reason why. There is no way to say why. With that said, I have actually done this procedure of writing down a private key but in hex not binary. I would be confident enough to use it. Enough said. Grin
LoyceV
Legendary
Activity: 3290
Merit: 16561
Thick-Skinned Gang Leader and Golden Feather 2021
November 14, 2022, 09:59:44 AM
 #97

For example, if the bits make up the ASCII sequence "this is random" it definitely is not random.
If you generate enough random 14-character sequences, you'll find it eventually Wink

If you say to pick a number between 1 and 10, 7 is by far the most common.
These sources say 3 or 7. The interesting part is they're both prime numbers. Reddit shows 7 as a clear winner (28%).

While eating Zwartwitjes with the kids, I thought of a way to create random numbers:
Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
November 14, 2022, 10:32:53 AM
 #98

They're going to think a bit about it before just blurting out "777777777777777777777777777777".
I am making analogies, not literal comparisons, which you seem to be misunderstanding.

The point of these analogies is that human behavior is not random. You might think you are being random, but you aren't. Not truly. This has been studied and proven.

So think about that. 000 and 111 will happen a lot.
So obviously one needs to understand a little about what is the norm. Then go from there.
Which makes things even less random. Now you are thinking "I know that statistically I "should" have a run of 5 of the same at some point. I've not done that yet, so let's put that in now. Ok. Now we'll do a few much shorter runs of just 1 or 2 the same, because you probably wouldn't have 5 the same immediately followed by another 5 the same. Ok. What next?" And so on and so forth. This is not random. Not even close to it.

But there's a difference. your unique string has been published so that anyone in the world can get a copy of it. mine wouldn't have since I just generated it out of my head.
Another analogy. I'm simply saying that although you might generate a unique string that no one has generated before, it doesn't mean that string is safe or secure.

If humans did not behave randomly (and unpredictably) then the stock market would be a science. Even with bitcoin, no one knows what the price is going to do. Why is that? because we don't know what people are going to do. their behavior is random. completely random. some of them buy, some sell. the overall result of that is anyone's guess.
The final collective result of the behavior of a group of distinct and disconnected individuals is in no way comparable to a single person picking 0s and 1s.

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
FatFork
Legendary
Activity: 1582
Merit: 2584
November 14, 2022, 12:03:22 PM
 #99

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink

Yeah. From the looks of it, whites appear to outnumber blacks significantly - so it wouldn't be an effective entropy source at all.  Cheesy
I do agree with the "less boring" part, though.

n0nce
Hero Member
Activity: 882
Merit: 5814
November 14, 2022, 06:44:35 PM
Last edit: November 14, 2022, 07:28:23 PM by n0nce
 #100

Quote
That's why I'd prefer to buy a device with open-source hardware.
then why not get the onerng. https://onerng.info/ you got something against it? seem like it checks off all your boxes. i doubt anything else comes close.
That looks very good, indeed! I wasn't aware of it; might even pick one up (even though I don't need a secure RNG right now).

Quote
Trezor and Foundation Devices have shown that open-source hardware is possible without your business going down due to the bad bad DIY scene.
never heard of foundation devices before you mentioned them. but i'd say these are the exception rather than the rule. then you have to ask yourself, why.
It might be easier to make money off a closed source product in the current market, where most things are closed, too.

Fortunately, open source licenses have this clause that usually requires derivatives to be open, as well. This means if you want to use Trezor's tried and tested, ancient Bitcoin crypto library, your product (firmware at least) must be open-source too, allowing Trezor and anyone else to profit from your additions and innovations, to then further innovate themselves.

If you've never heard of Foundation Devices, you may be interested in my review of their first device; review for the latest generation is going to be posted very very soon, as well in the Hardware Wallet section.

I'd like to also mention https://betrusted.io/; they built the fully open-source Precursor so far.
Completely open-source to the very last detail.

why would it be "extremely difficult"? give me a pen and paper, i'll write down a string of 1s and 0s of length 256. i bet no one ever came up with that private key before.
Your brain won't select those 0s and 1s fully at random. It will unknowingly introduce patterns that decrease the entropy, i.e. how random your randomness really is.

Get one, write down a B or a W, eat it, get the next one. Repeat until nauseous. It's much faster than flipping a coin, and less boring Cheesy
But of course there probably isn't an even number of blacks and whites in the bag, and with each one you eat you reduce the odds of that color appearing again. So overall a bad system. Wink
You can significantly improve Loyce's system by counting and verifying an equal number of both colors (adjusting if necessary). You should also put the candies back into the bag after randomly drawing them and writing down B / W.

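The two objections raised in the posts above (unequal numbers of each color, and eating each candy instead of putting it back), worked out exactly. This is an added example, not part of any post; the bag counts are constructed, since the thread gives none, and the function names are made up for illustration.

```python
from fractions import Fraction
from math import comb, log2

def falling(x, k):
    """x * (x-1) * ... * (x-k+1); evaluates to 0 when k > x."""
    out = 1
    for i in range(k):
        out *= x - i
    return out

def sequence_prob(k, n, black, white, replace):
    """Probability of ONE specific n-letter B/W string containing k 'B's."""
    total = black + white
    if replace:  # candy goes back in the bag: draws are independent
        return Fraction(black, total) ** k * Fraction(white, total) ** (n - k)
    if n > total:
        raise ValueError("cannot eat more candies than the bag holds")
    # candy is eaten: each draw changes the odds of the next one
    return Fraction(falling(black, k) * falling(white, n - k), falling(total, n))

def entropy_bits(n, black, white, replace):
    """Return (Shannon entropy, min-entropy) in bits of the n-letter string."""
    shannon, p_max, mass = 0.0, Fraction(0), Fraction(0)
    for k in range(n + 1):
        p = sequence_prob(k, n, black, white, replace)
        if p == 0:
            continue                 # e.g. more 'B's than black candies exist
        ways = comb(n, k)            # number of strings with exactly k 'B's
        mass += ways * p
        shannon -= float(ways * p) * log2(p)
        p_max = max(p_max, p)
    assert mass == 1                 # exact check: probabilities sum to one
    return shannon, -log2(p_max)     # min-entropy is set by the likeliest string

if __name__ == "__main__":
    # Constructed bags of 20 candies; 6 black / 14 white stands in for
    # "whites appear to outnumber blacks significantly".
    cases = [
        ("6B/14W, eaten",     8, 6, 14, False),
        ("6B/14W, put back",  8, 6, 14, True),
        ("10B/10W, eaten",    8, 10, 10, False),
        ("10B/10W, put back", 8, 10, 10, True),
        ("10B/10W, eat all", 20, 10, 10, False),
    ]
    for name, n, b, w, rep in cases:
        h, h_min = entropy_bits(n, b, w, rep)
        print(f"{name:18s} {n:2d} letters: Shannon {h:6.3f}, min-entropy {h_min:6.3f} bits")
```

Only the equal-count bag with replacement yields one full bit per letter; min-entropy is the figure that matters for key material, because it measures the attacker's best single guess.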