SeedSigner: Review

[n0nce]

I can change it whenever I want, but I don't want to wait 2+ weeks again nor to pay 20+ EUR for a case. The one I have does the job nevertheless. No, I don't have a 3D printer.

Dude, you can print the case anywhere you want in your local area for few bucks 
I am sure you can find bunch of ads from people and services who are offering 3d printing services, most I know are 3d designers or just owners of 3d printers.
They don't even know what they are printing when I order it from them, it's dirt cheap and I don't have to wait more than few hours or a day for delivery.

BlackHatCoiner, I don't know where you're located, but I can print something like this for free for you mate.

Even made a topic about this after joining the forum. I don't operate the machines anymore lately, but I can fire them up if needed.

[...]

It's simple math, and if you are not mathematician you can't understand it easily.
Companies wouldn't waste millions of dollars to achieve true randomness if gameboy, nintendo or raspberry pi was able to achieve this.
Research this subject deeper to understand it better, key point is if something can be reproduced or not.

Actually it seems he did his research and apparently the Linux kernel does use external sources of entropy nowadays; which would mean the gap between PRNG and TRNG is closing a bit.

But when you get into very large or very small numbers (or probabilities in this case), they get extremely hard to imagine.
I like these types of videos to better envision them:
https://www.youtube.com/watch?v=tnIFQIu3tZ0

A little off-topic, but this one is about the security of 256-bit:
https://www.youtube.com/watch?v=S9JGmA5_unY

And of course the well-known dyson sphere infographic:


What I'm trying to say is that in the field of such large / small numbers, even pretty large factors may not make a large practical difference.
For example, an entropy multiple orders of magnitude worse than another one, can be practically just as secure, while mathematically and information-theoretically being a lot worse.

That's why sometimes (also in this thread) statements are made about software randomness being 'very bad entropy' or similar, even though it may still be totally viable for many applications. It's just 'terrible' in information theory / maths realms.

[1714262041]

1714262041

[1714262041]

1714262041

[1714262041]

1714262041

[1714262041]

1714262041

[1714262041]

1714262041

[BlackHatCoiner]

BlackHatCoiner, I don't know where you're located, but I can print something like this for free for you mate.

Dear lord, I had forgotten to respond to this kind offer... I've already used to the orange pill now, but thanks! 


So, apparently, the dice results aren't calculated as I thought, with 1.66 bits in each roll.

One thing I also don't understand is how the rolls are 50/99 exactly. Doesn't each give 1.66 bits of entropy on average? 

Instead, they choose to SHA256 the result, which looks like "25516341...", and then convert the hash to mnemonic. At least that's what I understand from their source code. So, 50 rolls, if the dice is fair, provide 6^50 bits of security*, which is about 3 times 2^128. However, because I'm completely paranoid when it comes to dice fairness, I've chosen to roll it 99 times. Just in case.

*An ECDSA private key provides 128 bit security, though.

[BlackHatCoiner]

Bump.

Fixed dead images using Talkimg.

[BlackHatCoiner]

Important updates.

As of writing this, v0.7.0 is released.

- You can now verify addresses[1][2]. That solves the security problem of an attacker compromising your watch-only wallet and replacing your addresses with theirs, and tricking you into believing you own bitcoin that you actually don't. Now that is impossible if you verify the address with your seed signer right before you request receiving bitcoin.
- You can now sign messages[3][4][5]. Same as with unsigned transactions, you can request from a supported wallet software (e.g., Sparrow) to sign a message by scanning and displaying QR codes.
- SeedSigner is reproducible[6].
- Booting takes about 12 seconds to finish, which is about 66% less than in v0.5.0.

And other highlighted in their repository.

[1] https://talkimg.com/images/2024/01/29/kcbbN.png
[2] https://talkimg.com/images/2024/01/29/kcDSa.png
[3] https://talkimg.com/images/2024/01/29/kcOso.png
[4] https://talkimg.com/images/2024/01/29/kcW9T.png
[5] https://talkimg.com/images/2024/01/29/kcqal.png
[6] https://github.com/SeedSigner/seedsigner/releases/

[dkbit98]

If you like what SeedSigner is doing than you are going to love the new premium version enclosure made from high quality aluminum metal.
There are several websites already offering this product as a separate enclosure only for €69, or as a prebuilt version for €150, and there are a bunch of colors to choose from.
I just love how cool it looks with milled, sandblasted and anodized aluminum case.


https://www.gobrrr.me/product/seedsigner-aludiy/
https://vulcan21.com/product/seedsigner-premium-orange/
https://xmrstreet.store/product/monerosigner/
https://btc-hardware-solutions.square.site/product/premium-milled-aluminum-seedsigner/20?cs=true&cst=custom

PS
Seedsigner devs are also working on payjoin implementation for more privacy, and other code improvements.

[Tibu]

Now imagine using a Seedsigner in combinaison with a Seedkeeper to safeguard your seedphrase in a secure element...

[dkbit98]

Now imagine using a Seedsigner in combinaison with a Seedkeeper to safeguard your seedphrase in a secure element...

You can if you are brilliant like Crypto Guide  
He didn't post anything for more than a month, so I am sure he is working on something new to release in public.
One of the rear crypto guys you can follow on youtube this days:
https://youtu.be/NTdiji9KpRE

[apogio]

Brilliant guide BlackHatCoiner. I have also tried to assemble a SeedSigner in the past. Suddenly the camera stopped working and I had it changed.

I like SeedSigner because in general I like DIY stuff. However, I dislike the "enter your own randomness" idea. Therefore I don't really use it.

But SeedSigner had all the small conveniences I wanted. Like the fact that you can easily scan a QR code to load the wallet (I think Jade has this feature too).

Nevertheless, I have a question and I have also thought about it. Do you believe it would be a good idea to slightly change the code to generate entropy using some CSPRNG source? It's still too abstract in my mind, but perhaps you have thought about it too. I mean since the code is open-source. I have recently written this script: https://bitcointalk.org/index.php?topic=5483173.0 which uses /dev/urandom to generate entropy. It doesn't do anything too fancy, but perhaps we could incorporate something similar to the Seed Signer. Perhaps...

[BlackHatCoiner]

However, I dislike the "enter your own randomness" idea. Therefore I don't really use it.

I disregard the "take a seed picture" for generating entropy too. However, using coin / dice results as the entropy is the single most provable way to generate randomness. I agree that /dev/urandom is sufficient for the most part, but not for the paranoid (AKA, those who don't trust their device).

Do you believe it would be a good idea to slightly change the code to generate entropy using some CSPRNG source?

Raspberry Pi zero isn't designed to run Linux, as far as I'm concerned. It has 512 MB RAM, and almost all distros I know require more than that. How do you suggest we utilize such a source without having e.g., /dev/urandom?

[apogio]

Raspberry Pi zero isn't designed to run Linux, as far as I'm concerned. It has 512 MB RAM, and almost all distros I know require more than that. How do you suggest we utilize such a source without having e.g., /dev/urandom?

You can install Linux on RPi Zero 2W which is the model I have. I have installed Raspbian Lite. The problem with it, is that it supports WiFi, which is a problem. Anyway, SeedSigner is an OS, so we need to go deep into its code to check if we can use something like /dev/urandom. If SeedSigner is like a linux distribution, it could be possible, but I seriously have no idea if it is doable.

[BlackHatCoiner]

You can install Linux on RPi Zero 2W which is the model I have. I have installed Raspbian Lite.

It is odd, though, because Raspbian Lite OS requires 520 MB of RAM, whereas Pi zero can handle up to 512 MB. Am I missing anything?

Anyway, SeedSigner is an OS, so we need to go deep into its code to check if we can use something like /dev/urandom. If SeedSigner is like a linux distribution, it could be possible, but I seriously have no idea if it is doable.

It is not a Linux distro. How do I know? Hint: 99.9% of the code is written in Python! 

Anyways, I don't believe that users should put trust on a CSPRNG that is not tested enough (as we wouldn't go with /dev/urandom). Besides, the spirit of the project is to trust none, including your RNG! 

[apogio]

It is odd, though, because Raspbian Lite OS requires 520 MB of RAM, whereas Pi zero can handle up to 512 MB. Am I missing anything?

No you are not missing anything. It just works I can't do anything with it though, so I abandonned it.

By the way, I just checked, because I also found it curious, I run the legacy version which requires 363MB.

It is not a Linux distro. How do I know? Hint: 99.9% of the code is written in Python!  

Anyways, I don't believe that users should put trust on a CSPRNG that is not tested enough (as we wouldn't go with /dev/urandom). Besides, the spirit of the project is to trust none, including your RNG!  

Sounds like a rational explanation. Sounds like I should abandon the idea. Consider it a bad idea, or better, a not valid idea.

Anyway, thanks again for the guide / review. It was helpful.

[NeuroticFish]

You can install Linux on RPi Zero 2W which is the model I have. I have installed Raspbian Lite.

It is odd, though, because Raspbian Lite OS requires 520 MB of RAM, whereas Pi zero can handle up to 512 MB. Am I missing anything?

Is it me or you compare the disk (card) size the OS image file with the device's RAM capacity?
From the image file at the end more space will be occupied and also you don't have to keep all the OS files in RAM in the same time, right?

[BlackHatCoiner]

Is it me or you compare the disk (card) size the OS image file with the device's RAM capacity?

My bad! It doesn't have a RAM requirement, so it probably works with all models as displayed.

[dkbit98]

I disregard the "take a seed picture" for generating entropy too. However, using coin / dice results as the entropy is the single most provable way to generate randomness. I agree that /dev/urandom is sufficient for the most part, but not for the paranoid (AKA, those who don't trust their device).

Be careful with that, or you'll end up like coldcard user who used their dice generation feature with weak entropy and lost all his coins.  
Same could be said for any generation that is not true random, and that means that it can be reproduced and cracked much easier.

Raspberry Pi zero isn't designed to run Linux, as far as I'm concerned.

As far as I know RaspberryOS aka Raspbian is literally based on Debian linux code.
https://en.wikipedia.org/wiki/Raspberry_Pi_OS

Anyway, I saw Seedsigner devs are finishing conversion of code for much more devices soon, as a part of new HRF bounty.
That means you will be able to run Seedsigner code on more devices soon, not just on Rpi.

 

[BlackHatCoiner]

Be careful with that, or you'll end up like coldcard user who used their dice generation feature with weak entropy and lost all his coins.

Let's just say that, fortunately, SeedSigner won't allow me to use a single dice result as an entropy! 

Same could be said for any generation that is not true random, and that means that it can be reproduced and cracked much easier.

Is it just me or is the phrase "true randomness" a bit of mixture of pleonasm and misleadingness? It kinda bothers me. If something is random, then people can't guess it; the outcome is totally unpredictable, and every possible outcome has the same probability. If that would be false, you wouldn't call it "fake randomness". You would simply call it non-random, or biased. In the case with generating entropy, both /dev/urandom and dice rolls are evidently random, hereby "truly random". But what matters in the end is being provably random.

Rolling dice is provably random, because you control the interface. /dev/urandom on the other hand requires some trust on the hardware.

[dkbit98]

I already showed you aluminum metal case for Seedsigner, and there are many variations of plastic cases, but someone recently made unique wooden SeedSigner case!
I didn't know this, but apparently you can also use wooden fibers in 3d printing machines to make enclosures like this.
This looks amazing, and you can download and print your own as .stl files and everything else is released as open source  
https://github.com/SeedSigner/seedsigner/tree/dev/enclosures/open_pill_mini_w_coverplate


https://twitter.com/SeedSigner/status/1757890380572270810

Is it just me or is the phrase "true randomness" a bit of mixture of pleonasm and misleadingness?

No it's not because there are to many ''random stickers'' for something that is not really random and can be reproduced.

[BlackHatCoiner]

wooden SeedSigner case!

That's my taste, right there! Better than both plastic and aluminum. I neither knew about the wooden fiber; I don't have a 3D printer, but I like the aesthetics.  

No it's not because there are to many ''random stickers'' for something that is not really random and can be reproduced.

My point is that you wouldn't call such a thing "random". You would call it unfair or biased. If you know that heads comes more frequently than tails, then you can predict the final output. If both heads and tails have the same probability, then you wouldn't call it "truly random", just "random" would do fine. I agree that it mustn't be binary, but where do we draw the line between random and non-random?

It just seems to me that we don't care if the dice is completely fair-- ergo, random. What matters to us is if it is rolled enough times-- ergo, the entropy generated is sufficient. Therefore, we don't care about being "truly random" or not, we care about minimizing the predictability (maximizing the entropy).