RC - BTCMiniKeyGenerator

[raritycheck]

Hey guys

For the new coins we are thinking of using a new key generaotr

We created a BTCMiniKey generator.
BTCMiniKeyGenerator uses audio + system randomness + time based randomness.

It is one of the alternatives we are considering.

Please let us know if anyone technically well versed has any feedback.

~
RC

[raghavsood]

Hey guys

For the new coins we are thinking of using a new key generaotr

We created a BTCMiniKey generator.
BTCMiniKeyGenerator uses audio + system randomness + time based randomness.

It is one of the alternatives we are considering.

Please let us know if anyone technically well versed has any feedback.

~
RC

It's nice to see the RC team putting some effort towards improving here. The feedback may sound harsh, but I give it coming from a place of wanting the team to succeed, not to criticise.

DO NOT ROLL YOUR OWN KEYGENS.

There are enough existing, battle tested options. If nothing else, follow one of Krogoth's guides and use a Trezor.

The simple implementation above is a good project implementation, but I would never use it for production:

1. A keygen should avoid pulling in random third party dependencies - even if base58 is trustworthy not, it can be compromised later.
2. The general code quality isn't at a production level for this - there's no error handling in the audio randomness, no enforcement of a minimum number of frames, time-based randomness is known to be weak.

These things work until they don't - you might accidentally run it on a computer with no mic and still get an output that is considerably weaker, with no indication of the weakness until funds are stolen.

If the RC team is inclined to sell keyed items in the future, please buy a good quality hardware wallet and use that to generate keys, or something like samr7's vanitygen. Don't try to DIY this. I spent years building and managing custody systems, there are a lot of ways to get it wrong.

[raritycheck]

Hey guys

For the new coins we are thinking of using a new key generaotr

We created a BTCMiniKey generator.
BTCMiniKeyGenerator uses audio + system randomness + time based randomness.

It is one of the alternatives we are considering.

Please let us know if anyone technically well versed has any feedback.

~
RC

It's nice to see the RC team putting some effort towards improving here. The feedback may sound harsh, but I give it coming from a place of wanting the team to succeed, not to criticise.

DO NOT ROLL YOUR OWN KEYGENS.

There are enough existing, battle tested options. If nothing else, follow one of Krogoth's guides and use a Trezor.

The simple implementation above is a good project implementation, but I would never use it for production:

1. A keygen should avoid pulling in random third party dependencies - even if base58 is trustworthy not, it can be compromised later.
2. The general code quality isn't at a production level for this - there's no error handling in the audio randomness, no enforcement of a minimum number of frames, time-based randomness is known to be weak.

These things work until they don't - you might accidentally run it on a computer with no mic and still get an output that is considerably weaker, with no indication of the weakness until funds are stolen.

If the RC team is inclined to sell keyed items in the future, please buy a good quality hardware wallet and use that to generate keys, or something like samr7's vanitygen. Don't try to DIY this. I spent years building and managing custody systems, there are a lot of ways to get it wrong.

Thank you for the feedback. We appreciate the insights you've shared, especially regarding the risks associated with rolling our own key generators.

To clarify, the BTC mini key generator version we shared was intended to get feedback, and not ready for production. We understand the importance of using well-tested solutions for key generation. But we cannot trust anyone going forward, if someday someone comes and tells that those hardware wallets are also compromised we will be compromised as well.
 
We took your feedback and updated the audio_randomness.py to address some of the concerns you've raised, particularly around error handling and audio frame rate quality.  

What else is concerning? How can we make it ready for production?
Edit: What are the other ways it can go wrong?
Edit2: Using secrets rather than os.urandom() for better randomness
Edit3: Added check for input volume

[aoluain]

It sounds like you are trying to break new ground with key generation which normally
is good, progress is good but from the position you are at now I dont think you would
be trusted to be breaking new ground. No disrespect intended.

I dont own any RC coins but love the designs and the new one in the making looks great also.

Also I have very limited experience of creating keys with a Trezor and would offer this:

1.) consider using a hardware wallet but not Ledger, check out Krogoths and
Polymerbit's threads on this

{INFO} SO, YOU WANNA GENERATE YOUR OWN KEYS FOR PHYSICAL BITCOIN ITEMS?

[ANN] Krogothmanhattan x Polymerbit: Customer DIY key generation with Trezor

2.) Use Krogoth or minerjones or Mopar to do it for you - if they are willing

3.) Produce DIY

[raritycheck]

Yes .. we will sell DIY etc.

This is for coins, if we have to generate keys ourselves.
One problem with sending to other etc is what if coins get lost (UK to US), plus the shape of the private keys (U shaped)

More info about the generator:

• PortAudio is used for adding entropy with audio around
• Generated mini keys are supported on electrum. here 1000+ keys generated with the tool

Added How it works?

[owlcatz]

Did you even check it with chatgpt or anything? 

Entropy Source:
Issue: The combination of audio data and system randomness is generally good for entropy, but it's important to consider that the effectiveness of audio-based entropy might vary depending on the environment (e.g., very quiet or noisy spaces).
Suggestion: Consider providing an option to use other entropy sources or mix additional sources to strengthen the randomness.

Just one of many issues it finds.

Cheers,
owl

[raritycheck]

Did you even check it with chatgpt or anything?  

Entropy Source:
Issue: The combination of audio data and system randomness is generally good for entropy, but it's important to consider that the effectiveness of audio-based entropy might vary depending on the environment (e.g., very quiet or noisy spaces).
Suggestion: Consider providing an option to use other entropy sources or mix additional sources to strengthen the randomness.

Just one of many issues it finds.

Cheers,
owl

Good point.
Yes. We checked with chat gpt and Claude. It uses four entropy sources.
1. Audio around you
2. System randomness with ‘OS.urandom’
3. Time based randomness
4. Cryptographically secure ‘secrets’
We also posted on the tech forums btw :
https://bitcointalk.org/index.php?topic=5506464.0


Just realized that there is this
https://www.random.org/bytes/

we will add that also another source of entropy..


15k + keys generated

https://docs.google.com/spreadsheets/d/1ZMwZ2Nc-RcwF8CpAnsoJ4FBKM0t-ulnBNknwzjhpZR8

[Eclipse33]

15k + keys generated

https://docs.google.com/spreadsheets/d/1ZMwZ2Nc-RcwF8CpAnsoJ4FBKM0t-ulnBNknwzjhpZR8

Can I send coins to one of the public addresses you generated.

Is having the private key next-to the address a security problem. 

[raritycheck]

15k + keys generated

https://docs.google.com/spreadsheets/d/1ZMwZ2Nc-RcwF8CpAnsoJ4FBKM0t-ulnBNknwzjhpZR8

Can I send coins to one of the public addresses you generated.

Is having the private key next-to the address a security problem. 

No please don’t send any btc to those addresses.
Those are just to show a demo of the key generation.