Post
Topic
Board Project Development
Re: Are dices for generating seed words fair?
by
larry_vw_1955
on 20/10/2022, 23:31:02 UTC
what if you filled a bag with dice and blindly pick one die at a time and put it on the table and then look at the number on top. that eliminates any bias that is in the dice.
That doesn't eliminate bias. You still need to use your hand, and pick... randomly! But since you're a human, you can't do that properly. Also, if the dice aren't fair, say the number 6 has a 50% chance to come up, then the bag is likely to give you mostly sixes.

The human hand is not sensitive enough to detect which side of a particular die is heaviest. Otherwise we wouldn't need other ways of testing dice.


but again, i challenge anyone to show me a story where someone used dice to generate their bitcoin private key and then later said they got hacked. if they got hacked it's because of something else rather than a bad private key.
Unfortunately, this is not how security works. Just because somebody hasn't fallen for it, it doesn't mean you can't be the first. Figuring out a very complicated way to generate a Bitcoin wallet might have a smaller attacking point, but it doesn't make it more secure. As I said before, I don't know a case of a person who used an airgapped machine to generate a Bitcoin wallet using the CSPRNG, and got ripped off, and that's the commonly known secure way, backed by experts.

cakewallet had a csprng in the code. the problem was it also had a fallback which kicked in if the csprng failed to return a seed. the fallback was using the system "current time" as the seed. the issue of whether someone could have generated their mnemonic seed with the cakewallet app while "airgapped" is really irrelevant (although I would expect that they could), as is the argument that you require a "machine" to generate the seed. By machine I'm assuming you mean a desktop computer, but a smartphone is also a machine, which many people use.

The problem that these cakewallet users had is a common one, which is: if you haven't read through the source code yourself and understood how it works, then you are at risk... if they had used dice to generate their seeds, none of them would have lost money due to having an insecure seed. guaranteed.
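
Added example, not part of the original post: one way to test recorded d6 rolls for bias with a chi-square goodness-of-fit check, estimate how many rolls a biased die needs for 128 bits of min-entropy, and extract unbiased bits from roll pairs. All function names and the sample rolls are constructed for illustration; the code assumes independent rolls of the same die.

```python
import math
from collections import Counter

CHI2_CRIT_DF5_P01 = 15.086  # chi-square critical value, 5 degrees of freedom, p = 0.01

def chi_square(rolls):
    """Pearson statistic of observed d6 face counts against a uniform die."""
    counts, expected = Counter(rolls), len(rolls) / 6
    return sum((counts.get(f, 0) - expected) ** 2 / expected for f in range(1, 7))

def looks_biased(rolls):
    """True when the rolls deviate from uniform more than chance explains at p = 0.01."""
    return chi_square(rolls) > CHI2_CRIT_DF5_P01

def min_entropy_bits(probs):
    """Worst-case entropy per roll, set by the most likely face."""
    return -math.log2(max(probs))

def rolls_needed(probs, target_bits=128):
    """Rolls required so the sequence carries at least target_bits of min-entropy."""
    return math.ceil(target_bits / min_entropy_bits(probs))

def debias_pairs(rolls):
    """Von Neumann extraction on roll pairs: a<b -> 0, a>b -> 1, ties discarded.
    P(a<b) == P(a>b) for independent rolls of one die, so the bits are unbiased."""
    pairs = zip(rolls[0::2], rolls[1::2])
    return [0 if a < b else 1 for a, b in pairs if a != b]

# Constructed sample data (not measurements of real dice).
FAIR_SAMPLE = [1, 2, 3, 4, 5, 6] * 10           # 60 rolls, 10 per face
LOADED_SAMPLE = [6] * 30 + [1, 2, 3, 4, 5] * 6  # 60 rolls, half of them sixes
FAIR_PROBS = [1 / 6] * 6
LOADED_PROBS = [0.1] * 5 + [0.5]                # the thread's "6 comes up 50%" die

if __name__ == "__main__":
    for name, sample in (("fair", FAIR_SAMPLE), ("loaded", LOADED_SAMPLE)):
        print(name, round(chi_square(sample), 2), looks_biased(sample))
    print("rolls for 128 bits:", rolls_needed(FAIR_PROBS), rolls_needed(LOADED_PROBS))
    print("debiased bits:", debias_pairs([6, 6, 1, 6, 6, 2, 3, 3]))
```

The pair extraction discards ties and yields at most one bit per two rolls, so it trades roll count for freedom from per-face bias.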