Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Re: Feedback for BTC mini key generator
by
raritycheck
on 19/08/2024, 23:58:51 UTC
Quote from: Quickseller on Today at 01:39:32 PM
Quote from: ABCbits on Today at 10:39:22 AM
Quote from: raritycheck on August 17, 2024, 06:02:12 PM
But we really want some hardcore feedback.

Most member who visit this board aren't programmer or Bitcoin developer, so don't expect hardcore feedback. But here's my amateur feedback.
1. What would happen if there's no audio input on the device? Would the code throw error or return weird data?
If the audio cannot be detected, or if there is no audio device, an exception will be raised (the program will crash), but due to try statements elsewhere, the private key will not be generated.

It appears the script is intended to use the user's audio input as a means of 'randomness'

Code:
#audio_randomness.py
    if frame_count < min_frames:
        raise ValueError("Insufficient audio data captured. Try increasing the duration or ensuring the microphone is working properly.")

#...
 # Check if audio data is silent
    audio_array = np.frombuffer(audio_data, dtype=np.int16)
    if np.max(np.abs(audio_array)) < silence_threshold:
        raise ValueError("Captured audio appears to be silent. Please check the microphone volume and try again.")


I would suggest this code not be used to generate private keys that will contain anything of actual value.

The code uses 'mini keys' which use less entropy. Also, the first digit of the mini key be '0', which even further reduces entropy (and perhaps is unnecessary).

Also, although the audio portion may introduce additional entropy, audio is potentially predictable, and an attacker could potentially record your environment to get an idea of what your audio input will be, and some sound devices may reduce variance in audio even further. If you are generating many keys at the same time, each of those keys may get very similar (if not the same) input for audio, which is not good.

Given the OP's history of selling physical coins whose private keys later are compromised, it is probably not a good idea to trust any software used to generate private keys produced by this person.

Thank you Quickseller

Unfortunately we trusted another software and hence the keys were compromised but it's not just ours but a widespread RNG attack https://www.blockchain.com/explorer/addresses/btc/1AMPtQJ3ajQBjZ1JdrtnhBukFgq7MW8749

 but we are refunding every sngle impacted user.
 
And we want to make the software we are suggesting more secure.

Audio just adds another layer of entropy. But it has audio + urandom + time based entropy.
If we do want to generate mini keys.. what are your suggestions to make it more secure.