Is a bag of bech32 marbles a secure entropy source?

[seedhammer]

The manual entropy generation process for dice is somewhat complicated, for good reasons (avoiding bias).

Assume you have an opaque bag of marbles, all equal except for a bech32 character printed on each. Is the following process a secure way to generate a codex32 secret?

• As preparation, place each marble in front of you, count them, sort them and ensure there are no duplicates (nor invalid characters).
• Then, for each character in your codex32 secret:
  • thoroughly mix the marbles by hand.
  • draw a marble and write it down.
  • replace the marble.

This is similar to BIP39 word tiles, but much less cumbersome to verify integrity because of much smaller alphabet.

[apoelstra]

I think it's okay. Similar with using a deck of cards reduced to 32 elements, and drawing with replacement and shuffling in between.

But it's hard to recommend. It really depends on how well you're "thoroughly mixing" the marbles and personally I worry that humans would have some reliable bias when doing this. But I'm not aware of any studies and don't really know how to obtain the information that I'd need to make me comfortable with this.

See this Ars Technica article on dice though which is the kinda thing I'd like to see with marble-drawing.

Having said this, if I used this technique for my personal coins, I wouldn't lose any sleep over it. Some bias in key-generation is fine; what you need to worry about is entropy. And even if you're losing a whole bit of entropy with every draw, after 26 draws you'll have 104 bits rather than 130 bits. Which is more than enough. And losing a whole bit already seems implausible. It would mean like, half your alphabet was missing.

[roconnor-blockstream]

Certainly the idealization of drawing balls from a urn is the prototypical way of defining a uniform distribution.

Still balls in practice will not be equal weight/density, and there will be a tendency for some bias as the lighter ones to rise to the top of the urn and heaver ones to fall down. (And the marbles will slowly change over time as they rub against each other).

I think the quality of randomness isn't a good as debiased dice, but I would guess that it is acceptable (and much easier to produce). I would close and shake the jar rather than mixing by hand.

You could add multiple copies of characters to the jar which has some tradeoffs. Entropy would be slightly better, but at the cost of needed to count that there are exactly equal number of marbles beforehand, (something I suppose you will have to do even with one of each marble). Also you want to make sure there is plenty of room in the jar for shaking to be effective.