Support for verifiable manual entropy #1293
Comments
We are considering doing the diceware/cointoss directly in Trezor #23.
That protects very narrowly against the RNG being bad. It's hard for a user to know whether the dice throws correspond to the seed that's generated without another device. The point is to be able to verify the seed phrase and not have to use another device.
Copying from #1381 :
It seems to me this is much simpler to implement than a whole new workflow and UIs for entering dice/coin results (though these two features are not exclusive and are both useful), and has better properties WRT trusting the device to handle the entropy correctly. The best part is that the user can generate the seed without even having any device around. Just have the list of words handy, flip coins / roll dice according to instructions, write down the words, done. You can fix the last word when you actually want to use the seed for the first time. All it takes is for the Trezor (and ideally all other BIP39 wallets) instead of giving the feedback of "wrong checksum", use "wrong checksum; expected the last word to be: XYZ" instead.
Compromised random number generation is one of the main security threats to any hardware device. This is a way to verifiably create a BIP39 HD seed that would be a useful feature to have.
Currently, there are only two choices when loading the hardware with a seed:
I would like a third option that lets me manually create my own seed that passes a checksum. Supposing that I have some way to generate manual entropy (dice, cards, etc), I would like to input a bunch of words directly into the device, but have the device give me the possible checksum words. Currently, 12, 18 and 24 word seeds require 4, 6 and 8 bits of checksum respectively. As the last word contains 11 bits of information, this means that for 24 words, I should have the option of picking my first 23 words and seeing the 8 possible last words (11 bits - 8 bits is 3 bits, which is 8 permutations). For 18, this is 32 possible last words and for 12, this is 128 possible last words. A number in front of each word would be very helpful for the manual entropy aspect. That way, I can roll dice or flip coins or something to choose that last word.
Essentially, this is very similar to restore-a-seed, but giving me a way to generate my own seed manually without use of any other device. Ideally, this process would be done in conjunction with a paper or metal backup. From a security standpoint, this would eliminate the dependency on the Trezor's RNG.
This would also have to be doable without the Trezor being plugged into a computer when that feature is ready.
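The checksum arithmetic behind the request above (8, 32 or 128 candidate last words for 24, 18 or 12-word seeds, and the "expected last word" feedback from #1381), as an added example that is not code from the issue or from the Trezor project. Words are represented by their 0..2047 positions in the BIP39 English wordlist, which is not embedded here; the caller maps indices to words with that list. Sample inputs are constructed from the all-zero BIP39 test vectors ("abandon ... about" and "abandon ... art").

```python
import hashlib

WORD_BITS = 11
VALID_LENGTHS = (12, 15, 18, 21, 24)


def candidate_last_indices(indices):
    """Given the first n-1 word indices of an n-word BIP39 mnemonic, return every
    last-word index that yields a valid checksum, ordered by the free entropy bits.

    For n words, the checksum is n // 3 bits (4, 5, 6, 7, 8), so the last word
    carries 11 - n // 3 user-chosen bits: 128, 64, 32, 16 or 8 candidates.
    """
    n = len(indices) + 1
    if n not in VALID_LENGTHS:
        raise ValueError("mnemonic length must be one of %s" % (VALID_LENGTHS,))
    if any(not 0 <= i < (1 << WORD_BITS) for i in indices):
        raise ValueError("word index out of range")
    cs_bits = n // 3
    ent_bits = n * WORD_BITS - cs_bits      # 128, 160, 192, 224 or 256
    free_bits = WORD_BITS - cs_bits         # entropy bits inside the last word

    # Concatenate the first n-1 words into one big integer of 11-bit fields.
    prefix = 0
    for i in indices:
        prefix = (prefix << WORD_BITS) | i

    candidates = []
    for free in range(1 << free_bits):
        entropy = (prefix << free_bits) | free
        digest = hashlib.sha256(entropy.to_bytes(ent_bits // 8, "big")).digest()
        checksum = digest[0] >> (8 - cs_bits)   # leading cs_bits of SHA-256
        candidates.append((free << cs_bits) | checksum)
    return candidates


def checksum_correct_last_index(indices):
    """For a complete mnemonic (as indices), return the last-word index the
    checksum requires, keeping the entropy bits the user chose in that word.
    This is the value a wallet could report as "expected the last word to be".
    """
    n = len(indices)
    if n not in VALID_LENGTHS:
        raise ValueError("mnemonic length must be one of %s" % (VALID_LENGTHS,))
    free = indices[-1] >> (n // 3)
    return candidate_last_indices(indices[:-1])[free]


def is_checksum_valid(indices):
    """True if the mnemonic's last word matches the SHA-256 checksum."""
    return indices[-1] == checksum_correct_last_index(indices)
```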