-
-
Notifications
You must be signed in to change notification settings - Fork 629
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
diceware/cointoss initialization #23
Comments
User would have to "throw the dice" many (like 100) times to make it some impact, no? |
One throw of 6-sided dice is One coin toss is 1 bit of entropy. For 128 bits you'd need to toss 128 times, for 256 bits 256 times. |
Exactly. So, do you think this is something we want to have on the device? |
for the record, the usual way of resolving this is putting 5 (i think?) dice in a box and rolling them all at the same time, for one diceroll per one recovery word |
You can do 50 dice throws under 3 minutes (assuming 3 seconds per throw), 100 throws under 6 minutes. I agree this is so much harder to do on a device with no touchscreen since the input is not so straightforward as just showing 6 buttons on a touchscreen. |
I'm interested in helping on this one. I was contemplating making this myself when I found this issue. Here's what I was thinking. Briefly, I'd want to give the user a workflow that will guide them through:
The T1 and T2 can both easily support a coin toss heads-tails input. The T2 can support a D6 die 1-6 input. Entropy is a measure of unpredictability. A perfectly biased coin/die is totally predictable, and provides 0 entropy. Thus: For our purposes, bias is bad. We want to eliminate bias in the generated entropy. The problem is that the bias of users' coins/dice is not known and can not be appraised. A proposed workflow:
A note on design choice and efficiency: I see that a competitor product uses SHA-256 for randomness extraction from D6 rolls. I assume that decision was made in order to more efficiently extract closer to ~2.585 bits per roll. References EDIT: Also, the math that gives us equal probability from the 2-trial pairs of tosses/rolls: We don't know what the probabilities of H and T actually are (that is, we don't know how fair/unfair the coin/die actually is). To generalize this across both coin and die for the process shown in [3]: Thus, the GUI on the T2 device could simply display an input keyboard like 1/H, 2/T, 3, 4, 5, 6 if it is desirable to remove the step of letting the user choose which type of input to use. A shared input keyboard would also allow a user to generate using a coin and a die in different 2-trial pairs which could be good for final result unpredictability. The key to removing bias though is to only use a single source of randomness per 2-trial pair. |
I'm thinking something like the flow below. For trial input, the GUI may use a 1-6 number pad where one button has an H and another has a T (for heads and tails). How bits and words are "indicated" during the process are to be determined. The goal is to allow the user to keep track as the process progresses, for verification purposes, to assure them that the input is exactly what is being used to generate the words. As they go, they want to know whether a 0, 1, or nothing was generated. Then they want to see the 11 bits + the word that the bits map to for wordlist verification. It's a high work, high verification, high assurance process. If space for 11 bits and the number pad can fit on a single screen, that would be great. As they progress, bits could fill in and the number pad could be temporarily replaced by a word when one is completed. |
Also, I just remembered that it's likely more desirable to have this process reachable from the UI without having to attach it to a host. In that case, then substitute a button somewhere in the UI for the DiceCoinGenerate message. Then add a screen at the beginning to let the user input the desired word count. The user could decide whether to persist the words in the screen that shows all the generated words near the end. |
I haven't used the following process in practice yet, but it seems like it would make the coin based process much more user friendly. With tossing just one coin, the whole process is not time efficient (can easily take 100+ minutes). Because of that, it's prone to being interrupted, causing work to be lost. Here's one way to speed a coin based process up:
Dice may be a better choice with respect to ease of mixing and dumping. Even/odd would equate to heads/tails in the previous process. However, dice would not be as cheap, and would be more painful to label so that you know which die is which when you go to sequentially read them after the 2nd trial. If they are not labeled, I don't know of a great, unbiased way to process them. The predetermined sequential ordering makes that part of the process obviously fair. |
Also, here's a quick little script that one can run in a tails equivalent environment to try out a coin based process. You'll need to populate the wordlist in the script from the bip39 english wordlist since I removed most of it for brevity below.
|
T2 has display so we can show head/tails or 1-2-3-4-5-6 user interface for cointoss/diceware initialization to generate user entropy.
The text was updated successfully, but these errors were encountered: