Subscribe Now
Trending News
Meet Libby in Nashville!

Blog Post

Buy

How to Roll Your Own Seed Words to Get a Truly Secure Bitcoin Wallet 

With the recent libbitcoin hack, people became more aware of letting a compromised piece of software roll their seed words.

Basically, the problem is entropy. The only thing that computers don’t do well is coming up with random numbers. When you ask a computer to give you a random number, it simply uses some algorithm based on the current time to produce one, essentially a hash of that number.

Normally that’s fine. At worst, you get stuck with a bunch of numbers that do not fall under normal distribution. In videogames, that’s when you see a bunch of critical hits or misses in a row.

But when those random numbers are used to generate cryptographic seed words that control bitcoin, then it becomes a problem.

Someone might reverse-engineer the algorithm and then be able to guess some of those generated pseudorandom numbers. Even if it takes a lot of processing power and time, it’s still much easier when they can focus on a specific dataset.

The solution is to add in entropy, meaning randomness from the real world.

Once of the simplest ways to add entropy is to roll some dice. Due to the unpredictability of the real world, this might not seem like much but it is actually random. Just roll dice and pick words from the official BIP39 wordlist.

You’ll be tempted to use some software tool that chooses those words for you. Don’t do that, since it’s the same problem all over again.

Generally hardware wallets are better at coming up with random numbers because their code is harder to compromise, or they might use some random input like the voltage to generate the seed.

The best and easiest way to generate the seed words is with this guide from Blockstream. All you need is some D20 dice, you can order them from anywhere.

To be honest, needing a 16-sided die is stupid. You can just use a D8 and roll it twice. Or even use a D20 and if you get a 17 you can count it as a 1, and so on.

The main thing is to introduce randomness from the real world.

Get a blockstream Jade wallet, it’s very cheap and has an impressive array of advanced features.

Then read the guide here https://help.blockstream.com/hc/en-us/articles/20177648363545-Create-a-recovery-phrase-using-dice

Another way, one which is quite fun when educating people in workshops and so on is Entropia, which are a bunch of tiles with the words from the BIP39 wordlist written on them.

You can pick them at random and generate your seed. Pick 11 of them and let the wallet generate the last one, you can do that with Blockstream Jade and with Sparrow.

You can get the Entropia from GoBrrr, use the coupon code LOVEISBITCOIN for 5% off. https://www.gobrrr.me/product/entropia-v2/

What do you think? Will you secure your wallet with some proper real-world entropy?

Did you enjoy this story? Then send some sats to the author!

100% of your tips go directly to the author. Need a wallet? Find one here.

Related posts

2 Comments

  1. 02b634bbfb

    “When you ask a computer to give you a random number, it simply uses some algorithm based on the current time to produce one, essentially a hash of that number.”

    No, not in most cases where security is important.

    Insecure pseudo random number generators (PRNGs) work exactly like this. The Mersenne Twister is the most common PRNG to be used in non-sensitive contexts.

    However, there are cryptographically secure pseudo random number generators that don’t work like this. They don’t use current time, and they’re not reversible like the Mersenne Twister. They use truly random, unpredictable, real world factors from the computer’s OS (like human mouse movements, background noise, or some combination of factors like this) to generate randomness, and the algorithm itself is secure.

    I think the point of your article is completely valid – the libbitcoin incident is a fair enough reason to not trust code someone else wrote unless you’re willing to review it yourself. If you’re relying on a library to generate your seed phrase, it needs to be open source AND you need to actually verify it’s not doing something dumb like using a cryptographically insecure PRNG.

    But the statement that computers can’t produce cryptographically secure random numbers is technically incorrect – CSPRNGs are used for 99%+ of all key generation, which means it’s at the core of all secrets management.

    Also – entropy is not the problem for PRNGs. Entropy is the number of possibilities. It doesn’t matter how many bits the randomly generated material is if it’s predictable. Predictability is the problem, and entropy is something entirely different.

  2. George Saoulidis

    Comments from Stackernews: @0260378aef
    Basically, the problem is entropy.
    The problem with libbitcoin wasn’t an inability to source sufficient entropy. It was an incorrect choice to use 32 bits of entropy, instead of 128+.
    (Or a meta problem – creating a seed generation function which apparently people weren’t supposed to use (?!) but they did).
    Generally hardware wallets are better at coming up with random numbers because their code is harder to compromise, or they might use some random input like the voltage to generate the seed.
    Hardware wallets, being very small, contained devices, have much less access to entropy than a PC. This does make seed generation a slightly trickier problem for them. But, true, good point about code being harder to compromise.
    To be honest, needing a 16-sided die is stupid. You can just use a D8 and roll it twice. Or even use a D20 and if you get a 17 you can count it as a 1, and so on.
    Two rolls of D8 is not the same as 1 roll of D16. The probability distribution of the former is not uniform. Even more, one outcome from D16 – “1” – is not even possible.
    Or even use a D20 and if you get a 17 you can count it as a 1, and so on.
    Again you’re creating a very non-uniform distribution there.
    Does it matter if it’s not uniform? I’d say it does, but I’d also agree that slightly uneven distributions usually wouldn’t matter that much, for private key/master secret generation. But without detailed analysis I wouldn’t trust it.
    As a scary example, imagine you sourced your nonces for signatures using a method where the final bit (out of 256!) is always zero. This can be enough to leak your private key, if you sign a fair number of times. That is profoundly unobvious – the nonce still has 255 bits of entropy, which is enormous! -but illustrates the point that if you need randomness and you generate something that has any non-randomness in it (such as a biased distribution), you are in dangerous waters.

    @frostdragon 5h
    “Basically, the problem is entropy. The only thing that computers don’t do well is coming up with random numbers. When you ask a computer to give you a random number, it simply uses some algorithm based on the current time to produce one, essentially a hash of that number.”
    Yeah, that’s how insecure PRNGs work, but there are CSPRNGs (cryptographically secure pseudo random number generators) that are perfectly fine to use for randomness. They typically incorporate some real-world element that’s truly unpredictable, like mouse movements or background noise… And the algorithm isn’t reversible.
    You can think of entropy as the number of possibilities… And entropy technically isn’t the problem, it’s the insecure/predictable/reversible algorithm.

Leave a Reply