--- Log opened Sat Nov 13 00:00:31 2021
00:19 -!- karonto [~karonto@2a02:3102:48e1:ff7e:c983:2f9:1aae:c75e] has joined #bitcoin-wizards
00:33 -!- solocshaw [~Thunderbi@gateway/vpn/pia/solocshaw] has quit [Quit: solocshaw]
01:14 -!- RubenSomsen [sid301948@user/rubensomsen] has quit [Ping timeout: 256 seconds]
01:16 -!- hendi [sid489601@lymington.irccloud.com] has quit [Ping timeout: 264 seconds]
01:17 -!- RubenSomsen [sid301948@user/rubensomsen] has joined #bitcoin-wizards
01:18 -!- hendi [sid489601@lymington.irccloud.com] has joined #bitcoin-wizards
01:19 -!- yuanti [sid16585@tinside.irccloud.com] has quit [Ping timeout: 256 seconds]
01:19 -!- blkncd [sid505676@helmsley.irccloud.com] has quit [Ping timeout: 256 seconds]
01:20 -!- karonto [~karonto@2a02:3102:48e1:ff7e:c983:2f9:1aae:c75e] has quit [Quit: This computer has gone to sleep]
01:20 -!- yuanti [sid16585@tinside.irccloud.com] has joined #bitcoin-wizards
01:21 -!- rocket_fuel__ [sid2662@ilkley.irccloud.com] has quit [Ping timeout: 264 seconds]
01:23 -!- blkncd [sid505676@helmsley.irccloud.com] has joined #bitcoin-wizards
01:24 -!- rocket_fuel__ [sid2662@ilkley.irccloud.com] has joined #bitcoin-wizards
01:26 -!- bw [sid2730@user/betawaffle] has quit [Ping timeout: 264 seconds]
01:29 -!- bw [sid2730@user/betawaffle] has joined #bitcoin-wizards
01:33 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
01:54 -!- CryptoDavid [uid14990@uxbridge.irccloud.com] has joined #bitcoin-wizards
01:57 -!- Cory [~Cory@user/pasha] has joined #bitcoin-wizards
02:03 -!- kexkey [~kexkey@static-198-54-132-165.cust.tzulo.com] has quit [Ping timeout: 245 seconds]
02:05 -!- kexkey [~kexkey@static-198-54-132-133.cust.tzulo.com] has joined #bitcoin-wizards
02:13 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has joined #bitcoin-wizards
02:36 -!- AaronvanW [~AaronvanW@71pc74.sshunet.nl] has joined #bitcoin-wizards
04:03 < andytoshi> seems we lost roconnor
04:03 < andytoshi> but i don't understand what you two are saying
04:03 < andytoshi> how do i split into groups of 256 words?
04:04 < andytoshi> such that only one word will work?
04:11 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has quit [Quit: This computer has gone to sleep]
04:16 < _aj_> andytoshi: normally, you generate 256 bits of entropy, right? then you're meant to add 8 bits of checksum, for 264 bits total, which gets divided into groups of 11. the last group is [eee ccc ccc cc] (e=entropy, c=checksum). but you're picking random words, so you'll pick [eee rrr rrr rr] instead. but if you only cycle through words with the same "e" bits set, all you'll do is cycle until r=c
04:17 < andytoshi> oh! yes, derp, thank you
04:18 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has joined #bitcoin-wizards
04:19 < andytoshi> ok, great -- so my by-hand instructions would be "randomly choose one of these 8 fixed words as your last word and then iterate from there"
04:19 < andytoshi> where the 8 fixed words are the [eee 000 000 00] ones
04:19 < andytoshi> (assuming big endianness etc)
04:21 < _aj_> yeah, as long as you're telling them to always choose 24 words
04:34 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has quit [Quit: This computer has gone to sleep]
05:06 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has joined #bitcoin-wizards
05:12 -!- AaronvanW [~AaronvanW@71pc74.sshunet.nl] has quit [Quit: Leaving...]
05:25 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has quit [Quit: This computer has gone to sleep]
05:29 -!- Guyver2_ [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
05:31 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Ping timeout: 256 seconds]
05:31 -!- Guyver2_ is now known as Guyver2
05:33 -!- _andrewtoth_ [~andrewtot@gateway/tor-sasl/andrewtoth] has quit [Remote host closed the connection]
05:34 -!- _andrewtoth_ [~andrewtot@gateway/tor-sasl/andrewtoth] has joined #bitcoin-wizards
06:12 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has joined #bitcoin-wizards
06:13 -!- roconnor [~roconnor@host-45-58-217-8.dyn.295.ca] has joined #bitcoin-wizards
06:14 < roconnor> andytoshi: How long do you think it would take to try 256 final words?  I always I assumed I would have to start over from the beginning and try again on my ledger, and it only has 2 buttons.
06:21 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Remote host closed the connection]
06:29 < andytoshi> roconnor: i believe you are correct :( so probably 30+ seconds for a single try, or 2 solid hours of fucking around with the little buttons
06:30 < andytoshi> i think, in practice i would write a python script on an airgapped computer, or maybe try to write a TI83 program to just give me the final word, or something
06:30 < andytoshi> lol maybe i could compute a sha2 by hand in less time
06:31 -!- andrewtoth_ [~andrewtot@gateway/tor-sasl/andrewtoth] has joined #bitcoin-wizards
06:33 < andytoshi> hmm actually, hashing 32 bytes is only a single sha2 compression function isn't it, and if i've already converted my 256 bits from a sane format to bip39 words, i probably have the binary expansion in front of me ready to be converted to hex
06:33 < roconnor> doing sha256 takes longer.
06:33 < roconnor> like a day.
06:34 < roconnor> I just noticed that BIP32 suggests the master seed can be upto 512 bits.  I wonder how seriously I should take that.
06:34 < andytoshi> yeah i see, it does all these quite involved operations on 32-bit numbers, which are too big to volvelle so you have to do it longhand
06:34 -!- _andrewtoth_ [~andrewtot@gateway/tor-sasl/andrewtoth] has quit [Ping timeout: 276 seconds]
06:34 < roconnor> http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and-paper.html suggests 1.5 days.
06:35 < roconnor> TI83 is an interesting choice I had never considered.
06:36 < roconnor> This are required to be air-gapped for student purposes.
06:36 < andytoshi> ah true, even the new ones are aren't they
06:36 < roconnor> I don't know what students do now-a-days.
06:36 < andytoshi> i was thinking to get one of the originals (i think anything that's a TI83, not a TI83+, was made in the 90s or early 00s)
06:37 < sipa> roconnor: if i were student nowadays i'd want to use wolfram alpha
06:37 < roconnor> Probably not allowed to use wholfram alpha during a test.
06:38 < roconnor> Now I kinda want to do HD pubkey generation on my calculator.  I wonder if I still have it somewhere.
06:38 < roconnor> and if it works.
06:39 < andytoshi> sipa: in the US and canada we had special "calculators allowed" tests where you had to use this specific Texas Instruments calculator which TI asserted had the optimal amount of functionality to help students without being a crutch, or something stupid like that. and they would charge like $200 a pop for these things which probably had a $20 BOM because that specific model was the only one 
06:39 < andytoshi> allowed
06:39 < andytoshi> but it was absurd because it had a full general purpose programming language on it
06:39 < roconnor> sure, but you have to clear the calculator at the beginning of the test right?
06:39 < andytoshi> so you could pre-program whatever cheats you wanted (or just directly store answer keys)
06:39 < andytoshi> ah yes ):
06:39 < andytoshi> :)
06:40 < andytoshi> so if you were _really_ clever, you had to mock up the "clear the calculator" screen so when the teacher used it, it wouldn't work
06:40 < sipa> figuring out if the response is actually an answer to your question is a much more useful skill in life than being able to solve a differential equation by hand
06:40 < andytoshi> i never knew anyone who did this, idk if it was actually possible to mock out that srceen
06:40 < andytoshi> sipa: sure, but sadly nobody in charge of high school math curriculum is on this channel
06:40 < andytoshi> anyway
06:41 < roconnor> The important thing for our purposes, is that this is a programable device that is, in a sense, designed to be air gapped as a requirement.
06:41 < andytoshi> because of this historical abberation ... there are shitloads of these calculators out there, which are easy to find on craigslist
06:41 < andytoshi> which have a general purpose programming language, predate bitcoin by over a decade, and had strong incentives to be built with zero wireless hardware
06:41 < andytoshi> exactly
06:43 < sipa> andytoshi: of course, we also had a list of permitted calculators
06:43 < sipa> whose price was, even then, completely ridiculous
06:44 < roconnor> I couldn't immediately find my calculator.
06:45 < roconnor> I'll keep an eye out for it.
06:46 < andytoshi> hrm, i checked 3 cities' craigslists and could not find any TI83s. i'm sure i have a couple at my parents' house (thuogh we may have given them away)
06:46 < sipa> I had a casio something.
06:46 < roconnor> I'm pretty sure I had a TI-85?
06:46 < sipa> In my class there were 3 casios; everyone else had TI somethings.
06:46 < sipa> (in high school)
06:47 < roconnor> for some reason the TI-85 predates the TI-83
06:47 < andytoshi> oh cool! is it still fully programmable?
06:48 < roconnor> I wrote pong.
06:48 < andytoshi> lol then i'm sure you could write sha2
06:48 < roconnor> I kinda want to do HD key derivation.
06:49 < roconnor> There is an ASM shell too.
06:49 < roconnor> which I never used at the time.
06:49 < andytoshi> so .. my feeling is, for generating, checksumming and splitting keys, i like the volvelles because they are very easy to reason about and feel very robust against hardware failures (and secure against sidechannels provided i'm not being watched)
06:50 < andytoshi> for sha2 checksums and HD derivation i'd be happy to use a TI83 (or 85) since those are pretty hard functions to sidechannel and if they're wrong they should be very visibly wrong
06:50 < andytoshi> i guess, not HD derivation, if that fucks up you're in trouble
06:50 < roconnor> mostly I want to be able to spot check that my HW wallet isn't lying about my pubkeys.
06:50 < andytoshi> yeah, this seems like a great application for this
06:51 < andytoshi> i really wouldh not want to use the calculator as a primary source of key data :P i'm sure there are tons of weird bugs and undocumented gotchas in those 1980s circuits
06:52 < andytoshi> i also don't think those calculators can store data reliably even if you wanted them to ... like, IIRC you can take the batteries out and that'll clear them
06:52 < roconnor> sounds like a feature.
06:53 < andytoshi> so if you are worried about theives stealing your electronics and extracting your key data from them ... it's unlikely they'd even go for an old calculator in a desk drawer with no batteries
06:53 < andytoshi> but if they did you're probably still ok :P
06:53 < roconnor> depends on how popular this scheme becomes.
06:53 < roconnor> My guess is that it will be very unpopular.
06:53 < andytoshi> lol!
06:53 < andytoshi> agreed
06:54 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has joined #bitcoin-wizards
06:56 < andytoshi> there are hundreds of these calculators on ebay .. but if the seller knew we were buying them for bitcoin purposes they would be extremely easy to bug
06:57 < andytoshi> alternately target is still selling shrinkwrapped TI84s for $100 <rolling eyse>
06:58 < andytoshi> i'll just try to find the one i had in high school
06:58 < roconnor> Do you think the seller is cahoots the alledged hacker of your HW?
06:58 < roconnor> because the best the seller can do is corrupt your pubkey dervation and replace it with his own.
06:58 < andytoshi> yes, that is what i'm imagining happening
06:58 < andytoshi> i guess that would be extremely detectable
06:59 < roconnor> but if it a cross check with your HW you will know something is up with one of the two devices.
06:59 < andytoshi> well, another thing i could imagine is the device just storing every single thing that is input or output .. and the seller knows my name and shipping address (ok, i can obscure one or both of those..)
07:00 < roconnor> storing and then do what?
07:00 < roconnor> oh break in.
07:00 < andytoshi> yeah
07:00 < roconnor> I think they will just break in and bug your devices no matter what.
07:00 < andytoshi> lol good point
07:01 < andytoshi> ok, yeah, i think the ebay seller is probably not a serious attack vector
07:01 < roconnor> But certainly shipping to a PO box is fine.
07:02 < andytoshi> ok, my dad says that literally a week ago he found my calculator and gave it away to a friend who has a grade 11 child
07:04 < andytoshi> oo there is a TI85 on ebay with 90 minutes left on auction .. i haven't done this in like 15 years
07:05 < roconnor> *lol*
07:05 < roconnor> first of all you have to bid at the last minute.
07:06 < roconnor> That's all I remember.
07:07 < roconnor> Does ebay tell you what these calculators typically go for?
07:07 < andytoshi> i'm sure it can, but scrolling through listings i see most are on sale for $15-$25
07:08 < andytoshi> this one was bit at $11, but now i am the highest bid at $14.50
07:08 < andytoshi> (all USD)
07:08 < roconnor> I told you not to bid until the last minute. *lol*
07:10 < andytoshi> lol! i had already bid (and i'm glad i did it early, it took me a little bit to remember how to do it)
07:13 < andytoshi> oh, and my gf is just telling me now that she has a TI84 from school
07:14 < andytoshi> getting back to -wizards stuff ... roconnor have you settled on a linear code to use with the volvelles? i was thinking of making a base32->bip39 worksheet today (before i got gummed up dealing with the checksum)
07:15 < andytoshi> and maybe a base32->slip39 worksheet ... interestingly slip39 has a linear code checksum that we could potentially implement directly in volvelles
07:16 < roconnor> I mean one of these three @ https://github.com/roconnor-blockstream/SSS32/blob/master/polymod.md
07:16 < roconnor> probably the first one, unless I find a reason to use one of the other two.
07:16 < roconnor> But there is a problem: It doesn't work for 512 bit entropy.
07:17 < roconnor> Some solutions are (1) ignore it because no one uses that much entropy in practice.
07:17 < roconnor> (2) Add a "long" version of the format that uses a 16 character checksum when the data is too long.
07:18 < roconnor> (3) Allow for some form of two concatenated codewords that use the 13 characher checksum.  
07:19 < roconnor> I'm leaning towards some combination of (1) and (2).
07:19 < roconnor> I mean, I guess there is option (4) use a 16 character checksum.
07:19 < andytoshi> interesting, i would actually prefer (3) actually, because as a user it gives me some feedback halfway through the process
07:20 < andytoshi> that is, if i produce two codewords i can verify them indepndently
07:20 < roconnor> I mean, you get 26 checksum characters instead of 16.
07:20 < roconnor> but you do ... sort of get ... get better error correction.
07:20 < andytoshi> true, it's more total work
07:20 < andytoshi> but my experience doing bech32 by hand is that after dealing with 20 characters or so i start to worry that i made a mistake somewhere, and wish that i was able to check my work
07:21 < roconnor> I mean, it might not be more total work.  I'd have to check.  The work is additive instead of multiplicative.
07:21 < roconnor> *the amount of work is additive ....
07:21 < andytoshi> i think it's a tiny bit more work
07:21 < andytoshi> but psychologically it would probably be less
07:22 < andytoshi> i'd rather spend 30 minutes producing a 13-character checksum which i can verify in another 30 minutes ... twice ... than spend 55 minutes producing a 16-character checksum that would take another 55 minutes to verify
07:22 < andytoshi> even though the latter saves me 10 minutes in the case that i do everything right
07:22 < roconnor> I guess that is fair.
07:22 < andytoshi> and i suspect the savings is more like 1 minute than like 10
07:23 < roconnor> so maybe some combination of (1) and (3) is the way to go.
07:23 < andytoshi> yeah. i think you just need a couple sentences explaining how to deal with 512 (or more) bits
07:24 < andytoshi> or maybe just one "split your data up and do everything independently" will be clear enough
07:24 < roconnor> actually there are a lot of arbitrary design choices on how to do that.
07:24 < roconnor> I think splitting up the data independently will go very badly in practice.
07:25 < roconnor> pieces will get lost, or put in the wrong order.
07:25 < andytoshi> ah yeah .. esp if you combine the splitting with SSS
07:25 < roconnor> people will end up using the same identifier for both pieces.
07:25 < andytoshi> i think, if you have just two pieces, you've got a 50% chance of getting the right order
07:25 < roconnor> etc.
07:25 < andytoshi> yeah i see
07:26 < andytoshi> frustratingly SSS wrecks up your header format
07:26 < andytoshi> like, once you've split the secret up, the shares look random
07:26 < andytoshi> so you can't tag the shares themselves with "this goes to segment 1"
07:26 < roconnor> The most irritating problem is that no one uses 512 bit entropy so we'd be trying to standardize something that is kinda special cased and ever gets exercised.
07:26 < andytoshi> yeah
07:26 < roconnor> Nope.
07:27 < roconnor> The beauty is that SSS does not wreck my header format.
07:27 < andytoshi> ohh because it's constant for the words that correspond to the header
07:27 < andytoshi> that is beautiful
07:28 < roconnor> https://github.com/roconnor-blockstream/SSS32/blob/ms32/MasterSeed32.md#ms32 is the WIP
07:28 < roconnor> so the constant part of the header is constant.
07:28 < roconnor> and the share index label is perfectly linear.
07:28 < andytoshi> incredible
07:29 < roconnor> That's why it is hard not to write this up.
07:29 < roconnor> That means the BCH checksum can cover the header and still be compatable with the SSS.
07:29 < andytoshi> ok, nice, so we could actually just tell the user "if you are splitting this up then add extra characters <here> which encode the segment # in decimal. you will need to use L instead of 1"
07:31 < roconnor> My though was that if the data portion of the string is longer than 93 characters, then it is implicitly split at that point.
07:31 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
07:31 < roconnor> so like having lengths between 94 and 107, or whatever, wouldn't be legal.
07:34 < andytoshi> by "implicitly split" you mean the user is forced to add a new header at that point?
07:34 < roconnor> no.
07:35 < roconnor> just when the data portion (which includes the format header but excludes the HRP) is longer than 93 characters
07:35 < roconnor> then split the data protion up into, let's say, the first 93 characters and the remaining (less than 93) characters.
07:36 < roconnor> and then do the error correction algorithm on those two fragments.
07:36 < andytoshi> oh! then you would encode the first 93 chars, 13 chars of checksum, the next <less than 93> chars, 13 chars of checksum
07:36 < roconnor> (with an implicit HRP added to the second fragment, I'm thinking).
07:36 < roconnor> the last 13 characters of the first 93 characters would be the checksum.
07:36 < roconnor> but yes.
07:37 < roconnor> This is how BCH codes are usually used in practice, AFAIU.
07:37 < andytoshi> ok, yes, i think i understand you then (up to counting mistakes)
07:37 < roconnor> like on a CD.
07:38 < andytoshi> ah, yeah, when you say "having lengths between 94 and 107 wouldn't be legal" the reason is that this would imply a new segment of length <13, which is impossible because the code requires a checksum of that length
07:38 < roconnor> correct.
07:38 < andytoshi> ok. i'm happy with this
07:38 < roconnor> and =13 would imply the data part is 0, which would also be illegal.
07:38 < andytoshi> i think it's straightforward to describe, won't confuse/interrupt normal users who are not using insanely long strings
07:39 < roconnor> The sticking point is that the second part needs a "non-zero" prefix.
07:39 < roconnor> which is why I'd implicitly put a HRP onto the second half.
07:40 < andytoshi> for a paper worksheet user, an (implicit) HRP just caches out in having some initial values filled in, right?
07:41 < andytoshi> cashes out*
07:41 < roconnor> yes.
07:42 < roconnor> Maybe even for a non-paper user as well.
07:46 < andytoshi> BTW how much of this was inspired by slip39? i see they have a similar-looking header
07:46 < andytoshi> and i am tempted to try to re-use their header format
07:46 < andytoshi> to improve interoperability between the schemes
07:48 < andytoshi> ah, they are doing SSS over GF(256) which is too big to volvelle, so we couldn't make the shares compatible
07:48 < andytoshi> oof and they are using hmac-256 as a rng rather than just telling the user to make more randomness
07:49 < sipa> you're thinking of using SSS over GF(32)?
07:49 < andytoshi> sipa: yeah
07:49 < andytoshi> so you can have a maximum of 31 shares
07:49 < andytoshi> (the 32nd would be the actual secret)
07:50 < sipa> right
07:50 < roconnor> andytoshi: It is basically an attempt to replicate slip39 with hand computation.
07:50 < andytoshi> gotcha
07:51 < roconnor> andytoshi: BTW the proof that all this header and checksum stuff doesn't impact SSS security is as follows.
07:51 < roconnor> Suppose you have t-1 shares.
07:51 < roconnor> For every possible secert there is some *unique* set of other shares that would decode that secret.
07:52 < roconnor> therefore, without those shares, there is no reason to think any particular secret is more likely than any other secret.
07:52 < roconnor> therefore no information about the secret data is leaked.
07:53 < andytoshi> yep that makes sense
07:53 < roconnor> (of course the non-secret parts of the secret share, the header, and the fact that it will have a valid checksum, is leaked, but that doesn't form part of the secret data of the secret share).
07:53 < andytoshi> it's essentially the security argument for SSS, with the observation that all this constant/structured data doesn't change the argument
07:53 < roconnor> yes.
07:53 < andytoshi> another way to think about it is that you are indpendently doing SSS on every character of the message
07:54 < andytoshi> so if some characters are known, that won't affect the unknown ones
08:02 -!- gene [~gene@gateway/tor-sasl/gene] has quit [Remote host closed the connection]
08:03 -!- gene [~gene@gateway/tor-sasl/gene] has joined #bitcoin-wizards
08:03 < roconnor> That was my hand-wavy argument.
08:03 < roconnor> It's just that maybe the checksum somehow connects things across characters making things not independent.
08:04 < roconnor> certainly the checksum charaters themselves are not independent.
08:04 < andytoshi> yep, i see
08:04 < andytoshi> if it were just "there's a fixed header" i think the handwavy argument would be solid
08:04 < andytoshi> but the checksum mixes everything up
08:43 -!- CryptoDavid [uid14990@uxbridge.irccloud.com] has quit [Quit: Connection closed for inactivity]
08:46 -!- b10c [uid500648@ilkley.irccloud.com] has joined #bitcoin-wizards
08:55 < roconnor> andytoshi: did you win your bid, or is that secret?
09:25 -!- jess [~jess@libera/staff/jess] has joined #bitcoin-wizards
09:29 < andytoshi> roconnor: oh! looks like i won
09:39 < andytoshi> hmm, if i am generating a 256-bit secret by generating bech32 digits, it seems i can only produce 255 bits (or some other multiple of 5)
09:41 < andytoshi> i can't decide if i should produce 255 bits (and lose a bit of security, and have a scheme were, if some nut were to use this for nonce generation, he would leak his key)
09:41 < andytoshi> or 260, and have an extra complicated step for compressing the last base 32 digit into a bit
09:51 < andytoshi> looks like slip39 takes 256 bits from $somewhere, then pads it with 4 zero bits to get 260
09:52 < andytoshi> so the equivalent for us would be, when dice-generating base-32 characters, to generate 55 characters normally then a 56th which you compute from a coin flip, between 00000 and 10000
09:52 < andytoshi> which are q and s
10:00 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:ccbd:a6d9:9317:c741] has joined #bitcoin-wizards
10:05 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:ccbd:a6d9:9317:c741] has quit [Ping timeout: 264 seconds]
10:08 < roconnor> andytoshi: you should produce 128 bits by debiasing.
10:10 < roconnor> and pad to 130
10:14 < roconnor> roll 5 dice of different colours.
10:14 < roconnor> Write down the answers
10:14 < roconnor> roll them again
10:14 < roconnor> write down those answers below, aligning the dice colours.
10:15 < roconnor> compare the results colour-wise.
10:15 < roconnor> If the first roll was smaller, write a 0 bit for tha column. If the first roll was larger write a 1 bit for that colum.
10:15 < roconnor> take all the dice that were tied and restart, rerolling them twice.
10:16 < roconnor> once you have 5 bits, generate a bech32 character.
10:21 < roconnor> translucent dice tend to be higher quality because they are not allowed to hide bubbles inside them.
10:40 < sipa> just needs a gas with the same lightspeed as the p
10:48 < roconnor> @andytoshi Here you go https://www.ebay.com/itm/203687735254
10:48 < roconnor> 9 cents
11:57 < andytoshi> lol thanks!
11:57 < andytoshi> though i imagine anything shipping from china will arrive in 1-18 months, which is a tough range for me to guess a shipping address for..
12:01 < _aj_> could get a roleplaying set, and match them by number of faces rather than colour?
12:04 < roconnor> that's true.
13:00 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:81ac:a96e:87f8:3e26] has joined #bitcoin-wizards
13:04 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
13:05 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:81ac:a96e:87f8:3e26] has quit [Ping timeout: 245 seconds]
13:50 < andytoshi> hrphm. for a bip39 -> binary conversion chart it looks like i can fit 256 entries onto a page, so 8 pages total
14:18 < andytoshi> ah, by rotating and shrinking the font i can get 8 columns of 64 words, so 512 per page
14:45 -!- plankster [~plankster@user/plankers] has quit [Quit: No Ping reply in 180 seconds.]
14:45 -!- plankster [~plankster@user/plankers] has joined #bitcoin-wizards
14:55 -!- plankster_ [~plankster@user/plankers] has joined #bitcoin-wizards
14:57 -!- plankster [~plankster@user/plankers] has quit [Ping timeout: 256 seconds]
14:59 -!- plankster_ [~plankster@user/plankers] has quit [Client Quit]
15:02 -!- plankster [~plankster@user/plankers] has joined #bitcoin-wizards
16:06 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:f8ca:811:6d66:c48] has joined #bitcoin-wizards
16:11 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:f8ca:811:6d66:c48] has quit [Ping timeout: 264 seconds]
16:18 < andytoshi> so -- converting a 24-word bip39 seedphrase to base32 by hand took me 20-30 minutes (i was not timing myself too carefully when i started)
16:18 < andytoshi> then computing a bech32 checksum by hand took me 47 minutes
16:19 < andytoshi> my next experiment is to ask my girlfriend to verify the checksum (she is not a mathematician and is unlikely to find as many volvelle shortcuts as me) and do the inverse conversion
16:19 < andytoshi> but thus far, i think this has been a great success. i'm really happy that i can put a real checksum on my secrets
16:20 < andytoshi> without loading them onto any computers
16:20 < andytoshi> my next next experiment would be using the new code that roconnor suggested, assuming he hasn't already updated his postscript to use it
16:21 -!- AaronvanW [~AaronvanW@71pc74.sshunet.nl] has joined #bitcoin-wizards
16:22 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:e440:c217:3a13:260b] has joined #bitcoin-wizards
16:26 < _aj_> andytoshi: idea is to have a new seed word standard with different checksum then?
16:26 -!- RickSanchez [~RickSanch@2607:fb90:8916:965b:e440:c217:3a13:260b] has quit [Ping timeout: 245 seconds]
16:27 < andytoshi> _aj_: well, "standard" is probably too strong for this .. but something that is standard enough to last. i think in terms of desireable mathematical properties the SLIP39 checksum is pretty-much what i want (though I wish it was longer)
16:27 < andytoshi> _aj_: the context here is this project https://github.com/roconnor-blockstream/SSS32 which roconnor did at the start of the pandemic
16:28 < andytoshi> it is (a) a way to compute bech32 checksums by hand; (b) a way to do 2-of-N shamir secret sharing by hand (he made the remarkable observation that BCH codes are compatible with SSS in such a way that if you split a checksummed value then you'll get checksummed shares)
16:29 < andytoshi> at the time russell presented it as a toy/novelty, both because it's really a PITA to use and because nobody else had vetted any of the math
16:30 < andytoshi> and so nobody (at least, not me) really looked at it or bothered to figure out how it was supposed to work
16:30 < andytoshi> but then recently i almost-rediscovered the SSS/BCH compatibility, which was enough of an impetus to look at this
16:30 < andytoshi> and actually
16:30 < andytoshi> i think it is really really useful
16:31 < andytoshi> so -- next steps are to replace bech32 with a longer checksum. since this is all hand-computation stuff there's no real need for it to be directly compatible with any existing scheme
16:31 < andytoshi> and to improve the documentation so that you can use it without necessarily knowing the math
16:32 < andytoshi> and to clean up the source code (i didn't realize there was source code at first, but actually the .ps file in that repo is hand-written and there is a bunch of field arithmetic roconnor implemented in postscript)
16:32 < andytoshi> and to make some "extension" worksheets to allow conversion between this and the master seed import formats that real wallets use (which are bip39 and slip39 i believe)
16:33 < andytoshi> and also blockstream has some marketing ideas around it
16:35 < andytoshi> but basically ... my thinking is: this scheme is very "obviously secure" in that if you can reason about the math you can trust it, it's all pen and paper so there's no room for your computer to fuck you. it's also extremely robust, in the sense that you'll be able to "run this" as long as printers continue to exist (in fact a bit longer..), you don't need to worry about anything bitrotting or 
16:35 < andytoshi> any repos being hijacked or whatever
16:35 < andytoshi> and it's very easy to keep track of it, you just print another copy and put it in your safe
16:36 < _aj_> what are you printing?
16:36 < andytoshi> and that copy isn't going to change out from under you, even if the original repo gets replaced and every online copy gets replaced
16:36 < andytoshi> _aj_: :) check out that github repo i linked https://github.com/roconnor-blockstream/SSS32 it has a .ps file
16:37 < andytoshi> you can open that in evince or pretty-much any document viewer. (although evince kinda chokes on it, i have to use `ps2pdf` first to get a printable version)
16:39 < andytoshi> i should really emphasize, especially for other users, that at the current state of the project you SHOULD NOT USE THIS FOR REAL DATA because it is liable to change and possibly have mistakes in it
16:39 < _aj_> the shares are just strings of alphanumerics, not the state of the slide-chart thing?
16:39 < andytoshi> _aj_: correct
16:39 < sipa> works fine in evince here, even without converting to pdf
16:39 < andytoshi> the slide-charts are there to help you do the polynomial interpolation
16:40 < andytoshi> sipa: i can view it no problem, but when i try to print it (even "print to pdf") i get a single blank page
16:40 < sipa> ah
16:40 < _aj_> andytoshi: presumably "cryptosteel" and the like will produce nicely engineered versions of the slide-chart eventually...
16:41 < andytoshi> _aj_: lol! that would be a pretty cool outcome
16:45 -!- Guest1 [~Guest1@50.126.96.22] has joined #bitcoin-wizards
16:46 < Guest1> Can anyone walk me though creating a taproot raw TX?
17:30 < roconnor> you cannot really verify a cryptosteel version.
17:34 < andytoshi> well, you could visually spot-check it
17:35 -!- adiabat [~adiabat@63.209.32.102] has quit [Ping timeout: 264 seconds]
17:36 -!- AaronvanW [~AaronvanW@71pc74.sshunet.nl] has quit [Quit: Leaving...]
17:43 -!- Guest1 [~Guest1@50.126.96.22] has quit [Quit: Client closed]
17:50 < roconnor> That's true.  I was thinking checking 1000 entries isn't impossible.
17:50 < roconnor> maybe it is even easier than all the rest of the computation.
17:51 < roconnor> I'm not sure how much has to be corrupted to be effective.
17:51 < roconnor> probably a lot.
19:15 -!- b10c [uid500648@ilkley.irccloud.com] has quit [Quit: Connection closed for inactivity]
20:03 -!- solocshaw [~Thunderbi@gateway/vpn/pia/solocshaw] has joined #bitcoin-wizards
20:30 -!- adiabat [~adiabat@63.209.32.102] has joined #bitcoin-wizards
20:59 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has quit [Quit: This computer has gone to sleep]
21:12 -!- b10c [uid500648@ilkley.irccloud.com] has joined #bitcoin-wizards
21:56 -!- robertspigler [~robertspi@2001:470:69fc:105::2d53] has joined #bitcoin-wizards
23:00 < ademan[m]> ColdCard allows you to combine a hardware-random generated seed with dice rolls. It combines them like so: `NEW_SEED = sha256(CURRENT_SEED || x1 || x2 || ...)` where xN is '1' through '6'. Given what we know about sha256, is it possible that enough rolls with *loaded* dice could actually *degrade* the entropy of the seed? I suppose for the sake of argument, we could say the dice only produces '1'...
23:18 -!- solocshaw [~Thunderbi@gateway/vpn/pia/solocshaw] has quit [Ping timeout: 264 seconds]
23:32 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has joined #bitcoin-wizards
23:47 -!- karonto [~karonto@dynamic-002-211-085-157.2.211.pool.telefonica.de] has quit [Quit: This computer has gone to sleep]
--- Log closed Sun Nov 14 00:00:32 2021