public inbox for bitcoindev@googlegroups.com
* [bitcoin-dev] Card Shuffle To Bitcoin Seed
@ 2019-02-02 19:51 rhavar
  2019-02-04  6:49 ` Adam Ficsor
  2019-02-04 21:05 ` James MacWhyte
  0 siblings, 2 replies; 7+ messages in thread
From: rhavar @ 2019-02-02 19:51 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion


More of a shower-thought than a BIP, but it's something I've long wished (hardware) wallets supported:

---

Abstract: Bitcoin wallets generally ask us to trust that their seed generation is both correct and honest. Especially for hardware and air-gapped wallets, this is both a big ask and more or less impossible to practically verify. So we propose a bring-your-own-entropy approach in which the wallet can function completely deterministically. Our method is based on shuffling a physical deck of cards. There are 52! (2^219.88) different shuffle orders, which is a big enough space to be secure against collision and brute force attacks. Conveniently, a shuffled deck of cards can also serve as a physical backup which is easy to hide in plain sight with great plausible deniability.

Representation:

Each card has a suit, which can be represented by one of SCHD (spades, clubs, hearts, diamonds), and a value, which is one of 23456789TJQKA, where the numbers are obvious and T=ten, J=jack, Q=queen, K=king, A=ace. So "7 of clubs" would be represented by "7C" and "Ten of Hearts" would be represented by "TH".

A deck of cards looks like:

2S,3S,4S,5S,6S,7S,8S,9S,TS,JS,QS,KS,AS,2C,3C,4C,5C,6C,7C,8C,9C,TC,JC,QC,KC,AC,2H,3H,4H,5H,6H,7H,8H,9H,TH,JH,QH,KH,AH,2D,3D,4D,5D,6D,7D,8D,9D,TD,JD,QD,KD,AD

It can be verified by making sure that every one of the 52 cards appears exactly once.

Step 1.  Shuffle your deck of cards

This is a lot harder than you'd imagine, so do it quite a few times, with quite a few different techniques. It is advised to do at *least* 7 good quality shuffles to achieve a true cryptographically secure shuffle. Do not look at the cards while shuffling (to avoid biasing) and don't be afraid to also shuffle them face down on the table. Err on the side of over-shuffling.
See also: https://en.wikipedia.org/wiki/Shuffling#Sufficient_number_of_shuffles

Step 2. Write out the order (comma separated)

An example shuffle is:

5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S

Step 3.  Sha512 it to create a seed

In the example above you should get:
dc04e4c331b1bd347581d4361841335fe0b090d39dfe5e1c258c547255cd5cf1545e2387d8a7c4dc53e03cacca049a414a9269a2ac6954429955476c56038498

Step 4. Interpret it

e.g. For BIP32 you would treat the first 32 bytes as the private key, and the second 32 bytes as the extension code.

-Ryan
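The four steps above, as an added worked example (my code, written for this thread; it is not Ryan's and not any wallet's implementation): it parses the comma-separated deck, verifies every one of the 52 cards appears exactly once, SHA-512s the string exactly as written (no trailing newline), and splits the digest into the two 32-byte halves the post calls private key and extension code (BIP32's term is chain code). It also applies the validity rule BIP32 imposes on a master key, which the post does not mention: the left half read as a big-endian integer must be non-zero and below the secp256k1 group order n. For contrast, `bip32_master_from_seed` shows what a wallet that accepts a raw seed actually does with it (HMAC-SHA512 keyed with "Bitcoin seed"), which yields a different master key than the plain split. The constants and function names are mine; the example shuffle is the post's.

```python
import hashlib
import hmac

SUITS = "SCHD"           # spades, clubs, hearts, diamonds
RANKS = "23456789TJQKA"  # T=ten, J=jack, Q=queen, K=king, A=ace
# Reference deck in the post's order: all spades 2..A, then clubs, hearts, diamonds
FULL_DECK = [rank + suit for suit in SUITS for rank in RANKS]

# secp256k1 group order; BIP32 rejects a master key whose left half is 0 or >= n
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# The example shuffle from the post, copied verbatim
EXAMPLE_SHUFFLE = (
    "5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,"
    "KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S"
)


def parse_deck(text):
    """Split 'XY,XY,...' into card codes and verify it is exactly one full deck.

    Rejects wrong length, unknown codes, duplicates and omissions: any of those
    means the written-down order cannot be trusted as a seed or as a backup.
    """
    cards = [c.strip().upper() for c in text.split(",")]
    if len(cards) != len(FULL_DECK):
        raise ValueError(f"expected {len(FULL_DECK)} cards, got {len(cards)}")
    unknown = [c for c in cards if c not in FULL_DECK]
    if unknown:
        raise ValueError(f"unknown card codes: {unknown}")
    if sorted(cards) != sorted(FULL_DECK):
        missing = sorted(set(FULL_DECK) - set(cards))
        dupes = sorted({c for c in cards if cards.count(c) > 1})
        raise ValueError(f"not a full deck: missing {missing}, duplicated {dupes}")
    return cards


def seed_from_deck(cards):
    """Step 3: SHA-512 of the comma-separated order, with no trailing newline."""
    return hashlib.sha512(",".join(cards).encode("ascii")).digest()


def split_post_style(seed):
    """Step 4 as the post describes it: first 32 bytes = private key, last 32 = chain code."""
    il, ir = seed[:32], seed[32:]
    k = int.from_bytes(il, "big")
    if k == 0 or k >= SECP256K1_N:
        # BIP32's validity rule; roughly a 2**-128 chance per seed, but it must be checked
        raise ValueError("invalid master key: IL is 0 or >= n, reshuffle and try again")
    return il, ir


def bip32_master_from_seed(seed):
    """Standard BIP32 master key derivation from a seed: HMAC-SHA512 keyed with b'Bitcoin seed'.

    A wallet that imports the 64-byte digest as a raw seed does this, not the plain
    split above, so the two paths produce different master keys from the same deck.
    """
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return split_post_style(i)  # same IL/IR split and the same validity check


if __name__ == "__main__":
    cards = parse_deck(EXAMPLE_SHUFFLE)
    seed = seed_from_deck(cards)
    print("sha512:", seed.hex())  # compare with the digest given in the post
    il, ir = split_post_style(seed)
    print("post-style private key:", il.hex())
    print("post-style chain code: ", ir.hex())
```

Running the script prints the SHA-512 of the post's example shuffle so it can be compared with the digest quoted above; the check that matters in practice is the `parse_deck` failure on a transcription error, since a miscopied card silently produces a different seed.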


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-02 19:51 [bitcoin-dev] Card Shuffle To Bitcoin Seed rhavar
@ 2019-02-04  6:49 ` Adam Ficsor
  2019-02-04 21:05 ` James MacWhyte
  1 sibling, 0 replies; 7+ messages in thread
From: Adam Ficsor @ 2019-02-04  6:49 UTC (permalink / raw)
  To: rhavar, Bitcoin Protocol Discussion


Unlike mouse movement, it works in CLI software, which is great. However,
isn't there something else you can use instead of cards? Something with
invariant culture and maybe more common.

On Sun, Feb 3, 2019 at 7:27 PM Ryan Havar via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> More of a shower-thought than a BIP, but it's something I've long wished
> (hardware) wallets supported:
>
> ---
>
> Abstract: Bitcoin Wallets generally ask us to trust their seed generation
> is both correct and honest. Especially for hardware and air gapped wallets,
> this is both a big ask and more or less impossible to practically verify.
> So we propose a bring-your-own-entropy approach in which the wallet can
> function completely deterministically. Our method is based on shuffling a
> physical deck of cards. There are 52! (2^219.88) different shuffle orders,
> which is a big enough space to be secure against collision and brute force
> attacks. Conveniently a shuffled deck of cards also can serve as a physical
> backup which is easy to hide in plain sight with great plausible
> deniability.
>
>
> Representation:
>
> Each card has a suit which can be represented by one of SCHD (spades,
> clubs, hearts, diamonds) and a value of one of 23456789TJQKA where the
> numbers are obvious and (T=ten, J=jack, Q=queen, K=king, A=ace) so "7 of
> clubs" would be represented by "7C" and a "Ten of Hearts" would be
> represented with "TH".
>
> A deck of cards looks like:
>
>
> 2S,3S,4S,5S,6S,7S,8S,9S,TS,JS,QS,KS,AS,2C,3C,4C,5C,6C,7C,8C,9C,TC,JC,QC,KC,AC,2H,3H,4H,5H,6H,7H,8H,9H,TH,JH,QH,KH,AH,2D,3D,4D,5D,6D,7D,8D,9D,TD,JD,QD,KD,AD
>
> And can be verified by making sure that every one of the 52 cards appears
> exactly once.
>
>
> Step 1.  Shuffle your deck of cards
>
> This is a lot harder than you'd imagine, so do it quite a few times, with
> quite a few different techniques. It is advised to do at *least* 7 good
> quality shuffles to achieve a true cryptographically secure shuffle. Do not
> look at the cards while shuffling (to avoid biasing) and don't be afraid to
> also shuffle them face down on the table. Err on the side of
> over-shuffling.
> See also:
> https://en.wikipedia.org/wiki/Shuffling#Sufficient_number_of_shuffles
>
> Step 2. Write out the order (comma separated)
>
> An example shuffle is:
>
>
> 5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S
>
> Step 3.  Sha512 it to create a seed
>
> In the example above you should get:
>
> dc04e4c331b1bd347581d4361841335fe0b090d39dfe5e1c258c547255cd5cf1545e2387d8a7c4dc53e03cacca049a414a9269a2ac6954429955476c56038498
>
> Step 4. Interpret it
>
> e.g. For bip32 you would treat the first 32 bytes as the private key, and
> the second 32 bytes as the extension code.
>
>
>
>
> -Ryan
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


-- 
Best,
Ádám


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-02 19:51 [bitcoin-dev] Card Shuffle To Bitcoin Seed rhavar
  2019-02-04  6:49 ` Adam Ficsor
@ 2019-02-04 21:05 ` James MacWhyte
  2019-02-05  1:37   ` Devrandom
  1 sibling, 1 reply; 7+ messages in thread
From: James MacWhyte @ 2019-02-04 21:05 UTC (permalink / raw)
  To: rhavar, Bitcoin Protocol Discussion


James


On Sun, Feb 3, 2019 at 10:27 AM Ryan Havar via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Conveniently a shuffled deck of cards also can serve as a physical backup
> which is easy to hide in plain sight with great plausible deniability.
>

To make sure someone doesn't play with your cards and mix up the order, use
a permanent marker to draw a diagonal line on the side of the deck from
corner to corner. If the cards ever get mixed up, you can put them back in
order by making sure the diagonal line matches up.


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-04 21:05 ` James MacWhyte
@ 2019-02-05  1:37   ` Devrandom
  2019-02-06 13:48     ` Alan Evans
  0 siblings, 1 reply; 7+ messages in thread
From: Devrandom @ 2019-02-05  1:37 UTC (permalink / raw)
  To: James MacWhyte, Bitcoin Protocol Discussion


I would suggest 50+ 6-sided dice rolls, giving about 128 bits of entropy.
Compared to a shuffle, it's easier to be sure that you got the right amount
of entropy, even if the dice are somewhat biased.


On Mon, Feb 4, 2019 at 2:33 PM James MacWhyte via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

>
> James
>
>
> On Sun, Feb 3, 2019 at 10:27 AM Ryan Havar via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> Conveniently a shuffled deck of cards also can serve as a physical backup
>> which is easy to hide in plain sight with great plausible deniability.
>>
>
> To make sure someone doesn't play with your cards and mix up the order,
> use a permanent marker to draw a diagonal line on the side of the deck from
> corner to corner. If the cards ever get mixed up, you can put them back in
> order by making sure the diagonal line matches up.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-05  1:37   ` Devrandom
@ 2019-02-06 13:48     ` Alan Evans
  2019-02-06 13:51       ` Alan Evans
  0 siblings, 1 reply; 7+ messages in thread
From: Alan Evans @ 2019-02-06 13:48 UTC (permalink / raw)
  To: Devrandom, Bitcoin Protocol Discussion


It's not quite enough to just do SHA512; you missed out this condition
(incredibly rare as it is):

> In case IL is 0 or ≥n, the master key is invalid.

Also I can't see how I would use this to seed a hardware wallet that
requires a BIP39 seed as mentioned in your abstract.

For both of those reasons, you may want to just invent/formalize a scheme
that takes Cards -> Entropy.
From that Entropy one can generate BIP39, and non-BIP39 fans can just
continue, generate and store their root xprv.

Prior art: Note that Ian Coleman's BIP39 site already supports Cards (and
Dice), see the logic here:
https://github.com/iancoleman/bip39/blob/master/src/js/entropy.js

[image: image.png]

Note it detected "full deck". It also calculates the Total Bits of Entropy
and can handle card replacement and multiple decks.

PS, you're a bit out on your entropy calculation, log2(52!) ~= 225.58 bits,
not 219.


On Tue, 5 Feb 2019 at 02:08, Devrandom via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> I would suggest 50+ 6-sided dice rolls, giving about 128 bits of entropy.
> Compared to a shuffle, it's easier to be sure that you got the right amount
> of entropy, even if the dice are somewhat biased.
>
>
> On Mon, Feb 4, 2019 at 2:33 PM James MacWhyte via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>>
>> James
>>
>>
>> On Sun, Feb 3, 2019 at 10:27 AM Ryan Havar via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Conveniently a shuffled deck of cards also can serve as a physical
>>> backup which is easy to hide in plain sight with great plausible
>>> deniability.
>>>
>>
>> To make sure someone doesn't play with your cards and mix up the order,
>> use a permanent marker to draw a diagonal line on the side of the deck from
>> corner to corner. If the cards ever get mixed up, you can put them back in
>> order by making sure the diagonal line matches up.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
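Alan's two points above, the exact size of the shuffle space and a scheme that takes Cards -> Entropy, as an added example (my code, written for this thread; it is not Ian Coleman's entropy.js and not a scheme anyone in the thread proposed). It ranks the shuffle as a permutation relative to the reference deck order (a Lehmer-code, mixed-radix index), so every distinct deck order maps to a distinct integer in [0, 52!), which is the full log2(52!) bits with no hashing step, and unranks it again to show the mapping is lossless. The same bit-counting function reproduces Devrandom's figure for dice rolls. The rank-as-entropy mapping is my illustration of what such a scheme could look like, not an established standard; the function names are mine and the example shuffle is the original post's.

```python
import math

SUITS = "SCHD"
RANKS = "23456789TJQKA"
# Reference order from the original post; ranks are measured against it
FULL_DECK = [rank + suit for suit in SUITS for rank in RANKS]

# The example shuffle from the original post, copied verbatim
EXAMPLE_SHUFFLE = (
    "5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,"
    "KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S"
)


def permutation_count(n):
    """Number of distinct orders of n distinct items: n!."""
    return math.factorial(n)


def permutation_bits(n):
    """Entropy of a uniformly random order of n distinct cards: log2(n!)."""
    return math.log2(math.factorial(n))


def dice_bits(rolls, sides=6):
    """Entropy of `rolls` independent fair rolls of a `sides`-sided die."""
    return rolls * math.log2(sides)


def permutation_rank(cards, reference=FULL_DECK):
    """Cards -> Entropy: lexicographic rank of `cards` among all orders of `reference`.

    Mixed-radix (Lehmer) encoding: the first card contributes its index among the
    52 remaining cards, the second its index among 51, and so on. The result lies
    in [0, n!) and distinct orders never collide. Raises ValueError for a card that
    is unknown or already used, so a miswritten deck is caught here.
    """
    remaining = list(reference)
    if len(cards) != len(remaining):
        raise ValueError(f"expected {len(remaining)} cards, got {len(cards)}")
    rank = 0
    for card in cards:
        idx = remaining.index(card)  # ValueError if unknown or duplicated
        rank = rank * len(remaining) + idx
        remaining.pop(idx)
    return rank


def permutation_unrank(rank, reference=FULL_DECK):
    """Entropy -> Cards: inverse of permutation_rank, recovers the deck order."""
    n = len(reference)
    if not 0 <= rank < math.factorial(n):
        raise ValueError("rank out of range")
    digits = []
    for radix in range(1, n + 1):  # peel off the mixed-radix digits, last card first
        rank, d = divmod(rank, radix)
        digits.append(d)
    remaining = list(reference)
    return [remaining.pop(d) for d in reversed(digits)]


def entropy_bytes(rank, n=52):
    """Big-endian bytes of the rank, sized to hold any value below n! (29 bytes for 52)."""
    nbytes = (permutation_count(n).bit_length() + 7) // 8
    return rank.to_bytes(nbytes, "big")


if __name__ == "__main__":
    cards = EXAMPLE_SHUFFLE.split(",")
    r = permutation_rank(cards)
    print(f"log2(52!) = {permutation_bits(52):.2f} bits")
    print(f"50 d6 rolls = {dice_bits(50):.2f} bits")
    print("rank:", r)
    print("entropy:", entropy_bytes(r).hex())
    assert permutation_unrank(r) == cards
```

Because the rank is a bijection, it carries exactly the entropy of the shuffle and nothing else; how that integer is then reduced to a BIP39-sized entropy block (128 to 256 bits) is a separate design decision the thread leaves open, and the shuffle quality caveats from step 1 apply unchanged, since a poorly mixed deck yields a rank that is far from uniform.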


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-06 13:48     ` Alan Evans
@ 2019-02-06 13:51       ` Alan Evans
  2019-02-07  2:42         ` James MacWhyte
  0 siblings, 1 reply; 7+ messages in thread
From: Alan Evans @ 2019-02-06 13:51 UTC (permalink / raw)
  To: Devrandom, Bitcoin Protocol Discussion



Image didn't seem to attach:
[image: image.png]

On Wed, 6 Feb 2019 at 09:48, Alan Evans <thealanevans@gmail•com> wrote:

> It's not quite enough to just do SHA512; you missed out this condition
> (incredibly rare as it is):
>
> > In case IL is 0 or ≥n, the master key is invalid.
>
> Also I can't see how I would use this to seed a hardware wallet that
> requires a BIP39 seed as mentioned in your abstract.
>
> For both of those reasons, you may want to just invent/formalize a scheme
> that takes Cards -> Entropy.
> From that Entropy one can generate BIP39, and non-BIP39 fans can just
> continue, generate and store their root xprv.
>
> Prior art: Note that Ian Coleman's BIP39 site already supports Cards (and
> Dice), see the logic here:
> https://github.com/iancoleman/bip39/blob/master/src/js/entropy.js
>
> [image: image.png]
>
> Note it detected "full deck". It also calculates the Total Bits of Entropy
> and can handle card replacement and multiple decks.
>
> PS, you're a bit out on your entropy calculation, log2(52!) ~= 225.58
> bits, not 219.
>
>
> On Tue, 5 Feb 2019 at 02:08, Devrandom via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> I would suggest 50+ 6-sided dice rolls, giving about 128 bits of
>> entropy.  Compared to a shuffle, it's easier to be sure that you got the
>> right amount of entropy, even if the dice are somewhat biased.
>>
>>
>> On Mon, Feb 4, 2019 at 2:33 PM James MacWhyte via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>>
>>> James
>>>
>>>
>>> On Sun, Feb 3, 2019 at 10:27 AM Ryan Havar via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> Conveniently a shuffled deck of cards also can serve as a physical
>>>> backup which is easy to hide in plain sight with great plausible
>>>> deniability.
>>>>
>>>
>>> To make sure someone doesn't play with your cards and mix up the order,
>>> use a permanent marker to draw a diagonal line on the side of the deck from
>>> corner to corner. If the cards ever get mixed up, you can put them back in
>>> order by making sure the diagonal line matches up.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>


* Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed
  2019-02-06 13:51       ` Alan Evans
@ 2019-02-07  2:42         ` James MacWhyte
  0 siblings, 0 replies; 7+ messages in thread
From: James MacWhyte @ 2019-02-07  2:42 UTC (permalink / raw)
  To: Alan Evans, Bitcoin Protocol Discussion



Oooh, that's cool. I didn't realize Ian's support for cards looks so slick
now!

Thanks for the image.

James


On Wed, Feb 6, 2019 at 7:55 AM Alan Evans via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Image didn't seem to attach:
> [image: image.png]
>
> On Wed, 6 Feb 2019 at 09:48, Alan Evans <thealanevans@gmail•com> wrote:
>
>> It's not quite enough to just do SHA512; you missed out this condition
>> (incredibly rare as it is):
>>
>> > In case IL is 0 or ≥n, the master key is invalid.
>>
>> Also I can't see how I would use this to seed a hardware wallet that
>> requires a BIP39 seed as mentioned in your abstract.
>>
>> For both of those reasons, you may want to just invent/formalize a scheme
>> that takes Cards -> Entropy.
>> From that Entropy one can generate BIP39, and non-BIP39 fans can just
>> continue, generate and store their root xprv.
>>
>> Prior art: Note that Ian Coleman's BIP39 site already supports Cards (and
>> Dice), see the logic here:
>> https://github.com/iancoleman/bip39/blob/master/src/js/entropy.js
>>
>> [image: image.png]
>>
>> Note it detected "full deck". It also calculates the Total Bits of
>> Entropy and can handle card replacement and multiple decks.
>>
>> PS, you're a bit out on your entropy calculation, log2(52!) ~= 225.58
>> bits, not 219.
>>
>>
>> On Tue, 5 Feb 2019 at 02:08, Devrandom via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> I would suggest 50+ 6-sided dice rolls, giving about 128 bits of
>>> entropy.  Compared to a shuffle, it's easier to be sure that you got the
>>> right amount of entropy, even if the dice are somewhat biased.
>>>
>>>
>>> On Mon, Feb 4, 2019 at 2:33 PM James MacWhyte via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>>
>>>> James
>>>>
>>>>
>>>> On Sun, Feb 3, 2019 at 10:27 AM Ryan Havar via bitcoin-dev <
>>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>
>>>>> Conveniently a shuffled deck of cards also can serve as a physical
>>>>> backup which is easy to hide in plain sight with great plausible
>>>>> deniability.
>>>>>
>>>>
>>>> To make sure someone doesn't play with your cards and mix up the order,
>>>> use a permanent marker to draw a diagonal line on the side of the deck from
>>>> corner to corner. If the cards ever get mixed up, you can put them back in
>>>> order by making sure the diagonal line matches up.
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

