17 November 2021
CD44: using secure random number generators to generate bitcoin keys with waxwing and @raw_avocado
EPISODE: 44
BLOCK: 710040
PRICE: 1647 sats per dollar
TOPICS: random number generators and why they are important when securing bitcoin, history of backdoors, compromises, and poor implementations, multisig tradeoffs, hardware wallet tradeoffs, mitigations to reduce your risk
@waxwing: https://x0f.org/@waxwing
@raw_avocado: https://twitter.com/raw_avocado
streamed live every Tuesday:
https://citadeldispatch.com
twitch: https://twitch.tv/citadeldispatch
bitcointv: https://bitcointv.com/video-channels/citadeldispatch/videos
podcast: https://anchor.fm/citadeldispatch
telegram: https://t.me/citadeldispatch
support the show: https://tippin.me/@odell
stream sats to the show: https://www.fountain.fm/
join the chat: http://citadel.chat/
Pass. I wasn't prepared to translate that as host doing that little t's. Oh, that's right. With the
[00:00:06] Unknown:
a and then the ring around it. At? See, that's what I said. Mhmm.
[00:00:11] Unknown:
Kaye said she thought it was about. Yeah. Oh. But I've never heard it Around. I've never heard it said. I've always seen the mark but never heard it said. And then it sounded stupid when I said it. Violence at NBC.
[00:00:22] Unknown:
I hate what happened to her about it in the lunchroom music. There it is. Violence at nbc.ge.com.
[00:00:28] Unknown:
I mean
[00:00:30] Unknown:
Well, Allison should know. What is Internet anyway? Internet is, that massive computer network. The one that's becoming really big now. What do you mean? That's big? Wait. How does one not what do you write to it like mail? No. A lot of people use it and communicate with I guess they can communicate with NBC writers and producers. Allison, can you explain what Internet is? No. She can't say anything in 10 seconds or less. Oh. Oh. Allison will be in the studio shortly. What is it? What does it mean? It's a giant computer network made up made up of, started with from Oh, I thought you were gonna tell us what this was. It's a computer billboard. It's it's not an it's it's it's a computer billboard, but it's not online. It's it's several, universities and everything all joined together. Right. And others can access it. Right. And it's getting bigger and bigger all. Just It came in really handy during the quake. A lot of people, that's how they were communicating out to tell family and loved ones they were okay because all the phone lines were down. I was telling Katie, you know, about don't need you don't need that you don't need a phone line to operate? No. No.
[00:02:01] Unknown:
Happy Bitcoin Tuesday, freaks. It's your boy, Matt Odell here for another Citadel Dispatch. That clip you just listened to was not a recent clip, if you couldn't tell. That was the Today Show in 1994. Katie Couric, Bryant Gumbel, and Elizabeth Vargas, the anchors of the Today Show, completely confused about what the Internet and email was. There seems to be a little bit of confusion, with the cringe level of the mainstream media clips I play at the beginning of every Citadel Dispatch. The intention is for them to be a bit cringey. I expect them all to age about the same way that, that Today Show clip has aged since 1994, so it should be a pretty fun thing to go back and look at.
Citadel Dispatch is the interactive live show about Bitcoin distributed systems privacy and open source software. Huge shout out to the ride or die freaks who continue to support the show and keep it ad free, sponsor free, and strictly focus on actionable Bitcoin discussion. The easiest way you can support the show is downloading a podcasting 2.0 app. My two favorites are Fountain Podcasts and Breez. You can just load it up with sats, search Citadel Dispatch, and then you can stream sats directly to my lightning node. You can also support the show at citadeldispatch.com, either through, Lightning on my Tippin account or through my PayNym, which is Odell. Very easy to remember.
Also, huge shout out to the ride or dies who consistently come in for our live chat, which you can access on Twitter, Twitch, or YouTube. You guys make this show truly special, and unique, and, I couldn't do it without you. So thank you, guys. With all that said, I'm excited to introduce our guest for today's episode. We have return guest, Waxwing, coming in from El Salvador. He's one of the lead maintainers of the JoinMarket project, and I'm very happy that he's joining us again. And we have, raw avocado here, Alex.
We will be discussing secure random number generators, why that is important when you're using Bitcoin and encryption, and what you can do to mitigate the risks associated with it. How's it going, guys?
[00:04:27] Unknown:
Good. Yo. What's happening, motherfuckers?
[00:04:32] Unknown:
That's what I meant. Yeah.
[00:04:35] Unknown:
I actually realized, I messed up the intro a tiny bit. For our freaks joining through our podcast streams, it's important for them to associate a voice to a name early on. So, Waxwing, why don't you say hi to everybody?
[00:04:53] Unknown:
Hi. This is Waxwing. I am in sunny El Salvador where there are 7 active volcanoes and military roaming the streets, and, Bitcoin is roaming the streets trying to pay for lightning. And it's all very surreal, and it's great. Are there really military on the streets? Well, I mean, if you if you walk around the city, you're gonna see men with very, very large guns. Quite a lot of them. Yeah. Wow. I guess they're taking it seriously. They don't want any Well, there was a bunch of murders a few days back, so you can't really
[00:05:24] Unknown:
Yeah. Well, stay safe out there. We don't want anything to happen to you. Alex, why don't you say hi to the freaks?
[00:05:30] Unknown:
Yo. Yo. What's happening, freaks? I mean, how can I beat that? What am I gotta say now? I mean, north I mean, north of UK. It's fucking foggy. Nothing is happening. A cow farted. That's the highlight of my day, you know. How can I beat what he's doing? Well, I think that's I don't even contribute to anything, by the way. I don't even contribute to anything. So
[00:05:48] Unknown:
You contribute to the the world's knowledge, Alex. You contribute greatly. Don't don't don't put yourself down.
[00:05:55] Unknown:
Well, I think I can speak for both me and Alex that we're very jealous, that waxwing is in El Salvador. I was sorry I couldn't make it work. So with all that said, I mean, I think a good spot for us to start here is, why is secure random generation important with respect to Bitcoin? Like, why should the freaks even care?
[00:06:16] Unknown:
I actually would go I would just start off, like, first of all, Bitcoin is a cryptocurrency. And in case you probably didn't know this, if you're spending a lot of time on Twitter, but crypto stands for cryptography. And cryptography, most of the, most of the time has to do with secrets and sometimes authentication and other things. And the way these secrets are maintained and preserved is through mathematics that can't get inverted most of the ways, and, random numbers. So anything that uses communication uses cryptography, so it needs these random numbers. Now for Bitcoin, even more so considering that cryptography is what runs on it, it needs it. And it needs it in multiple places. It needs this when you generate your private keys, and it also needs this when you sign transactions.
Because both of these operations, if if those random numbers aren't really random, an adversary could possibly guess your keys. That's how I would
[00:07:17] Unknown:
ask this. Can you hear me?
[00:07:19] Unknown:
Yes. We can.
[00:07:21] Unknown:
Okay. It's those it connection's not great, so I'll be coming in and out. But I'm here now. Did you did you hear Alex just now? I saw the I saw I heard the end of it. He's describing what you need random numbers for. So, I mean, basically,
[00:07:38] Unknown:
and correct me if I'm wrong, the process of generating private keys, whether that's for encryption or if that's for Bitcoin, involves a source of entropy to make them secure. And when we talk about entropy, we're talking about randomness, true randomness. Yeah. And if you don't have that true randomness, if your if your, entropy is compromised or poor, just not good randomness, that can be used against you to basically have someone else regenerate the same key as you and and compromise you. Right? Like, that's the the $1,000,000 question that almost every newcomer to Bitcoin asks is, you know, I just generated this Bitcoin key offline.
How do I know that someone else isn't going to, generate the same key as me? Right? That's like I remember early on when I first started with Bitcoin, that was, like, the number one question people were asking.
[00:08:42] Unknown:
Yeah. It's a it's a natural source of uncertainty because it strikes at the very heart of the security of what you're doing, doesn't it? Yeah. And, I I do wanna mention there's a nuance with because I think Alex was saying you need it for both the the key the private keys and and the signing. And the signing operation still needs what you might call cryptographic randomness, but, there's a nuance where you can kind of get cryptographic randomness sort of secondhand where you can kind of seed what's called a a pseudo random number generator, but a a a generator that will generate, like an endless stream of random data from a starting seed, according to some complicated out which we might get into later, but but I'm just trying to say that the process of getting, like, so to speak, raw randomness from the environment, from your operating system, from something like that, that's one thing. And then there's a lot of actual of the random strings that you're using in cryptographic protocols are actually not coming directly from that. Because it's kind of hard to source masses of randomness. Right? So you might just have
[00:09:55] Unknown:
We lost you at the very end right after my what what were you saying there? You might have
[00:10:02] Unknown:
you I I'm not sure. I'm sorry. That this did did you get the point about that that you might Yes. Seed a random number generator, and it might produce a long string of randomness out of that. Oh, okay. It's it doesn't matter. It's not important. Please go on. But, I mean but there there's a key element here. Right? Is is so when you're
[00:10:21] Unknown:
so if if you are, let's say you're using Bitcoin Core. Right? You're using Bitcoin Core on your computer, and you create a new wallet. Where does that entropy come from?
[00:10:38] Unknown:
Right. So, Alex, do you wanna take that?
[00:10:41] Unknown:
Yeah. I I even made a a Twitter thread about this actually, about how Bitcoin Core specifically does this. Long so the thing is, like, there are multiple sources of entropies you can have. Right? And usually the more the better. And good sources of entropy on your on your computer pretty much are things that are information that your computer does. For example, how does the disc move? Or, another thing would be, like, the timing interruptions between the disc or even the timing interruptions between your keyboard and your clicks. Right? Or how resources are used by your processor and your kernel and all this weird stuff. Right? Because these things, like, they they are still deterministic things, but it's very hard for someone to to measure them. So this would be, like, one type of of sources of entropy and you can call these, like, dynamic events. Another source of entropy could be your processor because all the modern processors that we have today, they have a built in, pseudo run they have a they have a thing built in that gives you random numbers. Right? And the way Bitcoin Core does it, it takes all it takes all the sources I've mentioned before. It takes also these things sort of process. It mixes them in a very interesting way.
Mostly, it has to be using the the binary operation XOR, and we can explain that what it is or whatever. But the the XOR thing has very a very interesting magic property that if you so let's say I I have two sources of entropy. Right? And one of them is compromised. Like, it's it you literally, you know exactly what it is. And one of them is real entropy. Right? It's good. If you XOR this thing together, this I'm just gonna end up with the the best entropy. So so sorry. What I'm trying to say is that this cannot bad entropy when you XOR it with good entropy doesn't it doesn't cancel it out. So Bitcoin Core uses multiple sources like this, and it's a bit more complicated, by the way. You can check the thread if you want. They even draw it out. And you you jumble these things a lot of times, and you hash them together, and you XOR them together, and that's how it gets. So that make sense. So to repeat, when whenever we say entropy in this in this conversation,
[00:12:49] Unknown:
you can the freaks can basically replace that with a source of randomness. The I I before we we're gonna dive very deep in this conversation. I wanna be very clear that you might get very scared or frightened from the conversation. You know, take a deep breath. Fortunately, we haven't had many compromises in this respect. We have had some, and we are gonna talk about that. But it's something that's very important in terms of actually using Bitcoin in a sovereign way and holding your own keys and making sure your keys are secure. So when we're talking about entropy, when we're talking about sources of entropy, the key is to have randomness that is distinct and unique, and can't be basically resimulated or recalculated on someone else's machine or device. Right?
[00:13:46] Unknown:
Yeah. Notice it's not just distinctness or uniqueness. Right? Because well, it's not just uniqueness. Because if I if I use the private key 154, that's that's unique. Nobody else has done that, but that's because nobody else is stupid enough to do that. Right? So the the the point there is I'm trying to make is that, the concept of entropy is think of it like disorder. Like, one one measure I I won't sort of get into the technical details, but one one way of measuring the randomness of some string of data, you know, bytes on your list of, characters or bytes is, can you compress it? Right? Because if if I just write the character a a a a a 50 times. It's a very long string, but it only was basic no entropy because I can take that whole string, and I can just express it as a times 50, which is a much, much shorter string algorithm that expresses that thing shorter than it originally was, then it didn't have perfect entropy or it didn't have entropy, if that makes any sense. So give it is it should be disorder. Oh, oops.
Can you I'm
[00:15:04] Unknown:
I've lost you. Yeah. Right. So caught in and out there, but I I it's actually kinda the parts that didn't necessarily, lost any information. Sorry, Matt. You were gonna say something? I was gonna add something to what you said.
[00:15:16] Unknown:
No. Add. Go ahead.
[00:15:18] Unknown:
So, actually, the thing is, like Hello? So you have this let's see. Yeah. We can hear you now.
[00:15:25] Unknown:
Oh, I could also hear myself, I think. No. Yeah. We hear we you cut out a little bit, but it seems like it just lagged, and then we heard we heard what you wanted to say. Cool. Oh, you okay. To to the freaks, Waxwing's joining us from El Salvador, and he's on hotel Wi Fi. So we're gonna make this work because it's an important conversation.
[00:15:44] Unknown:
Yeah. Did you did you get this Alex, go on. What I was
[00:15:48] Unknown:
I'm sorry.
[00:15:49] Unknown:
Go ahead. Go ahead, Alex.
[00:15:51] Unknown:
Yeah. So so what so to reiterate what you said in case, so you will know what we heard, Waxwing was saying if you have, the the string that has 50 a's, right, There's not that you can compress this a lot. There's not that much entropy. There is just a 50 times so you can write in a very short format. But, to to to bring a bit more home what he's trying to say. So let's say you have something. It's a program. It's a computer. Doesn't fucking matter what it is. It's something that whenever you press the button it just spits out a lot of numbers. Right? Gibberish. Right? So then what would be good entropy? What would classify as good entropy? Well, there's 3 main characteristics of this. First of all, it's unpredictability. Okay? Meaning that if I have, like, 2 of if I look at this, this thing, I can't predict what it's gonna do in the future Because I predict my private keys. I don't want Matt and and Waxwing and someone else to prove it my my private keys. So the first one is pre predictive unpredictability.
The second property is gonna be uniform distribution. What does this mean? Yeah. It means that if we would take like these numbers and we would chart them out, they would literally look like, you know, when you have the television and there's like perfect noise in their static, it will literally look something like that. Like the the there's no pattern. There's nothing you can say about this. It's that's why it's random. It's complete gibberish. So there's unpredictability and uniformity. And then there's lack of patterns in the sequence. You don't wanna have any any patterns here. Now worth, noting here that three implies both.
Right? Both 1 and 2. Because if you have lack of patterns, there's of course, there's gonna be uniform distribution is gonna be unpredictable. But one doesn't imply 2 because you can have something that's unpredictable, but it's not uniformly distributed. And 2 does not guarantee 1 because even if something is uniformly distributed, doesn't mean it's unpredictable. I know that it sounds a bit like concorded, but I think that would be the the simplest way I can compress, like, what would make good entropy.
[00:17:42] Unknown:
Mhmm. I hope that makes sense. It's Yeah. Yeah. There's there's also a thing about how you know, you said unpredictability. That's a very that's the difference between random numbers and cryptographically secure random numbers is, like, I could make a string of data that's completely random. Well, can you hear me? Yeah. Yeah. You're all good. Yeah. We hear you. We hear you. I I I can make a string of, I can make a stream of random numbers that that so the outside world looks totally random. But if somebody knows the algorithm that's used to generate the random numbers, then they might be able to predict the next sequence of numbers that comes after it. And it actually works backwards in time as well, which is kinda weird. What you should if you wanna make it cryptographically secure, it should also be a case that looking at the current stream of random numbers, I should not be able to go backwards in time and find out what was in the previous set of random numbers in this long stream. So that's that's that's, and I think that's part of what what Alex is saying. And that is his point about there not being a pattern is is probably the best overall, concept to remember. Yeah.
[00:18:41] Unknown:
Well, okay. Let's let's still mend this this point even more. So the thing is, like, when you hear the word entropy, this come like, the I I I like this how I think about it, by the way, so I don't feel like there's a rigorous But I think there's 3 types of entropy. First of all, there's the physical one, which that's where the word comes, and it expresses the second law of thermodynamics. And it has to do with molecular randomness. So you have a you have a so imagine you have a fart and the fart is comp composed of little tiny things. Right? And and those tiny things, like, go around it. There's a lot of, like, chaos. Right? You don't know what's happening there. Then there's the informational theoretical, context, which is what we described right now, which is something you can measure. And to measure this, Shannon invented this, unit to measure this because he was trying to measure information. So that's just what we described right now, which just says something theoretical about these things. But then there's the cryptographical context, which what is cryptography? Well, cryptography is just adversarial math, which means that we we we take what we just said, but we judge this from the perspective of how hard is for an adversary to to guess this. What do I mean? So all these things that I that we enumerated earlier, you can take the you know, pi.
Pi is this this number that goes on forever. Right? And it doesn't repeat itself. So so if you if I would take, like, I don't know, the, we have calculated something around 60,000,000,000,000 digits of pi. Something like that. I don't know. So if I would take like the 100th millions digits from now and I would give it to you guys, it would be like, oh, this looks random enough to me. Right? This is perfectly fine. You would they call these boxes. But it's not cryptographically secure because, well, it's the number pi. So what Waxwing was saying, like, hey. I could realize this is pi and now I could see what your what is gonna what the other ones are gonna be and so on. I hope that makes sense.
[00:20:21] Unknown:
Yes. Important distinction. It's subtle, but it's really important.
[00:20:25] Unknown:
Yeah. No. That makes sense. So, I mean, I think I I I think it would be so so every every Bitcoin wallet, whether it's a software wallet, whether that's a wallet on your computer, something like Bitcoin Core or Sparrow Wallet, or if it's a hardware wallet, something like Coldcard or SeedSigner. The the key is when they're generating your keys is is that they're trying to have the secure randomness, the secure entropy when they're generating the keys. It's it's it's the most important thing they do. And they will source that from multiple different ways if they're if if they're a well designed wallet. Right? Because if you have one issue Can I just interrupt on that point? Can I just interrupt on that point? Yes. Interrupt me whenever you want, Waxwing.
[00:21:16] Unknown:
Alex explained that very beautifully at the beginning about how it's like looking into the operating system. It's looking at different things like the hard disk, the the CPU, and so on. Is it using are you are you talking about what comes out of /dev/urandom? Am I right about that, Alex, on at least on Linux?
[00:21:35] Unknown:
Okay. You you know what? It would be really bigger if we'd have that picture. So the thing is, like, the so what is this random? The so when you have the Linux Linux, should should we go and explain this, or should I just answer the question? Or Explain. Go. Go for it. So so different so if you have a it's a in Linux, everything, is a file. And there's this the very special file which is you can access it as /dev/random. And, this file takes care of entropy. So, you know, the people who design Linux, they're like, hey. You know what, guys? We should, like, we should, like, create something in the kernel. And the kernel is, like, the the the the main thing there that that that generates random numbers because we need random numbers everywhere. Now the problem is that and this was invented in 1994, by the way. And the thing is, like, when they did computers were very different back then. And when they did this, they realized that and by the way, there weren't, like, random number generators on processors.
They were like, we need to we need to find some sources that that, are are very easy to to use and don't depend on special hardware or whatever. So that's how they designed this thing. And, and then, so so so they they had this model where they have there's multiple source to do this. Now Bitcoin Core, because it was designed pretty recently, it it does have multiple sources of entropy, but it's a bit more elegant in the way it mixes them up together. And I I hope I'm not saying something wrong, but, this would be called, this is like what, Fortuna would be this type of algorithms called. And this is like more modern ones, and it's also what BSD uses.
[00:23:15] Unknown:
Right. So it's okay. Go ahead. Yeah.
[00:23:18] Unknown:
Well, yeah, that that was it.
[00:23:23] Unknown:
Okay. So so you we we now we now have chips that are designed purposely to create, you know, they they they claim to create secure random numbers. Right? And a lot of some some software and some hardware will just rely purely on those. Perfect example is, I believe, Ledger. Right? If you use, like, a Ledger hardware wallet, they have a chip on there, and they're deriving the entropy from that chip that's purpose built to derive entropy. Some wallets will give you the option to add additional environmental entropy. Stuff like dice rolls, pictures.
You can either use that entropy specifically with Oh, Waxwing. He'll be back in a second. Or you can combine that with other entropy. Am I correct in that explanation?
[00:24:35] Unknown:
You are very correct. That's how things work. But, I would so so the thing is, like, your wallet, it's like your instrument that you used to interact with a Bitcoin network. So it has to do all these things, and we already established. That's why we've been talking for past a minute. This is an important operation, so it takes care of this. And so most of the wallets by default take care of this. And you're very right. Most of the the hardware wallets are are built on, like, microcontrollers which are just from very dumb computers. And these very dumb computers have indeed a chip that's supposed to take care of random number generation they want it.
Now the thing is that thing is that you have a problem of trust. And and in multiple ways. First of all, how do you know that these people are saying what they're doing? And how do you know that even if they're saying what they're doing when you get home, you actually got a device that's supposed to do this. So that's why some wallets, Coldcard Oh, sorry. Coldcard is a good example. They allow you to add your own entropy. And another good example, which is my new, favorite project, I'm I'm a very big fanboy, is the SeedSigner that allows you to, that that allows you to, to even take pictures. Right? So so so the reason you would have the this, like, your, these personal sources of entropy, if we can call them, is just because you you wanna eliminate the possibility of of trusting
[00:25:59] Unknown:
anything. You know? Right. When you use something like Ledger, you're purely trusting that chip to generate your entropy for you. If you add environmental entropy, if you use SeedSigner, and you take a picture of something that's not on the Internet, you take a picture of anything, it can take randomness from that picture, and you know, like, someone wasn't in, like, your bedroom closet taking a picture of, you know, your shoes or something. Right? Or you can use something like Coldcard where they allow you to add dice, or use strictly dice. So Coldcard has, like, 2 methods. You can either add dice, you can use their chip plus dice, or you can just use dice.
If you just use dice, I guess, there is a concern there when if you just use dice, there's a concern that maybe the dice aren't sufficiently random.
[00:27:02] Unknown:
That that's a myth. That that doesn't make that's just a stupid meme that people pass around. You can mathematically I believe, like, I'm proving in 5 minutes that that doesn't make any sense if you want about that not being random enough.
[00:27:19] Unknown:
Yo, Waxwing. Try and speak.
[00:27:22] Unknown:
Hello? Yeah. We can hear you. Oh, why is I must I selected interface thing. Right? No. I didn't actually wanna say anything. I was just it just had little buttons that I was muted.
[00:27:31] Unknown:
Yeah. Waxwing thought he was muted. I did mute you for a second. When you first joined, there was a little bit of an echo, and then I unmuted you. So it might have been my fault. So, I mean, I think what we use for here is let's go through, like, the history of backdoors, compromises, poor implementations of of entropy sources, randomness. And then after that, we can jump into, like, actionable, mitigations in ways that freaks can, you know, make sure that their keys are secure.
[00:28:04] Unknown:
Sure. Let's do that. But but someone asked here, like because so all so all this thing when people say that because you know that you need because you know dice for better security of your Bitcoin private keys, that's that that's just that's not true. That's just a stupid meme. It's FUD. You don't need that. Even if and and I'll just call it casino dice? No. That's that's just dumb. That's people are But they're pretty awesome. I mean, sure. But I'll tell you why they don't. The thing is, like, imagine you have so a Bitcoin private key usually it's 256 bits.
[00:28:35] Unknown:
But Have you bought casino dice? I've tested casino dice. They're pretty they're like they feel really nice in the hand. They chip very easily. You have to be careful not to roll them on hard surfaces.
[00:28:47] Unknown:
Why don't we make tungsten dice? That'd be cool, wouldn't it? That's that'd be
[00:28:51] Unknown:
Alex, have you tested tungsten dice?
[00:28:53] Unknown:
I have not tested. Fair enough. I was just trying to say that that the thing is that, from a from a you can definitely measure sorry. I'm trying to say, like, for Bitcoin private keys, if you have crooked dice, you still end up with a secure key. So you don't need
[00:29:08] Unknown:
physical dice. What if you, like, roll them enough times?
[00:29:12] Unknown:
Not even enough times. You do so the thing is, like so let's think about it. Let's say you have you say you use a 12 bit word, a 12 bit seed. Right? Which is a 128 bits. Right? Okay. 12 words seed. It's a 128 bits is what you meant to say. Yeah. Sorry. What what I said? 12 bits. You said 12 bits. You said 12 bit seed, which is Yeah. That's That's hardly insecure. It's pretty bad. Okay. So let's say you have that. Right? And let's say you have a a dice. Let's say you have a coin or a dice or it doesn't matter. Right? It really doesn't matter. That, like, 30% of the time, it gives you bad bits. It it gives you the it gives you ones. Literally, it gives you ones all the time. Right? Yeah. So then so if you would have that, like, let's so 30% is like very like crazy. 30, 30 divided by a 100 times a 128, what is that?
That's gonna be 34. So a 128 minus 34 it's not 34.
[00:30:10] Unknown:
I'm not good at math on air, so I'm not gonna attempt to help here.
[00:30:13] Unknown:
The the point is that through. 30 is about 8. So well, whatever. It's about 38, let's say. The the point is that even if you have a a a dice or whatever you want, that's 30% biased, which is a crazy bias to have, by the way, you would still end up with 94 bits of entropy. Yes. Exactly. Which is impossible for anyone to ever crack more than safe and whatever. So At some point that's meant to meet. But couldn't you have explain why this is not actually this argument is completely crap when it comes nonsense, but this argument is good when it comes to private keys. Yeah.
[00:30:43] Unknown:
But but couldn't you like, couldn't someone on Amazon sell you, like, dice that just, like, roll the same thing over and over again? Or, like, roll is that is that even a thing? Or is that just bullshit?
[00:30:56] Unknown:
Literally. What does this dice look like? Yeah. Fixed every single time that you roll it.
[00:31:04] Unknown:
Okay. Fair enough. Fair enough. Okay. Okay. You open the subject. Okay. So if you if you still wanna be paranoid, I mean, I have a fucking tinfoil hat on. And if you wanna test your dice, you should use some salt water. Again, just if you want that's how the the a lot of, like, dice people. Or you can even buy a special machine. But easier, just get some salt water, and you put it there. And then you just, like, give it a so so the dice is gonna float. Right? Especially if it's because you know dice. And then you just, like, pop it just the tiniest bit. And it has to, like you're gonna see if it's, like, weighted in if it's, like, crooked, you can see it's gonna land on one face more than others. So that's how you can do that if you really want it. But it's you don't have to. Like it's useless. Like it practically it does it's just if you wanna be autistic. But if you roll the dice more times,
[00:31:52] Unknown:
that's better. Yeah. Right? The more you roll, the better.
[00:31:57] Unknown:
But, well, I don't know what that means because, what is our algorithm for using the dice? Right? Right. So let's say the easiest algorithm is: when you have an odd number, you put a 1. And when you have an even number, you put a 0. Right? Right. And you just roll it 257 times. So it doesn't matter how much you... One roll gives you one bit. Right?
[00:32:17] Unknown:
Right. How does that make sense? That's obviously not the most efficient way to use the rolls, but whatever. I mean, yeah. Anyway, what's the more efficient way to use the rolls? Oh, because you're not capturing all of the entropy of the object itself. Right? The object has six possibilities. So it has, what's that? Like, 2 and a half bits of entropy. So if you only take it as odd or even, you're only taking one bit of the available entropy. Right? So that's why you'd need to roll it 256 or 7 or whatever times. Whereas if you... Right. You're using it as a coin flip instead of a dice roll. Exactly. So you might as well just use a coin. Exactly. And then you'd be taking your coin into the salt water, and then it would sink, and you wonder what to do.
[00:32:54] Unknown:
But coins can be compromised. Right? Like, you could have a coin that only flips heads or
[00:32:59] Unknown:
but that would be obvious, I guess. Well, I even have a solution for that if you can do it. I literally have a hack for that. Here is... I will generate, and we can even... I'll generate a private key with a coin. You can make it as bad as you want, and I'll put a $1,000 there, and I bet no one can take it. I'm willing to do that.
[00:33:17] Unknown:
Okay. Well, we should do that after the show. But, anyway, we kinda skipped ahead. I think we should talk about the history of compromises, basically.
[00:33:29] Unknown:
Yeah. It gives context, doesn't it? Because it's easy to talk about theory, but if we see practical reality, then we might actually have a clue what to do. Yeah.
[00:33:41] Unknown:
Well, I don't know. Oh, sorry. You were gonna say?
[00:33:46] Unknown:
I mean, BTC pins has a question about pulling words out of a hat. My original impulse was to wait until we got to mitigations, but we can talk about that right now because he mentioned it. So you take all the BIP 39 words. How many words are in that word list, Alex? I think 2,000... 2048, something like that. Okay. So you spend all day cutting out all of those words into individual pieces of paper. You put them in a hat. You shake them up. You pull them out of the hat. What's wrong with doing that?
[00:34:21] Unknown:
Well, so here's the thing right now. So the question becomes, first of all, is there a mathematical way in which we can measure this? Right? Has anyone ever measured how good this is as a mixing method? And there's this guy called Persi Diaconis. He actually wrote papers on how you can measure the efficiency of shuffling... not shuffling, but mixing dice and mixing all those things. And he said that the best method... so if you have a deck of cards and you ask what is the mathematically best method to mix it up, you have to do what I do in the casino. You put them face down on a table or something, and then you do this thing where, like, that's not stroke, but, you know, you move your hands around them. So you should do that. If you put them in a hat, I don't know what the shape of those things is and whatever. I don't know how that would work. So yeah. But this would be the best way if you're asking. But
[00:35:17] Unknown:
come on, guys. I mean, nobody's gonna do that. I don't think... you kind of implied it with the way you questioned it, man. And nobody's gonna cut out 2,000 different pieces of paper. Nobody's just trying to make an ass. See, but I think it's a trivial point, but there's also a deeper point, isn't there, which is the practical inconvenience of a method is a huge factor, and it could lead to all kinds... it could lead to you not doing it right, being sloppy, something could go wrong. Just, like, simpler is always
[00:35:43] Unknown:
Well, I mean, 100%. So, I mean, I think this is a good bridging point to go into the history of compromises, because one of the main compromises I remember as a young Bitcoiner is from before we had BIP 39. So BIP 39 was the Bitcoin improvement proposal that implemented this standard that we all know as seed words. So if you're a new Bitcoiner, you just entered Bitcoin and there existed these seed words for backing up your wallet. These 12 backup words or 24 backup words that you keep safe, you don't let anyone see, and they restore your entire wallet for you. Those didn't always exist in Bitcoin. They were added after the fact as a standard.
Now before they existed, we had something called brain wallets. And the idea of brain wallets was you would put in a word phrase that you decided on, and they would generate private keys for you based on that word phrase. And people, all the time, thought that they were being so clever... Yep. ...with what they were putting in there, but there are people out there that were running GPUs, they were running computers, and they were just constantly trying all these different combinations. And a perfect example was poems or quotes. People were using poems and quotes, and people were able to generate the private keys from those poems and quotes, and they were just basically brute forcing it. They were just trying over and over different combinations of popular words and phrases and seeing if they could drain a wallet, if it generated a real wallet that already existed.
[00:37:27] Unknown:
As far as I remember, everyone was just, for some stupid reason, using the same algorithm where they would take the text and hash it with, you know, SHA-256. And so, as you say, I mean, it was quite remarkable even though we all understood that this was not very... or some of us understood this was not secure. It was remarkable. They literally took, like, the whole of Wikipedia apparently. They were able to hash every possible combination of, you know, phrases and words, and I mean, basically, obviously, not literally everything. Entire dictionaries and, like, they cleaned it out, didn't they? Basically, everyone who used any recognizable phrase got taken like that.
[00:38:05] Unknown:
Yeah. That was pretty bad. And then also another thing is unlearn to learn, great name, by the way, is posting in the live chat via YouTube, and he makes an important point to mention, which is that when your wallet is generating your 24 word phrase, your seed phrase, or 12 words, it's really the first 11 or the first 23 that it's generating. The last word is actually a checksum to make sure that all the other words are valid, I guess, or, like, the order is valid.
[00:38:47] Unknown:
Yeah. But the thing is, like, most of the wallets have a convention, and the first lexicographically valid one, if that's what he's talking about, is gonna be suggested.
[00:38:55] Unknown:
So But the last word's a checksum. Right?
[00:38:58] Unknown:
Yeah. Yeah. That's correct.
[00:39:00] Unknown:
So if you're making them yourself, and we still need to get into the history of backdoors, compromises, and poor implementations, but if you're making one yourself, you basically have to, if you want to comply with the standard and use it in all the mainstream wallets, you need to then use a separate tool to derive the checksum. Right?
[00:39:25] Unknown:
Oh, this was in the context of the... yeah. If you do it yourself, yeah, you have to know. That's a good point then. Yeah. So, Alex, have you done that? Like, how do you derive the checksum? I've done it in a lot of ways. I personally just like,
[00:39:42] Unknown:
you know, I like to have an offline computer and do it, pretty much. Yeah. So but what do you... is there a tool that you use to generate the checksum? I don't... the only time I myself. The only time I've
[00:40:02] Unknown:
So that's how I did it. But I think there's even... doesn't Coldcard have a Python script that you can use for that already or something like that? Or someone? Or even SeedSigner, I think, may have in the menu an option to do that. You just put in all the words and they just spit it out for you.
[00:40:17] Unknown:
They give you the the last word for the checksum.
[00:40:19] Unknown:
I'm not a 100% sure,
[00:40:21] Unknown:
but some of the wallets do that. Okay. Well, I'm not positive either. Waxwing, you have any idea?
[00:40:28] Unknown:
I would say that the reason this caught me a little unaware is just because it would never have occurred to me, because I always thought the algorithm... and by the way, we talk about history. We should mention that it was actually the Electrum guys, Thomas Voegtlin, who first came up with this idea before BIP 39, and they implemented it. A slightly different algorithm with some rather interesting code that ended up being changed later. But yeah. But, I mean, that's not how it's... that was never intended. And I think personally... I mean, I was sort of pooh-poohing the taking out of a hat based on practicality, but as a more fundamental point, you're not supposed to be coming up with a sequence of words yourself because that's dangerously close to the whole brain wallet thing again, isn't it? How many people might be tempted to come up with sequences of 12 or 24 words in this list that happen to make up a nice sentence? Right?
So which is not what you're supposed to do. Right? That's not how it's supposed to work. But, of course, taking out of a hat in theory is correct, except for, as you correctly point out, there's a checksum, which means you have to run some software anyway. So blah blah blah.
[00:41:42] Unknown:
Right. So, I mean, we have ride or die freak Younglurk in the comments, mentioning that SeedSigner will derive the checksum for you after you type the first 11 or 23 words, depending on what length seed phrase you use. And the purpose of that checksum is, if the checksum isn't valid, before you even try and restore a wallet, most good wallets will tell you, this seed phrase is not a valid seed phrase. It's just a mistake check, a gut check to tell you, you know, you fucked something up along the way. Now, the passphrase, someone else is asking in the comments, the passphrase is, yes, the 25th word or the 13th word, depending on how long your seed phrase is, and that is just completely from you.
There's no randomness involved in that unless you wanna add randomness to that. And every passphrase that you add, every time you change that 25th word or that 13th word, you're gonna get a completely different wallet. So it will not show as invalid. Any passphrase you put there will show up as a completely valid wallet, and there'll either be funds in it or there won't be funds in it. So as we've said many times on this show and on Rabbit Hole Recap, it's a nice plausible deniability feature because you could have one passphrase that has some money in it, but another passphrase that has the majority of money in it. And you can go down that rabbit hole, you know, with 10 different wallets, you can go crazy on it. So that's what that passphrase is there for. And what's nice about that passphrase is it just takes a little bit less trust. It mitigates trust a little bit more from whatever wallet you're choosing because, for whatever reason... we're about to go through the history of backdoors, compromises, and poor implementations. If for whatever reason that wallet is compromised in how they're generating your seed phrase, your private keys, if someone wanted to take your funds, they still need to brute force your passphrase because you're providing that. The wallet isn't providing that.
Okay. With all that said, we're 44 minutes in. Let's get into the history of different compromises. Alex, I think you... I mean, your thread, one of the reasons you're on this show to begin with is you had a thread full of compromises. So you wanna start us off?
[00:44:15] Unknown:
Yeah. Okay. So the thing is, like, the way the thread started out is, I was listening to Citadel Dispatch and Matt said that, you know, these are conspiracy theories that people try to compromise things. And I was like, oh, I have a lot of examples where that's not the case. And,
[00:44:32] Unknown:
Yeah. Conspiracy theory was the wrong word, but, you know, when you do 400 hours of Bitcoin content, probably more than that, to be honest,
[00:44:43] Unknown:
You misspeak a lot. But, yeah, continue. I was just being very autistic, of course. I mean, it was obvious what you're talking about. You know? But I just wanted to write a thread because I spend so much time on this. But the thing is that... So the question becomes, do these things happen? Are these plausible? Right? Do we have to speculate? Well, I don't know if you guys remember, but in 2014, Snowden leaked some documents. Right? And there's just one very specific document that got a lot of people's attention, and this is talking about the SIGINT Enabling Project. And what this project does, it says very, very clearly, there's nothing to interpret, that they are putting constant effort to, well, let me read it from here. It says this: insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communication devices used by targets. Influence policies, standards, and specifications for commercial public key technologies.
Complete enabling for [blacked out] companies' encryption chips, and virtual private networks, and web encryption devices. So it's pretty much that they've done that. And never mind they've done it. They have a program that they spend, I don't know, like the budget of a few hundred million or something per year to do this. So that's the first example. I have 2 more brief examples. Another example is there's this company called Crypto AG in the 1970s, which is in Switzerland. Now, in the 1970s... in the 1950s, actually, that's when it was incorporated, cryptography looked very different. Everything was very analog, and there was no open sourceness of everything. So there was this one company in Switzerland, and people were like, you know, Switzerland is neutral, so everyone buys their hardware from them. Well, the guy who founded the company, he ended up being friends with a guy who actually was the chief cryptologist for the NSA.
And from 1960 until the 1970s, they backdoored these things. So governments were paying money to get backdoored things. And here's where it gets even more crazy. In the 1970s, the CIA and the BND, which is the equivalent for the Germans, literally bought this company 50/50, under some dummy companies. And they operated them like that until 2018 or something. Or 2017. And they sold compromised hardware to governments around the world. And, oh, they were even profitable. Keep this in mind. These companies even made money.
So I don't know, when these things happen and you see those things, it's kind of easy to realize that, hey, if they did it then for these things, there's a 100% chance something somewhere is gonna get targeted with Bitcoin also. So
[00:47:30] Unknown:
Yeah. So, I mean, obviously, before Bitcoin existed, there was a massive war on encryption. That war continues to this day. The so called crypto wars have not ended yet. We've won a lot of legal fights in terms of protecting code as speech, but that war continues to this day. And the easiest way to compromise encryption standards, or no, compromise the use of encryption, communications, or compromise Bitcoin, is through compromising the sources of entropy or randomness. Correct?
[00:48:21] Unknown:
Yeah. I mean, if you would wanna compromise one, then that would be the best way to do it, because... And this is why something like Bitcoin Core
[00:48:31] Unknown:
doesn't use solely the chip in your computer that's designed for random number generation.
[00:48:38] Unknown:
WiFi. Correct. Sorry. Can you hear me, guys? Yeah. We can hear you. I heard you say Wi-Fi as well. Yeah. Sorry about that. I just had to find another place. I mean, the business center is the only place I could find.
[00:48:55] Unknown:
I love it. I appreciate the dedication. Did you hear anything that Alex said?
[00:49:02] Unknown:
Well, I know he's talking about the Crypto AG example and the NSA generally. I mean, have you gotten to Dual_EC_DRBG yet? But the thing is, these examples are really interesting, generally, but, of course, the question is how much they apply to our particular
[00:49:18] Unknown:
threat model, of course. Do they not apply to our threat model?
[00:49:22] Unknown:
Well, there's this whole concept amongst security researchers of the global passive adversary. You know, it's kind of a euphemism for the NSA really, or at least it was. Now this idea that somebody is basically hoovering up all the data and trying to get a tap into everything going on. I feel like that's quite a different thing from the problem of protecting secrets, like protecting credentials for specific things like Bitcoin. It's not unrelated, of course. It's a closely related concept, but I'm not sure if it's exactly the same thing, really. Well, like, it's not like a crazy conspiracy
[00:50:00] Unknown:
to think, and, like, I'm not trying to FUD them because they have a long track record of securing private keys, but something like a Ledger device that's used by tons of people, and its only source of entropy is, I'm pretty sure, a closed source chip.
[00:50:21] Unknown:
Right. So can I take this opportunity while my WiFi is working to put out my hot take? My hot take about this topic, which is not generally agreed by most experts in the field. But I am quite against hardware wallets as a general... I'm specifically against them as being like the way. It seems so common in the last couple of years for people to say to even newbies, oh, yeah. Take it off the exchanges and put it straight on the hardware wallet. That's the right way. That is the gold standard. That is the thing that every average Bitcoin user should be using. I'm not at all sure that's correct. And my reason for saying it is specifically that, obviously, it's related to what you just said, but it's more just the general philosophical concept of central points of failure, and also a concept something like steganography. And if people don't know what steganography is, it's the idea that there's one thing to hide, like using encryption or some other technology to hide some secret, but it's another thing to hide the fact that you're hiding.
And I think that the problem with using a Trezor or using a Ledger, albeit I'm sure they're great devices and I've played around with them a little bit, is that you're not hiding that you're hiding, and everything is going through a very clear central point of failure. And if we're gonna worry about the NSA as an adversary, for example, or the Chinese or whatever it happens to be, that's an obvious one. I mean, I don't think that really quite works, but it could in theory; there could be some very malicious, very powerful actor that could get into those supply chains. Whereas if you buy off the shelf hardware and you work with things that are more custom, it might make a lot more sense in the sense that... it's not exactly steganography. That's not quite right, but if nobody can predict that the device you're using is gonna be used for that particular purpose, that's a huge step up. And that's why I advocate more the cold, offline laptop kind of model myself.
[00:52:22] Unknown:
Well, I mean, so the way I look at it, I think everything has trade offs. Right? And
[00:52:31] Unknown:
Yeah.
[00:52:33] Unknown:
You know, to me, hardware wallets are a middle ground, and most people will not go through the trouble of having an offline machine generating secure entropy themselves. They have a computer that maybe they've had for 5 or 6 years. They use it for playing games. They use it for searching porn. They have, you know, their emails on it and stuff. Oh, we hope it's not Windows. Right? Yeah. Most of them are using Windows.
[00:53:04] Unknown:
That's just
[00:53:06] Unknown:
some of them are using Mac. Very few are using Linux. Even fewer are actually securing their Linux distro in a sufficient way. And a hardware wallet is a nice middle ground there that is relatively easy to use. Now the earlier hardware wallets, things like Ledger and Trezor... now Trezor has all open source components in it, Ledger doesn't. Both derive the entropy internally through their own processors. The newer generation of hardware wallets allow you to add additional entropy to them. Right. Right. Things like Coldcard. The SeedSigner takes it a step above that in a lot of ways. It does not have a secure element, so it's less... it doesn't have a secure element, but it wipes itself; that is its strategy. So you have to re-upload the secret every time. They use a QR code method now to make that easier.
But the SeedSigner is completely off the shelf parts. It uses a Raspberry Pi Zero. You can just buy that in, you know, a Micro Center or something like that with cash. Are most people doing that? Probably not.
[00:54:22] Unknown:
But it's all about trade off balances. And there is another model. I just wanna mention it, because it's something I haven't thought about for a long time. But one of the first things I tried was using Tails
[00:54:32] Unknown:
as a way of... what I've done too.
[00:54:35] Unknown:
Yeah. Sort of a quasi second laptop, you know, but it's not really a laptop. It's just something that's completely in RAM, and you just stick it in. I stick it on a USB or whatever it was. And, you know, it isn't clearly quite as good, but, you know, you could imagine various virtual machine based models. They wouldn't stand up to academic rigor; somebody would say, oh, look, this is still hooking up to the underlying operating system. They can still be hacked and blah blah blah. But it still has that nice property that... see, like you just said that the hardware wallets are a middle ground, and I totally agree with you. And your point is entirely valid, but the keyword there is middle. Right? So middle is a bit like the word center, right, which is a bit like central point of failure, which is... I think the two things go together. The fact that it is easier to use attracts everyone to it. And then you have this big kind of centralization, vector of attack.
[00:55:24] Unknown:
So before... Anyway. Before the Coldcard existed, before SeedSigner existed as a project, my main way of telling people to do cold storage was Tails. And, actually, that was before they even added Electrum. Now they have Electrum built into Tails. Correct. So you can have this Linux distro, Tails, on a USB drive. You can boot it up, and as soon as you pull the USB drive out, it's designed to wipe everything. So theoretically, you could be using that with your regular computer, the computer you use every day. Now if we're going down the rabbit hole, really, you should be using it with a computer that's always offline, that you don't use for anything else, and then just have the additional benefit of pulling out the Tails drive. But it is pretty cool that they have Electrum built in. It does make it easier. You literally never have to connect it to the Internet. You can just securely generate a wallet, and then just keep in mind that every time you relaunch Tails, you're gonna have to put in your seed words again.
[00:56:27] Unknown:
Mhmm. I suppose another thing to mention... oh, god. No. I'm just gonna start rambling. No. Ramble. We have you on here to ramble. We love your ramble. I was gonna say that another kind of meta level recommendation, you know, we're talking about recommendations, is the idea of a second opinion, isn't it? So there's multiple models where... I mean, one counterpoint I've heard from people who are experts in the field, who say, you know, actually hardware is not so bad. They're often saying to me, yeah, they take my point about the supply chain risk, but they say, well, that's why you use multisig. Of course, that's a more complex, sophisticated model, so it kind of takes away partly from that selling point that hardware wallets have this ease of use, middle ground, you know, somebody can do it pretty straightforwardly. So it makes it a little bit more complicated, but it has that second opinion element where if you have 2 devices, if one of them is compromised, the other one's gonna complain. And you can mix and match. You can do that with an offline device or maybe a Tails. You know, maybe you have 2 different ways that you think are probably secure, and you try both of them and generate your addresses from your seed on both of them, for example, as an idea?
[00:57:40] Unknown:
Yeah. I mean, multisig is clearly a mitigation of the trust issues that, you know, revolve around using a single hardware wallet vendor. If you have something like a 3 of 5... Yeah. ...and you have 5 different types of wallets there, you need 3 of them to be compromised for you to get compromised. I would say that's probably, like, the next level of middle ground. Right? And then you could even get into using multiple offline... Mhmm. ...computers that are dedicated, you know, to the purpose and then have them be in multisig. And I think with multisig, you know, it's kind of a relatively new niche within Bitcoin.
Have people been doing it since, like, the Armory days? And, you know, yes, people have been doing it for a while, but it's starting to really evolve. And the ideal would be that, you know, in the relatively near future, in the next 5 years or so, it becomes even easier to use. And, I mean, you already have things like Casa and Unchained where they hold your hand, and they make it relatively easy to use multisig. Now you have a whole separate trade off there where you're trusting a third party completely with your privacy. And in Casa's case, I mean, it's a closed source wallet app that also in a lot of situ... I think in every situation holds one of your keys.
So, I mean, that's a whole other trade off, but I feel like it's getting easier. We're not quite there yet, but it's relatively accessible. There's no doubt it's getting better. Yeah. And if you talk about even 2 years ago, I mean, it was a way worse situation in terms of using multisig.
[00:59:36] Unknown:
I feel like this whole multisig thing is like, you think in your mind that you should have a girlfriend for each need you have. One should cook for you, one should do this, one should do that. But then again, you have 10 girlfriends and, I mean, you have 10 times more complexity. You know? And I think these companies did a good job. Fair enough. But I also feel there's, like, the people on Twitter who need something. Everyone needs to have an insight. Right? And I think that a lot of people always search for an insight, and I think a lot of people think this is their insight. Multisig solves everything. You know? But I don't think it's necessarily, obviously, the best way to log in to 15. You know? I would say if you're a public Bitcoin figure, which I am,
[01:00:20] Unknown:
multisig adds an additional benefit that you can have your secrets geographically distributed. So if someone breaks into my house, not only do they have to deal with my guns, but they also have to deal with the fact that all my secrets aren't in this location. Right? And they're gonna need to go and get the secrets from those other locations and deal with that extra complexity before they can steal your funds. So it's more than just mitigating the trust risk of whatever wallets you're using as the individual signers.
[01:00:54] Unknown:
I think that's perfectly valid for a case, by the way. But I was trying to criticize this being a solution for everyone. Right? Then... Right. I agree. But I get it. You understand very well. And you were like, hey, I have a very specific situation, and my security is specially catered to my situation.
[01:01:13] Unknown:
But I guess my point was that maybe public figures on Twitter are more likely to be talking about it... Sure. ...because it suits their situation. Right? And people tend to get caught up. It's one of the things with this show that I'm actively aware about, that I have to remember that everyone's not in my situation, and I need to make sure that I have content, you know, for people in completely different threat models, completely different trade off balances that they're seeking, but a lot of people don't. Right? A lot of people just... they're like, this is the best thing for me, so I'm just gonna keep talking about it. That was my point. Can I butt in and answer a question in the chat from Bill McFly?
[01:01:53] Unknown:
So he says, memorizing the seed is no good idea. Is it not a good idea? He's asking. And I think this is a common and important question. So you have a set of words. And, obviously, the intention of BIP 39 and the former Electrum version was that you have something that's human readable and, at least in principle, human memorizable. And a lot of people will just immediately reject the idea. They'll say, oh, especially if it's 24. But even if it's 12 words, they'll say, well, you can't easily remember 12 words. That's a lot of words. That's a lot of entropy to try to remember. But the thing is, the way the human brain works is... you know, I vividly remember in school an absolutely terrible Latin teacher who insisted that we would memorize an entire chapter of Caesar's Gallic War before each lesson, which is absolutely ridiculous, but I literally did it. I mean, because the human brain can do that. It can memorize an entire chapter of text.
So memorizing 12 words is trivial as long as you use a simple mnemonic technique such as embedding those words into a story and having that story have some emotional resonance for you, and then just repeat it a few times, and you will find you're actually able to remember over a fairly long period. Now you'll get the counterargument, and I certainly got this from people like Greg Maxwell back in the day. He would tell me, like, no. Don't do that because your memory is very fallible. You cannot possibly just rely on your memory. It's a very bad idea. And, of course, he's got a very good point. So I think the ultimate nuanced answer is, no. You don't just rely on your memory long term for your storage. You have some kind of physical storage. We can get into how you do that. There's many ways.
But it's also very convenient that you have this, option of memorizing memorizing, for example, when you're crossing borders. So I don't have to put anything on a piece of paper when I cross a border, let alone, carry a little device that looks like a calculator or whatever it is. Right? Right.
[01:03:41] Unknown:
So I think there's a nuanced answer there. It's a very interesting Yeah. I mean, and if you're memorizing it to cross a border, you only need to memorize it for 24 hours or 48 hours. There's also a nuance there, like, if you have clues or something. But, like, I will speak from personal experience as a very paranoid person that I have right now. I have 4 encrypted drives that I do not know the password to because I thought I can memorize them, and I memorized them many times. There were many times I entered it until I couldn't enter it, you know. And I still have the drives because I'm like, one day it might come
[01:04:18] Unknown:
to me. And that's forgetting I haven't had any brain injuries or anything like that. Wait. Wait. Wait. Are there any private keys on those drives, or is it just information?
[01:04:26] Unknown:
You know, Waxwing, I'm not quite sure.
[01:04:29] Unknown:
You know, sure. But that's my point. My point in asking, although it's a bit of an intrusion, my point in asking is that there's a certain incentive when there's money involved that you might have. There's a there let me put it this way, Waxwing. There's a reason why I'm still holding the drives. Okay.
[01:04:46] Unknown:
I haven't thrown them out yet. But I really have no idea what's on those drives. So you had a virtual boating accident, basically. It's all of your yeah. It's still there. They're, you know, they're in my drawer. I just need to remember the password.
[01:04:59] Unknown:
Oh my gosh.
[01:05:01] Unknown:
But it happens. You know, you'll remember them until you don't. And if, you know, MVK says a very good, he has a very good line that when you think about storing Bitcoin, like, you should be thinking 10 x the amount you're holding. And I would say that's even conservative. Right? Because it's been way more than 10 x since I first entered the Bitcoin world. So you know, it might not seem like that much. You're like, oh, I'm just setting it up. I don't need to write it down. I'll remember this. Of course. Yeah. It's very likely that you will forget it. Some people will remember it until you forget it. So just, at the very least, have clues.
When it comes to storing secrets safely, pen and paper is your friend. It's offline. Someone has to come into your home or office to access it. Obviously, it's not fireproof or waterproof. That's where, like, steel comes in, stamping steel, stuff like that. To go back to the history of backdoors, compromises and poor implementations, one that I remember vividly Mhmm. Was the blockchain.info wallet, which, by the way, still exists. Do not go to that website. Do not use their wallet. Do not use any of their software. They're also blockchain.com. Do not go to that website. Do not use their software. Disclaimer. Disclaimer.
They had a compromise where they were using random.org as their source of entropy. Correct. Yeah. And it was serving a 404 error for a little bit, so all the wallets were derived from the 404 error. Yeah. I think it was actually a 403 redirect, but either way, it's the same. Okay.
[01:06:43] Unknown:
Either way, same reason why it's basically a fixed string, and they were just kinda hashing that, and so it was everyone was but what's so catastrophic about that is I think that was private keys, not nonces, right, in that particular one. So it was actually was it? So they're actually Yeah. The one Matt is referring to, it was private keys. Yeah. Yeah. So does that mean that we're giving everyone the same address or the same seed anyway?
[01:07:04] Unknown:
I think they had did they have one other source of randomness, but it was, like, a bullshit derived source of randomness? At some point, they were even well, yeah. They were using random.org, and then they didn't call it anymore. But I don't think people were, like, people were opening wallets, and they already had funds in them. It took an attacker. There was some nuance to it. Yeah. Yeah. There was definitely a bit, not simple. Yeah.
[01:07:26] Unknown:
And there was, around that same time, I think it was slightly earlier. It's less well remembered nowadays. There was a bug where there was an actual weakness in the SecureRandom library in Java. And I think there were 2 or 3 wallets hit by this where they were actually generating really insecure nonces. Was the original Schildbach wallet compromised on that, I think? I think it might have been because it might have been bitcoinj. Right? Or the the Yeah. Yeah. It makes sense to me. It's just a bit unclear in my head, because it was a long time ago. But that's the thing, Waxwing, is, like,
[01:08:04] Unknown:
like, I understand the concerns around, like, hardware wallets or whatever. But before, like, we enter the hardware wallet era Yeah. I mean, like, do you remember, like, on Bitcoin Talk and Reddit and stuff, like, it was just, you know, like, people, like, had logged me in on their computer. They just had, like, a virus on their computer or something, and they were getting compromised. Like, forget entropy. I know the conversations around entropy. But, like, it felt like every day you would just open Reddit, and it was just, like, someone got their wallet drained.
[01:08:32] Unknown:
Yeah.
[01:08:33] Unknown:
Yeah. Like, we've removed the low hanging fruit. Yeah. And now we can talk about now we can go deep about securing your Bitcoin because people aren't losing their shit every fucking day over some ridiculous compromise on their computer.
[01:08:51] Unknown:
I mean, yeah. It's still certainly, the problem I mean, maybe I'm affected by having tried out hardware wallets in the early days of that development where, you know, you would plug it in. It would say, like, oh, just fire up our web app, and then it would, like, you know, and they do have it would be, like, more effectively, like, seeing all your transactions. So privacy disaster. And then it would be like, oh, just update the firmware, and there'd be another 10 firmware. And they were just like, oh, are you joking? I just the more I think I mean, I actually went to the trouble of going to the Trezor offices in Prague to actually get my Trezor in person, paying in cash. So I'd try to be like the good citizen like that. But, Of course, you did. But even so, I didn't really trust I just don't trust the model, but I do see the argument that it's Well, like, the good ones nowadays, like, don't you don't use, like, a prepackaged,
[01:09:47] Unknown:
software, you know, the firmware updates or at least there's PGP verification there. I mean, I guess, like, a hardware wallet, the beauty of it is you can have, like, a hard coded signing key, and they can check it for you, but you're trusting them to check it. They add additional sources of entropy. You can use your own node with it instead of using the centralized node that is tracking all your balances and your transactions.
[01:10:17] Unknown:
So if we try and summarize, like, the historical aspects apart from the whole NSA thing, which is that the I think the reason Alex focused Apart from the elephant in the room. Yeah. Well, apart I think the reason Alex focused on that is because it illustrates the point that people say, oh, don't be conspiracy theorists, whereas in fact, the conspiracies are real. Right. Right. You know, I think that is a very important point to bear in mind. But in terms of, like, Bitcoin, it's been mostly like software flaws.
It's user error in terms of generating keys, and I think the software errors tend to be more about generating nonces. And the reason for that is you have to generate a nonce every time you do a transaction, whereas a key is a one time thing. So it's easier. It's more an isolated thing to get that right. Okay. Maybe blockchain.info was so terrible. They actually screwed that up as well. But Maybe now it's a good moment to actually start explaining this because maybe a lot of people don't even know this is a thing where, like, what I mean. If you start, you start the whole nonce conversation. Wait. Wait. Before we get there, I wanna make it completely clear.
[01:11:17] Unknown:
I wanna make it completely clear to the freaks. We have 20 minutes left in this conversation. I just wanna make it completely clear to the freaks who are scared shitless right now. There's a lot of you out there. I know you're a little bit scared from this conversation. That strictly speaking, if you hold your own keys, ideally use your own node, but if you hold your own keys in any of the major hardware wallets, you're still better off than if all else equal. I don't like speaking absolutes. You're still better off than keeping it in a custodial regulated exchange, custodial wallet. We have MZ fucking legend in the comments right now talking about Mt. Gox. Like good point. Like, we have in the history of Bitcoin, if you hold your Bitcoin with a custodian, not your keys, not your coins, we say this a million times, it can get frozen, it can get stolen, you can lose it, the exchange can go bankrupt.
Like, there's a lot of ways you can lose your coin if you're holding it on an exchange. So the first step before you get into all this rabbit hole, you gotta hold your own keys, and don't get too frightened from this conversation. Okay. Alex, continue.
[01:12:33] Unknown:
Yeah. So we were talking initially about the whole random numbers thing. Right? And it's like all we said here pretty much was that, hey. It's pretty obvious and I think everyone knows, even if they're a novice, that you need those words to be random, and we stress this enough. Now the thing is that the way Bitcoin works is that you have these Bitcoins laying around on that's not technically accurate, but go with me. You have these Bitcoin laying around on the blockchain. Right? And you need to provide a signature to say, hey. I actually could This is a proof that Like you sign a check that I have these Bitcoins and I'm gonna move them somewhere else. The way this signature works mathematically, because it just works like that, you need a bit of randomness for this also. And, well, probably some of you are gonna think right now, well, we just got a new signature scheme with, like, Taproot and Schnorr. So what we're gonna talk about is valid for both of them. This specific aspect that we're gonna talk about Yep. Yep. Doesn't change anything. So it's valid for both of them. Anyway, so the thing is that what the signature pretty much does in a very dumb way, you just think you also use your private key. You jumble a lot with this randomness and some other things. And then when someone looks at this on the blockchain, other nodes, they're gonna be like, this is a valid signature.
And the thing is that signatures are made to function in this way and they shouldn't leak your private key. That's why you use that randomness to mix it together so you don't leak it. And turns out there's, like, these very clever attacks that actually if you have so I actually made a really big case earlier that, hey, if you have a crooked dice and 30% of the dice is Right. Like, 40% of the entropy. But, like, you're still ending up with a private key. It so happens that with the nonces, like, if you have even one single bit, I'm repeating this, one single bit of biased entropy there, someone could look at your signatures on the blockchain and they could steal your they could guess your private keys, which is pretty crazy. It's like it sounds like it's impossible when you think about it. Maybe Adam wants to explain how this has happened. And there's actually a few variants on this attack, not just the one with a bit, but that one is the most, Yeah. I guess, scary. So yeah. So I think going back to first of all, let's get the word clear. So nonce is a word that's short for number used once.
[01:14:55] Unknown:
And what is this number used once? What is the purpose of it in the context of a signature? Well, the purpose of it is simply blinding. A very crude understanding of it is when you're signing with your private key, you're kind of multiplying the message by the private key, very crudely. You're just taking the message and just imagine it in your head. I'm just gonna multiply it by the private key. Now if you pass that across to somebody as a signature, it would be horribly insecure because they would just divide out the message and they get your private key. So the purpose of this nonce is to add a blinding number just like, I could give you the number if I have the number 13 and it's a secret, but if I add 17 to it, you're just gonna see, like, what is that? 40, 30. You're gonna see 30, and you're not gonna know the original secret 13. Could be precisely because you don't know what that random blinding addition was that I did, that 17. If you knew it was 17, then, of course, you could take it away and get the 13. So the purpose of a nonce in a signature scheme is specifically to blind the output signature while still having that property that you're binding the private key to the message.
And it's obvious from that description that I can't well, it maybe isn't obvious, but it should be clear if you think about it from that description that if I tried to use the same nonce twice so I signed 2 different messages with the same private key. But if I then use the same nonce twice, then by simple subtraction, I'd get rid of the nonce, so I'd be back to the situation where I can just trivially extract your private key from the signature by taking away the messages.
[01:16:22] Unknown:
If you work out the algebra, that's how it works. And, like, the saying twice is like a simplification, but if you do it, like, 15, 20,
[01:16:30] Unknown:
100 times, it becomes easier. No. No. In that particular case, it's not a simplification because the most basic nonce reuse here. Specific. Yeah. So the most basic example of a nonce failure, so to speak, is if you simply reuse the same nonce twice in different messages. Then it is the case because you've only used it you've got 2 equations there, and you can subtract out the nonce from the two equations and get the private key. And just to add very quickly here before we move on,
[01:16:57] Unknown:
there were a lot of well, by a lot of, I mean, probably a few hundred cases of when this happened. And there are a few people who, like, did some research and there's some papers there, and they found this. And that is true. They were more like because these are implementation errors pretty much. Right? And these were happening more in the early days more than now.
[01:17:16] Unknown:
Yeah. Yeah. So so that's the most basic So how do you know the nonce is being reused?
[01:17:21] Unknown:
Right. Well, it's very simple. When you publish a signature on the chain, you're publishing 2 pieces of data. One is the actual signature, which is a number, a scalar number in the field, and the other one is an actual elliptic curve point like a public key. So what you actually if you actually look at a signature like an ECDSA signature on chain, unfortunately, it has, like, weird extra formatting. But you probably already know that public keys start with 03 or 02. Right? It's actually a pub just like your public key for your private key. This nonce point, we could call it, is the corresponding elliptic curve point to the nonce scalar, the nonce secret. So just like your private key is not exposed by giving someone the public key, they can't reverse it and find it. Similarly, when we publish the nonce point on chain, you can't reverse it back to the original nonce from the public point nonce, the nonce point, however you wanna say it. But if you just reuse the same nonce, just like if you reuse the same private key, you'll get the same public key. Right? If you reuse the same nonce, you'll get the same nonce point. So what these people did in the early days was they set up automated programs looking on chain or in the mempool anyway for transactions that were using the same r value, which is the public nonce point, as had previously been used. As soon as they saw that, they could just subtract the 2 signatures and immediately get the private key. So it is visible on chain.
Yeah. The Yeah. But do you see the subtlety is that it doesn't reveal the actual nonce secret value itself. It reveals the public key corresponding to it. So it reveals that it's been reused, but not exactly what it is. Exactly the same way as if I gave you the public you know, it's the same private key even. Like, anyway, you get the point. So that's the most basic example.
[01:19:01] Unknown:
Yeah. Go ahead. No. No. No. I was gonna say that actually MZ brought up something, but I think you're gonna explain maybe then we should address the question.
[01:19:08] Unknown:
Yeah. I think before we do the that's a very important thing to discuss. Before we discuss that, let's just quickly I just wanna expand one little detail on, like, Alex gave you the bombshell. Right? The bombshell is that the nonces have this horrible fragility to them, which is that even if you have slight biases, 1 bit, 2 bits, 3 bits maybe, in a nonce, that can lead to this catastrophic failure where you actually get the private key just from the nonces even though the nonces are only a tiny bit biased. But I just wanted to qualify that. A very important qualification to that is that that attack, I mean, it's generally called the LLL, it's the hidden number problem is how it's described, or also a lattice based attack is another way to describe it. But this attack only works with lots of signatures. And when I say lots, it could be anything from, like, 20 to 30. Well, if it's a really extreme bias, you might only need 10 signatures. But if it's like a normal, like a few bits or 10 bits, you might need, like, 30, 40, 50 signatures. So, luckily, even if somebody's got a very slightly bad nonce generator that is random, if you only use the same key once, then it kind of, by luck, doesn't matter. Right? So that's a detail, but it's an important detail. Now MZ is making a very important point, which is everything we're describing about generating. That's not how it works. And part of the reason it doesn't work like that is because in history, there were a number of software failures leading to one very famous example was somebody we all know and love, Ryan X. Charles, managed to put this wonderful piece of code in one library or another that some wallets were using that actually generated nonces of 64 bits instead of 256 bits.
So that's not like a 1 or 2. That's 1 or 2 bits. That's like 3 quarters of the bits are all zeros. So as a consequence, and this was found in the paper, Biased Nonce Sense, by Heninger et al. Oh, that's a great name for the paper. Yeah. Biased Nonce Sense. Yeah. You can look it up. It was funny because when she published it, I was on IRC with Greg Maxwell, and we were looking at it, and, typical Greg Maxwell. It's like you're like, oh, yeah. And I think it took him about 1 hour to figure out it was this one particular commit by Ryan X. Charles. He found out which wallet it was because they were saying in the paper, we don't know which wallet generated these, but we found all these and they were all insecure and all the money was lost. And, of course, it wasn't the academics that stole the money. It was somebody else who had automated programs running looking for this kind of thing.
[01:21:34] Unknown:
That's a name I haven't heard in a while. I remember when he used to be a hero to me
[01:21:38] Unknown:
before he completely lost his shit. Oh, yes. So we yeah. Those videos. Yeah. That's kinda interesting. Yeah. That is something. Anyway, so what's going on? Yeah. So deterministic nonces. Now this is where it gets interesting. What you can do is because it's difficult to do this right in software and because nonces are fragile, how about let's get clever and let's refer back to something we said earlier in the discussion, which was the idea of a pseudo random number generator. So instead of just thinking of a fixed amount of a random number, think of something that generates a stream of random bytes. And what we can do is create this pseudo random number generator based on 2, like, bits of secret data. The private well, not one of them secret. The private key and the transaction message. And what we can do is go through a bunch of hashing, basically. That's what's called RFC 6979, and we can output a nonce, which would be the actual secret nonce. The output nonce would be a function of both the message and the private key. So nobody who doesn't know the private key can regenerate the nonce. But the cool thing is it means that this same nonce will be generated every time you have the same message and same private key, and it also guarantees that every time you have a different message with the same private key, you'll get a different nonce. And that's the property that's absolutely critical. You never want to have the same nonce on the same private key with a different message because that's when you're repeating the nonce and you lose all your money.
So RFC 6979 has become absolutely standard across all wallets used in Bitcoin since about, I don't know, 2015, 2016. Nobody uses anything else. But there is a little, like, fly in the ointment, which is when these new, like, MuSig type protocols get developed. We can no longer do that for more reason. Which we just added functionality for? Yeah. It's Taproot. Yeah. But Taproot MuSig isn't really in anything. Yeah. MuSig isn't really in anything. Yeah. It's not even in libsecp, but it's kind of, like, coming very quickly. So, yeah.
[01:23:32] Unknown:
So so right now, probably, you know, they're like, the people on the chat are like, okay. That was some very interesting boring fucking technical detail. Why do I fucking care? Well, I was only
[01:23:42] Unknown:
MZ. Yeah. You're right, MZ. That's why I was the long version of, like, what you're saying. No. No. But I'm gonna steel man that.
[01:23:49] Unknown:
Okay. So you're thinking like this isn't okay. That's an interesting thing, but you already said it's fixed. So why the fuck would I care? Right? Well, now here's the problem right now. So let's say you get your hardware wallet. Right? Which is, you know, it's a Bitcoin hardware wallet. Yeah. And you say, I generated my so I've done my job. I generated with my own dice. Right? But now you have to still make transactions. And now here comes the question. And I know this again also very esoteric attacks, so keep that in mind. So don't get scared, but it could happen. Well, if someone intercepts your hardware wallet,
[01:24:21] Unknown:
they could specifically bug your random number generator in a way where it affects your nonces. Right? So right now you don't know you don't sorry. When it's creating a transaction, you don't know where it's getting this nonce from. You know? And then this becomes also a different problem because so what if we have the standard? How do you know the wallet is using it? Exactly. Can I just reemphasize that for other people? People are not gonna necessarily think of it. But everything I just described is great, but you don't know if a hardware wallet is doing it. You cannot know when you look at a nonce whether it was generated by RFC 6979 or whether it was generated by dice rolls or whether it's completely, like, evil generated. You know. Yeah. Well, like, is there, like,
[01:25:03] Unknown:
a time reputation kind of thing that involves this thing? I mean, people have been using some of these hardware wallets for years. Oh,
[01:25:11] Unknown:
So regarding this thing that I just said, Stepan Snigirev, I think that's how I pronounce your name, the guy who Snigirev. Snigirev, I think it's Snigirev. The guy who
[01:25:20] Unknown:
pronounced name. He's awesome.
[01:25:22] Unknown:
He yeah. He's just great. He actually wrote about this thing, had a blog post, and they even tried to standardize this a bit, and had some posts or whatever. So and there are a few ways to, like, solve this problem, by the way. Even this one, you can still solve it. Maybe Adam can describe it a bit more. Can I expand a bit on this? Because I'm running out, and I wanna explain. So the concept here might be I mean, you talked about time. That's an important concept is,
[01:25:50] Unknown:
you can get really sneaky with this. One thing you could do as an attacker is if you had control of the nonce generation function, instead of just having it spit out a key immediately, you could have it spit out a couple of bits of the secret data, let's say, the master secret for your BIP 32 tree. Right? It could spit out a couple of bits every transaction or maybe just one bit every 10th transaction, and it could be, like, over, like, 3 years. He slowly but surely gets your key. Once you're well you know, you've spent a couple of months thinking, well, I'm not sure about this hardware wallet. Well, like, oh, yeah. It seems to be working fine. I've done a few transactions. Now do a few bigger ones. Now do a few bigger ones. And he's waited, like, a year, and then eventually, he's got your whole key and you're dead. Right? So you have to think, like, really fiendishly, like, these adversaries. So how do we protect against this? It's a very nontrivial problem. There's a post on the Bitcoin dev mailing list, I think, by Pieter Wuille, who went through several different ways you could try to address this problem. And it's a very weird problem because the whole concept of the hardware wallet is that you don't trust the hot computer, let's say, yeah, the online computer, and you're trusting the offline computer, which is the hardware wallet. But in this attack, we have to flip it around, and we have to say, okay. I'm gonna assume that the hardware wallet is an adversary. Right? So how do we deal with this? Well, the general concept is just like you said before with a Coldcard, you take some randomness and you actually sort of feed it into the nonce, add it into the randomness that the hardware wallet is generating, whether it be RFC 6979 or anything else. But you add your own little element of randomness into it to make sure that overall that nonce is in fact random.
So it's things like there's a concept called sign to contract, and it's basically the idea that you take the hardware wallet's nonce, and you kind of add You tweak that point with a hash of some data that you fed in. And then you have to have a protocol that sort of, how to say, verifies from the software wallet side, verifies that the actual procedure was followed honestly. And I think I would recommend people read a post by Blockstream on Blockstream's Medium. It's like anti-exfil, they call it. Anti dash exfil because it's against exfiltration of the secret via the nonce. So the nonce is like a side channel, for the people who know about that concept.
But, yeah, it's pretty advanced stuff, but that is an example of a problem that you can kind of solve. But the interesting point is if you read the whole blog post, at the end, they point out that there's a fundamental sense in which you can never totally solve it. Because what can happen is if the attacker sees that the output from this honest protocol to produce a properly honest nonce, if it produces a kind of nonce that they don't want, they can just abort the protocol and say, oh, sorry. There was an error. We can't sign that. So they point out in the blog post that even if you get really, really clever, you still have to take an approach of saying, you still have to be paranoid. Like, if the thing stops working or maybe it's an adversary. You know? Well, it's a personal responsibility thing. You should just always be paranoid.
[01:28:51] Unknown:
But, Alex, when was the last time an attack like this happened, a nonce-based attack?
[01:28:56] Unknown:
Well, the thing is, like, we kind of, like, made them very general, but you have to like, these nonce attacks are very specific. Like, even, like, Adam was saying, like, there's the whatever problem. There's even, like, specific attacks of the hidden number problem. Right? Yeah. That's true. Yes. So it depends which one do you mean.
[01:29:14] Unknown:
But can I just say that's why you should read Biased Nonce Sense by Heninger, et al? Because it's effectively a review, and it doesn't even restrict itself to Bitcoin. It also covers Ethereum and LOL Ripple. And it actually shows, like, over that they because they basically scanned the whole blockchains looking for weak nonces. And they found that part of their summary is, like, we found, like, $24 worth of Bitcoin is still exposed and, like, $12 of Ethereum. So, essentially, all the other examples, which they found quite a lot over several years, had already been taken. So people had programs running continuously, and some of the most obvious examples were like the ones I mentioned before. SecureRandom in Java had a weakness in its supposedly cryptographically secure random number generator, which wasn't actually cryptographically secure, which meant that once somebody has seen enough data, they could predict what the next values would be, and they could use that to extract the nonce. Oh, okay. That wasn't exactly nonce reuse, but there were I think there were a lot of examples. This is something you can trivially check by just scanning of people literally just reusing nonces due to a software bug or just due to being stupid. I don't know exactly. But it has happened quite a lot. I mean, relatively, I don't mean, like, 1,000,000, but, you know, it has happened.
[01:30:26] Unknown:
You know, the idea was, like, don't worry about this, but if you were having a coverage of, like, what could go bad with entropy, this is what could go bad with entropy. And okay. So how could you, one way to limit this? Well, in order for someone to deploy this attack, they have to target your device. So get this hardware. Right? I don't know. Don't get, but this would be a way to mitigate it pretty much.
[01:30:48] Unknown:
So, guys, this has been an absolutely fantastic conversation. We have a hard stop that we've Yeah. Gone past.
[01:30:57] Unknown:
No. It's it's okay. I'm I'm yeah. That's good.
[01:31:00] Unknown:
You're good? You're good to continue, Wax? Well, I mean, I'm good to finish is what I meant. Oh, yeah. Yeah. We're gonna wrap up. It's been a great conversation. I appreciate both your time. Let's end it with some final thoughts. Alex, first to you. Final thoughts.
[01:31:16] Unknown:
Final thoughts. I don't know. I don't know what to say. I guess you should just start being a bit more skeptical. That's what I would say about all these things and all this common knowledge that you have that you get from people because I don't know. That's the whole point of Bitcoin. That's what I would say.
[01:31:34] Unknown:
Waxwing. Thank you, Alex. Waxwing, final thoughts.
[01:31:38] Unknown:
Yeah. Well, just be suspicious of third parties, like central parties. Because, you know, everything in our culture encourages us as consumers to just, like, do the easy thing, but, you know, have a bit of gumption and do the hard thing. There we go. But, yes, thank you, Waxwing. Yeah. Everyone, practice some personal responsibility.
[01:32:02] Unknown:
Don't go for the most convenient answer, and constantly continue learning. I wanna thank all the Ride or Die Freaks who joined us in the live chat for this conversation. You guys make this show special. Thank you to all the Ride or Die Freaks that continue to support the show and keep it ad free and sponsor free. And a huge thank you to both Alex and Waxwing for joining us. It's been an absolute pleasure. I hope you guys come on again soon. And, Waxwing, thank you for coming on for your second time. You're fucking killing it. Enjoy El Salvador.
[01:32:39] Unknown:
Yeah. Thanks for having us on, Matt. And I really appreciate, again, you just, straight away after you saw the thread, you were like, Astro, let's talk about this. So thanks for That's what this show is about. That's why I do it. So thank you both. Cheers.
[01:32:52] Unknown:
Cheers. Looking out the window, hear the ice cream truck tearing through the couch, cushions, tryna scrounge up. But, Buck, you know, I'm runnin' to get to him, but, oh, he rolls away, because I gotta stay cool on a hot summer day. I've got 3 quarters and two dimes. I've got 4
[01:35:04] Unknown:
Hours yearly living life carefree, not a worry in the world from a bill or girl. Homework was the main concern, and with 99¢ I had money to burn. Looking for a block party or barbeque, Who said ballin' out was impossible? And I could do things that was hard to do, a quarter water plus chips and a Charleston juice. It was water, kid, like Evian. Looking for a girl like a move, Evian. In the vein of Christina Mille Young, but with more Echelon and some pink jellies on. Now, not some average missus, someone I could play run, catch, and kiss with. Back then, kid, please believe this. Only thing me and Eli would need is.
[01:35:39] Unknown:
Three quarters and no. 2 dimes I got. Okay. Open pieces. Come on. Oh, man. I'm walking in the street
[01:36:35] Unknown:
Love you, freaks. Thank you for joining me for another dispatch. I will see you on Rabbit Hole Recap on Thursday, and another Citadel Dispatch on Tuesday for another Bitcoin Tuesday. We have a great lineup next week. We have Eric Sirion, the lead maintainer of Simple Bitcoin Wallet as well. That's not Eric Sirion. And fiatjaf, and we're gonna be discussing Chaumian mints on Lightning. This idea that you can have a privacy preserving, trust minimized custodial wallet that has easy UX and can interact with the rest of the Lightning Network. It could be a very special conversation. I am looking forward to it. I love you all. Stay humble. Stack sats. Cheers.
Introduction to the confusion about the Internet and email in the 1994 Today Show clip
Importance of secure random number generation for Bitcoin
Different sources of entropy for generating Bitcoin keys
Debunking the myth of using physical dice for generating Bitcoin keys
Discussion on the history of compromises and poor implementations of entropy sources
Backdoors, compromises, and poor implementations in Bitcoin wallets
Different methods of securing Bitcoin
The importance of holding your own keys
Discussion about the fragility of nonces and the potential for catastrophic failure
The history of software failures related to nonce generation
Introduction to deterministic nonces and their benefits
Challenges with deterministic nonces in new protocols like Taproot
Importance of being skeptical and practicing personal responsibility in Bitcoin