
The Art and Science of Bitcoin Wallet Seed Generation: Randomness is everything

The Quest for True Randomness: Exploring Seed Generation Methods for Bitcoin Wallets

The backbone of Bitcoin security and storage is your Bitcoin wallet's seed phrase, a unique series of words that acts as a master key to recover and restore the wallet's private keys in case of loss or device failure. Consequently, generating a truly random seed is crucial for the security and privacy of your bitcoin holdings.

This is actually a much harder problem than it would intuitively appear. Computers, by their nature, are deterministic systems designed to execute instructions in a predictable manner. This predictability is at odds with the concept of randomness, making it difficult for computers to generate truly random numbers without external sources of randomness.

Entropy and Seed Generation

At its core, the generation of a seed phrase relies on entropy. Entropy, in the context of cryptography and seed generation, refers to the level of randomness and unpredictability in a set of data. It is usually measured in bits, where each bit represents a binary choice (0 or 1) with equal probability. The higher the entropy, the more secure the resulting seed phrase, as it becomes increasingly difficult for an attacker to guess or brute-force the seed.

For instance, a seed with an entropy of 128 bits would have 2^128 possible combinations, making it extremely secure. The Bitcoin protocol recommends using seeds with an entropy of at least 128 bits for optimal security.

Seed generation typically involves creating a random sequence of words that corresponds to a specific level of entropy. The most common standard for seed generation is the BIP39 (Bitcoin Improvement Proposal 39) specification, which defines a list of 2048 words. Each word in the list represents 11 bits of entropy (since 2^11 = 2048). Therefore, a 12-word seed phrase would provide an entropy of 132 bits (12 words x 11 bits/word).

Now, let's explore a few specific examples of seed generation using various sources of entropy:

Hardware Random Number Generators (HRNGs)

Trezor employs an HRNG to generate random seeds. It uses a True Random Number Generator (TRNG) built into the STM32 microcontroller, which leverages electronic noise to generate random numbers. The wallet then converts these random numbers into a BIP39-compliant seed phrase. The seed generation process is as follows:

a. The HRNG generates a random 256-bit number.

b. The wallet software calculates a checksum of the 256-bit number.

c. The 256-bit number and checksum are combined to create a 264-bit number.

d. The wallet divides the 264-bit number into 24 segments, each representing 11 bits.

e. Each 11-bit segment is used to select a word from the BIP39 word list.

f. The 24 selected words form the final seed phrase.
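Steps a through f as an added Python example, not Trezor's firmware code: `secrets.token_bytes` stands in for the hardware TRNG, and the function names are assumptions. The checksum is the leading ENT/32 bits of SHA-256 over the entropy, as BIP39 specifies, and the code also covers the 128-bit case, where a 12-word phrase's 132 bits are 128 bits of entropy plus a 4-bit checksum. It returns word-list indices; supply the 2048-word BIP39 list yourself to map them to words.

```python
import hashlib
import secrets

VALID_ENT_BITS = (128, 160, 192, 224, 256)

def entropy_to_indices(entropy):
    """Steps b-e: append the checksum, then cut into 11-bit word-list indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                   # 8 checksum bits for 256-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11       # 264 / 11 = 24 segments
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices):
    """Inverse direction: recover the entropy and reject a bad checksum."""
    indices = list(indices)
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    if any(not 0 <= idx < 2048 for idx in indices):
        raise ValueError("word index out of range")
    combined = 0
    for idx in indices:
        combined = (combined << 11) | idx
    cs_bits = len(indices) // 3                # 24 words -> 8 checksum bits
    ent_bytes = (len(indices) * 11 - cs_bits) // 8
    entropy = (combined >> cs_bits).to_bytes(ent_bytes, "big")
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch: phrase was mistyped or altered")
    return entropy

def to_words(indices, wordlist):
    """Step e-f: look up each index in a caller-supplied 2048-word list."""
    if len(wordlist) != 2048:
        raise ValueError("BIP39 word list must contain exactly 2048 words")
    return " ".join(wordlist[i] for i in indices)

if __name__ == "__main__":
    entropy = secrets.token_bytes(32)          # assumption: OS CSPRNG stands in for the TRNG
    indices = entropy_to_indices(entropy)
    assert indices_to_entropy(indices) == entropy
    print(len(indices), "indices:", indices)
```
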

Pseudo-Random Number Generators (PRNGs)

Electrum, a widely-used software wallet, generates seeds using a PRNG called 'os.urandom()' provided by the operating system. To enhance the entropy, Electrum combines the PRNG with additional sources such as user input (mouse movements and keyboard presses) and system data (e.g., system time). Here's a simplified seed generation process for Electrum:

a. The wallet gathers entropy from multiple sources (PRNG, user input, system data).

b. The combined entropy is used to generate a random 128-bit number.

c. The 128-bit number is converted into a BIP39-compliant seed phrase.

Verifying Dice Roll Method

Coldcard, a popular hardware wallet developed by Coinkite, offers an interesting and unique feature that allows users to generate their wallet seed using dice rolls.

Coldcard's wallet interface provides an option to generate a seed using dice rolls. Users select this option and then proceed to roll the dice multiple times, entering the results into the wallet. For a 256-bit seed, at least 99 rolls are required, as each roll provides approximately 2.58 bits of entropy (log2(6) ≈ 2.58). More rolls can be performed to increase the entropy further.

Once the required number of rolls has been entered, Coldcard combines the dice roll values with its built-in true random number generator to create a high-entropy seed. This hybrid approach ensures that even if the dice rolls have biases or the internal random number generator is compromised, the generated seed is still secure.

After generating the seed, the Coldcard wallet displays the corresponding BIP39 mnemonic seed phrase, which the user can record.

Coldcard's verifying dice roll method offers users an extra layer of security and control over their seed generation process. By incorporating true randomness from physical dice rolls, this method mitigates potential weaknesses in pseudo-random number generators and enhances the overall security of the generated seed.
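The hybrid mixing described in this section, and the multi-source gathering described for Electrum above, as an added Python example that is not Coldcard's or Electrum's code: the SHA-256 construction, the function names and the min-entropy estimate are assumptions chosen for illustration. It shows that the hashed result changes when either input changes, so one weak source alone does not fix the seed, and it gives a conservative entropy estimate for a set of rolls.

```python
import hashlib
import math
from collections import Counter

def ideal_bits(rolls):
    """Entropy if every roll is fair: log2(6) bits each (99 rolls -> about 255.9)."""
    return len(rolls) * math.log2(6)

def min_entropy_bits(rolls):
    """Conservative estimate: score every roll as if it were the most common face."""
    most_common = max(Counter(rolls).values())
    return len(rolls) * math.log2(len(rolls) / most_common)

def mix(rolls, device_random):
    """Hash length-prefixed dice digits together with device randomness."""
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    if len(device_random) < 32:
        raise ValueError("need at least 32 bytes of device randomness")
    h = hashlib.sha256()
    h.update(len(rolls).to_bytes(4, "big"))   # length prefix keeps the inputs unambiguous
    h.update(rolls.encode("ascii"))
    h.update(device_random)
    return h.digest()                          # 256-bit value to feed into BIP39 encoding

if __name__ == "__main__":
    import secrets
    fair = "123456" * 16 + "123"               # constructed sample: 99 evenly spread rolls
    loaded = "6" * 99                          # constructed sample: a die that always shows 6
    trng = secrets.token_bytes(32)             # assumption: OS CSPRNG stands in for the TRNG
    for name, rolls in (("fair", fair), ("loaded", loaded)):
        print(name, round(ideal_bits(rolls), 1), round(min_entropy_bits(rolls), 1),
              mix(rolls, trng).hex())
```
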

Cloudflare & Lavalamps

Although Cloudflare is not a wallet provider, we'll include it anyway because it's interesting. Cloudflare, a web infrastructure and security company, has come up with an innovative and quirky approach to generating random numbers using lava lamps. The method, called the "LavaRand" system, uses the unpredictable and chaotic nature of lava lamps to create a high-entropy source for random number generation.

To collect this data, Cloudflare has arranged about 100 lava lamps on one of the walls in the lobby of the Cloudflare headquarters and mounted a camera pointing at the lamps. The camera takes photos of the lamps at regular intervals and sends the images to Cloudflare servers.

Lava lamps that help secure the internet

Cloudflare's LavaRand system showcases a creative approach to random number generation, leveraging the inherent unpredictability of physical processes like lava lamp movements to create a high-entropy source for generating random numbers.

Conclusion

Wallet providers employ a variety of methods to generate random seeds, each with its own strengths and weaknesses. The key takeaway is that a wallet's seed generation method directly impacts the security and privacy of your bitcoin holdings. Some users prefer the comfort of adding their own level of randomness into the process, which comes with the dice roll method, but hardware random number generators are also considered to be in line with best practices. Cloudflare's LavaRand system showcases a creative approach to random number generation, which is the important point: real-world randomness is key for getting a computer to generate a random number.