Contents
- How random is the act of rolling dice?
- How safe are pseudo-random-number-generators?
- How to generate a seed phrase using dice?
- How much Entropy in your seed phrase is enough?
- What kind of dice do you need to generate random numbers?
- What do you need before you start generating your seed phase with dice?
- 1. Gather your pencil and paper, your dice, a BIP39 word list, and let's get ready to roll.
- 2. Before you roll the dice, what are the rules of the game when generating a seed phrase?
- 3. Now that you know the rules, let's start rolling.
- 4. How to Generate the last word (checksum) when generating a seed phrase from dice?
- How to guess the last word.
- Using a script to find the last word.
- Checksum script code
Generate a Seed Phrase using Dice.
Detailed steps to generate your seed phrase using 20-sided dice to ensure randomness.
Using dice to generate a BIP39seed phrase is one way to establish a very high level of confidence in the randomness and initial security of seed phrases - especially compared to the default wallet approach.
When choosing a method to generate seed phrases you have to ask yourself these questions: Do you trust that the device you are using is absolutely free from any malware? Furthermore, do you trust that the developers created a sufficiently random RNG? Even if you trust both, you can never be 100% certain. What is secure today, is not always secure tomorrow.
Using Dice or a calculator to generate your seed phrase removes all of these concerns by providing a truly offline and air-gapped environment to generate entropy. By taking the process offline, you can be certain that the resulting entropy is sufficiently random and free from corruption.Net-net, by using dice, the seed generation process happens completely offline, reducing the risks of compromise by interception.
TL;DR (concentrated takeaways)
Using dice to choose random numbers can be an effective way to guarantee randomness.
Numbers are picked by rolling balanced dice.
Determining the correct last word takes a few extra steps.
Setting up and cleaning up the environment(s) to remove any traces of the numbers generated can take some extra steps.
How random is the act of rolling dice?
Think about the last time you rolled dice - you used your hands and fingers to position and throw the dice, the dice hit the surface and rolled a bit before stopping. When rolling a pair of 6-sided dice, does anyone have a better than a ⅙ chance of guessing the outcome of each dice?
In the act of throwing the dice, there are many variables that contribute to the randomness - the velocity with which the dice are thrown, the trajectory from your hands to the surface, and the construction materials of the dice and the surface.
Even if you were to account for each variable, and try to throw the dice the same exact way each time, the end result would still be sufficiently random. This is why casinos all over the world allow table games using dice. If it were possible to always roll a 7, we would not see craps games in casinos.
How safe are pseudo-random-number-generators?
Avoid digital vulnerabilities in random number generation.
When using your desktop, laptop, or mobile device to generate entropy, you are relying on a specific implementation of randomness generated by a computer.
There is a challenge with this method: computers can only do what they are programmed to do. To get around this, computers make use of a pseudo-random-number-generator (PRNG). PRNGs generate a seed number that is fed into an algorithm to generate random-seeming bits.
PRNG's have had flaws in the past, and it is possible flaws will exist in the future. In 2008, Debian developers discovered a flaw in the PRNG implementation for OpenSSL, and the flaw had existed for 2 years before being discovered. In 2012, security researchers were able to find the private keys for some TLS and SSH servers, due to poor implementation of a PRNG - it did not generate sufficient entropy.
By using dice, all potential computer-based vulnerabilities are avoided.
How to generate a seed phrase using dice?
You will be using dice in this guide to generate the initial entropy, which is a measurement of randomness. The result of the dice rolls will be used as the source input to the process that outputs your seed phrase.
How much Entropy in your seed phrase is enough?
How much Entropy is enough?
A single word from a dictionary of 2048 words represents log2(2048) = 11 bits of entropy.
12 words * 11 bits = 132 bits of entropy.
That is our target :128 bits of entropy + 4 bits of checksum.
Why are 128 bits enough?
Realistically, a very powerful organization with lots of cash could hope to perform, say, at most 2^85 elementary computations (like encrypting an AES block) within a year -- it won't be discreet, and that's still less than the millionth part of the millionth part of a 2⌃128 space.
https://security.stackexchange.com/questions/102157/do-you-need-more-than-128-bit-entropy
Does our set of dice fit with our target entropy?
D20 dice entropy = log2(20) = 4,32.. (bits)
D10 dice entropy = log2(10) = 3,32.. (bits)
Total set entropy = D20 + 2*D10 = 4,32 + 2 * 3,32 ~= 10,97 bits of entropy per single roll (word),
so that way we get enough accuracy. The "missing" ~0,03 bits per word even multiplied with 12 words doesn't qualify for a whole single bit affected.
Further reading: Do you need more than 128-bit entropy?
What kind of dice do you need to generate random numbers?
You can use any amount of dice to generate a seed phrase, however, this guide will focus on using 2 x 20D dice and 1 x D100 dice (2 x 10-sided dice representing 0-99).
This fast method for generating your seed phrase requires having a specific denomination of dice at your disposal: 2 x 20-sided dice and 2 x 10-sided dice. A major advantage of this method is that it maps the dice roll directly to the BIP39 word list.
The possible results of your dice roll will start with 1, this is called human-index. Computers and BIP39 understand 0-index. According to BIP39, there are 2048 available word indexes, expressed as 0-2047. When you source your BIP39 wordlist, check to see if the numbers start with 0 or 1. As you work through this guide, if your BIP39 word list starts with 0, you will need to adjust the numbers of your BIP39 word list +1.
Dice Balance Check
Not even dice necessarily produce perfectly random outputs ... manufacturing flaws, damage, or wear can cause dice to favor some numbers over others. In gaming contexts, there have even been cases where dice have been intentionally tampered with to affect their outcome.
If you have concerns about the quality of the dice (how they were manufactured) and therefore the balance, it may be worth performing a quick balance check. The saltwater balance check involves putting a die in water that has been saturated with salt, and the die will float. You can then spin the die in the saltwater, and If your die keeps stopping with the same number facing up, something inside the die is making it unbalanced.
Further Reading: How to Salt Water test your Dice
What do you need before you start generating your seed phase with dice?
Pencil and Paper
Always use a pencil, and never use a pen. When you finish the process, destroy the paper you wrote on. This can be used by an attacker to guess your seed phrase.
BIP39 word list
The BIP39 word list is where you will pick the words of your seed phrase from. It is very important to get the word list from a reputable source. Recommended sources include the Bitcoin Github Rep.
Computer
A computer is needed to generate the checksum of your entropy. The checksum will be used to generate the last word, as specified in BIP39.
- It is very important during this step to not connect to the internet. An air-gapped computer is best, or consider using a live Linux USB, like Tails OS
- A safe and secure location
Be aware of your surroundings. Are you on camera? Can anybody see what you are doing? Your seed phrase is essentially all the keys to your cryptocurrency, and your SINGLE POINT OF FAILURE, until you securely back it up and destroy any floating copies.
1. Gather your pencil and paper, your dice, a BIP39 word list, and let's get ready to roll.
Since you are rolling multiple dice, it is important to read the results of your dice roll in the same manner for each roll - left to right, top to bottom, bottom to top, or right to left. By doing this you are removing human influence over the reading of your results. (For example, you could roll 2 and 8. This can be 28, or 82.)
In this method you will need the following denominations of dice at a minimum:
- 2xD20 dice, a 20-sided dice representing results of 1-20. It is very helpful if these dice are visually distinct from one another, as they each serve different purposes.
- 1xD100 dice, usually made up of 2x10-sided dice representing results of 0-99.
The above set of dice is what is needed to generate a single word from the BIP39 word list on each roll. It is possible to generate multiple words at the same time, speeding up the process even more. To do this, you will need the entire set of the above dice for each additional word per roll. For example, if you want to generate 3 words on each roll, you will need 3 sets of the above dice.
2. Before you roll the dice, what are the rules of the game when generating a seed phrase?
- The indicator dice rule: When rolling your dice, if a 1 is rolled from the indicator dice, disregard the result of the other D20 dice roll.
On a 20-sided dice, the possibility of rolling any 1 number is 5 percent. This matches very closely, but is not a perfect match, to the possibility of generating numbers 1-99 out of 2048 numbers - which is 4.8 percent.
When rolling your dice, if a 1 is rolled from the indicator dice, disregard the result of the other D20 result.
- The D20 dice rule: When rolling your dice, the D20 dice roll result is the first two digits of your BIP39 word list number, from 1-20
When reading the results of your dice roll, the first step is to always check the indicator dice. As long as the indicator dice roll result is not 1, the result of the D20 dice roll is valid. The BIP39 word list has 2048 possible numbers, and each digit can be represented as a 4 digit number, 0001-2048. The D20 dice roll represents the first two digits of your BIP39 word list number.
- The D100 Dice Rule: When rolling your dice, the D100 roll represents the last two digits of your BIP39 word list number, from 0-99.
3. Now that you know the rules, let's start rolling.
- Shake up the dice in your hands and roll them onto a dice tray or a flat surface
- First check the indicator dice, if the result is 1, disregard the result of the D20 dice roll and move to the D100 roll result, and write down 00 as your first two digits.
- If the result of the indicator dice is not 1, check the result of the D20 dice roll and write it down on your paper using a pencil. The result is the first 2 digits of your BIP39 wordlist number.
- Check the result of your D100 dice roll. The result of the D100 roll is the last 2 digits of your BIP39 wordlist number. Using a pencil finish writing the number down on your paper.
- Repeat the above process until you have 12 numbers written down. The numbers must be written down in order, from 1-12. Changing the order of the words introduces human bias, and reduces entropy.
Let's test your knowledge. The chart below will show two examples of dice roll results and their corresponding number on the BIP39 wordlist.
Dice Type | Dice Roll Result | Action/Number |
D20 Indicator Dice | 1 | Disregard D20 roll result |
D20 Dice | 18 | Indicator 1 - disregard result |
D100 Dice | 29 | Final Number: 29 |
Dice Type | Dice Roll Result | Action/Number |
D20 Indicator Dice | 11 | Indicator Inactive |
D20 Dice | 8 | 8 |
D100 Dice | 79 | Final Number: 879 |
4. How to Generate the last word (checksum) when generating a seed phrase from dice?
Now that you have all 12 numbers written down, it is time to correct the last word. The last word contains a checksum that needs to be accounted for.
In BIP39, a checksum is generated by getting the SHA256 hash of the initial source of entropy. In this case, the initial source of entropy is the results of your dice rolls. The last word of your seed phrase contains part of your initial entropy and part of your checksum.
See sidenote on Entropy.
There are two ways to do this: running a script in your web browser and guessing the last word.
How to guess the last word.
Yes, you read correctly - that last word can be guessed, however only if you have the first 11 words. This is because you already have the first 7 bits of the word already fixed as a source of entropy. And the "last" 4 bits are subject to select non-randomly, to match the checksum of the previous 128 bits.
To start, take your BIP39 word list and section it off into 16-word chunks. Next, take your 12th-word number and find which 16-word chunk it appears in. These are the 16 words that you will be trying to find which one completes your seed phrase. Only 1 of the 16 words will be accurate and complete your seed phrase.
The ideal way to do this is by using a hardware wallet. By using a hardware wallet, your seed phrase will never touch an internet-connected device. Simply start up your hardware wallet, and during setup select 'restore wallet' to enter a seed phrase. Enter the first 11 words in the wallet and then cycle through each of the 16 words as your last seed phrase word until you successfully generate your wallet.
Another method for guessing the last word is using a mnemonic code generator. Using this tool you can do the same process of trying each word of the 16-word chunk. When using a mnemonic code generator, the most important step is doing the process offline. It is best to do the process in a live operating system, like Tails OS, and never connect to the internet. If you can't use Tails, restart your computer and disable wifi and Bluetooth before proceeding.
A good mnemonic code generator is Ian Coleman's BIP39 Mnemonic Code Converter, it's open-source and trusted by the community. Simply enter your 11 words into the BIP39 mnemonic converter textbox, that you compiled from the source and is running on an offline computer, and cycle through each of the 16 words until the converter accepts your seed phrase as successful.
Using a script to find the last word.
When using a script to generate the last word, the most important step is to use a live OS like Tails, or take the necessary steps to create as sterile an environment as possible on your device. A good idea is to create a new user account on the device, and operate from that new account.
The following script is designed to be run in a web browser, with networking disabled, and in incognito mode. Once you are in a secure environment, open your web browser and open the console in developer tools. This script works by passing a variable containing your 12 words to a function, which calculates the checksum and generates the correct last word.
Checksum script code
To begin, paste the following script: function checksum12words(data) { if (data.length != 12) return console.log("ERROR: Need 12 words numbers as input") let binstr = (s,l =8) => s.toString(2).padStart(l,'0') let tohex = (bytes) => bytes.map( x => x.toString(16).padStart(2,0) ).join('') let bytes = data.map( x => binstr(x - 1, 11)) // convert 0-index to binary .join('').match(/.{1,8}/g) // split 8 bits .map( x => parseInt(x, 2)) // convert to UInt8 if (bytes.length != 17) return console.log("ERROR: Something is wrong, check your input") bytes.pop() // remove wrong 17th byte of checksum console.log("Entropy is :",tohex(bytes)) window.crypto.subtle.digest("SHA-256", new Uint8Array(bytes).buffer).then( x => { if (x.byteLength != 32) return console.log("ERROR: Wrong SHA256") let hash = new Uint8Array(x) let cs = binstr(hash[0]).match(/.{1,4}/g)[0] // Thats our checksum // Take byte 15 for full 11 bits of our final word let bits = [binstr(bytes[15]),cs].join('') if (bits.length != 12) return console.log("ERROR: Wrong final word bits") //console.log(bits) console.log("Your 12th word index is: " + (1+parseInt(bits.substr(1),2))) }) return "OK"
The next step is for you to add your BIP39 wordlist numbers, including the 12th word that is incorrect. This function uses the human-index numbers you generated, ie. numbers from 1 to 2048.
data = [101, 502, 962, 1400, 1607, 1817, 1090, 1827, 820, 1334, 156, 1073]
The final step is passing the data variable to the checksum12words function and calling it.
checksum12words(data)
The results of running the function will return "OK" if successful, will show you the entropy in hex, and will show you the correct final word. In our example below, the correct final word is 1078.
Entropy is : 0c87d5e0d77c8dc6220f226674d44dc3
"OK"
Your 12th word index is: 1078
Now you have your correct 12-word seed phrase! Write down the correct number for the 12th word on your paper, and clear your console history by right-clicking → clear console history. Next, restart your machine to wipe any leftover memory.
Now that you have generated your seed phrase, learn how to safely and securely back up your seed phrase, and how to import it into your favorite wallet.
After you have securely backed up your seed phrase take the following steps to ensure you leave no traces of your work. Carefully look at your BIP39 wordlist and all papers used in writing down your dice rolls, seed phrase words, and numbers. If anything is written down on paper - destroy it by burning or shredding. The purpose of destroying any paper used is to prevent someone from accessing your seed phrase by using information gathered from the papers.
Generate a Seed Phrase using Dice.
Detailed steps to generate your seed phrase using 20-sided dice to ensure randomness.
Max Skibinsky
Max Skibinsky is a serial entrepreneur, angel investor, and startup mentor. Most recently, Max was an investment partner with Andreessen Horowitz, where he focused on enterprise security and bitcoin and deals with Tanium, TradeBlock, and Digital Ocean. In addition to co-founding Vault12, Max leads the R&D team. Before that Max was the founder and CEO of Hive7, a social entertainment company that became part of The Walt Disney Company. In 2003, Max joined the newly formed Voltage Security, an encryption startup incubated at Stanford University, where he architected and designed an Identity-Based Encryption messaging system that was showcased at DEMO '04. Voltage was acquired by Hewlett Packard in 2015. Max has also advised and invested in many startups graduating from Y Combinator including Eligible, Transcriptic, and ZenPayroll. Max graduated with a masters' degree in theoretical and mathematical physics from Moscow State University.
Art Krotou
Art is a crypto-security expert and researcher with serial entrepreneurship background. Having a degree in physics and experiences in multiple cutting-edge industries like fintech, secure hardware and semiconductors, and identity gave him a unique multi-faceted perspective on the problem of key management for individuals in the crypto networks and the evolution of the internet in general.
In his current work, he is specifically researching how cryptographic keys can be inherited without posing a threat to 3rd parties in edge cases. In addition, he advocates for "fault-tolerance via secrets automation". He discusses the quantitative impact of user experience factors on the uptake of non-custodial solutions.
As one of his most notable accomplishments, he co-founded and led through the early years of the company that contributed to the complex technology behind Apple's recent M-series CPUs. He is also the creator of the most friendly and aesthetically pleasing, but nonetheless super secure and fault-tolerant hardware wallet - U•HODL.
Check out his curated series of "Vault12 Learn" contributions below, and follow him on Twitter and LinkedIn for more sharp insights.
Vault12
Vault12 is the pioneer in crypto inheritance and backup. The company was founded in 2015 to provide a way to enable everyday crypto customers to add a legacy contact to their cry[to wallets. The Vault12 Guard solution is blockchain-independent, runs on any mobile device with biometric security, and is available in Apple and Google app stores.
You will lose your Bitcoin and other crypto when you die...
...unless you set up Crypto Inheritance Management today.
It's simple — if you don't worry about crypto inheritance, nobody else will — not your software or hardware wallet vendors, not your exchanges, and not your wealth managers. So it's up to you to think about how to protect the generational wealth you have created, and reduce the risks around passing that wealth on to your family and heirs. What are the challenges with crypto inheritance?
- Crypto Wallets are difficult to use and do not offer crypto inheritance management. In fact, most of them tell you to write down your seed phrase on a piece of paper, which is practically useless.
- Some people back up their wallet seed phrases or private keys on paper, local devices like hardware wallets or USBs, or in the cloud. All of these options have severe drawbacks that range from hacking to accidental loss to disrupted cloud services.
- Software wallets operate onspecific blockchains, yet your crypto assets span multiple blockchains. For inheritance to work, you must be able to manage inheritance across every blockchain — now and forever.
Crypto Inheritance Management: Get ready today
Vault12 is the pioneer in Crypto Inheritance Management, and offers an easy-to-use and secure method for assigning a legacy contact to your crypto wallets. Vault12 Guard enables you to pass on your wallet seed phrases and private keys for any cryptos including Bitcoin (BTC) and Ethereum (ETH) to future generations. It's designed for everyday people, yet strong enough for Crypto OGs.
This innovative, decentralized system uses a hybrid approach of software fused with the Secure Element of phone devices (the Secure Enclave for iOS devices, and Strongbox for Google devices).
Vault12 Guard enables users to appoint one or more people or mobile devices as Guardians. The designated Guardians are entrusted to collectively protect the user's comprehensive collection of wallet seed phrases and private keys, which are safely stored within a decentralized digital Vault. Nothing is stored on cloud servers or Vault12 servers, and no assets are stored on local devices, making them less of a target.
The decentralized approach reduces points of failure and removes the necessity for regularly revising wallet inventories or modifying instructions for your lawyers (which could lead to privacy breaches). Simply put, Vault12 Guard is the best way to preserve crypto generational wealth.
Take the first step and back up your crypto wallets.
Designed to be used alongside traditional hardware and software crypto wallets, Vault12 Guard helps cryptocurrency owners back up their wallet seed phrases and private keys (assets) without storing anything in the cloud or any single location. This increases protection and decreases the risks of loss. Making sure you have an up to date back up is the first step in crypto inheritance management.
The Vault12 Guard app enables secure decentralized backups and provides inheritance for all your seed phrases and private keys across any blockchain, including Bitcoin, Ethereum, ERC-20, and other crypto wallets.
Note: For anyone unfamiliar with cryptocurrencies, Vault12 refers to wallet seed phrases and private keys as assets, crypto assets, and digital assets. The Vault12 Guard app includes a software wallet that works alongside your digital Vault. The primary purpose of this is to guard your Bitcoin (BTC) or Ethereum (ETH) wallet seed phrases, private keys, and other essential data, now and for future generations.