
Allow user to enter additional custom entropy for seed generation (combine user-entropy with os.urandom() in XOR-like fashion)

Status: Open. TheMastor opened this issue 11 years ago • 14 comments

With the NSA's shenanigans and also this fatal weakness in android there is cause to doubt the CSPRNG on many systems.

To satisfy this concern it would be important to allow users to input their entropy much like how TrueCrypt allows.

TheMastor, Jan 03 '14 20:01

this does not require any modification of the software. you can trivially do it yourself by "restoring" with your own seed.

ecdsa, Jan 04 '14 08:01

And how would I go about doing that?

Typing gibberish into the generate wallet from seed window errors out and always results in one specific watching wallet being generated.

TheMastor, Jan 13 '14 00:01

you have to choose 12 words from this list: https://github.com/spesmilo/electrum/blob/master/lib/mnemonic.py

you can use any method you want to choose the 12 words...

wozz, Jan 13 '14 00:01

What are you suggesting? Print it off and throw darts at it?

Surely you could implement something more practical. I was quite impressed by the random pool thing in truecrypt and I'm pretty sure the bitcoin community would appreciate the effort it would take to implement something similar.

TheMastor, Jan 13 '14 00:01

Or instead of just ungracefully erroring out and creating a useless watching wallet when a malformed seed is entered you could just use that as entropy (after informing the user via a dialog box).

TheMastor, Jan 13 '14 00:01

version 2.0 will no longer create wallets with malformed seeds. However, it will probably not let users use any random string

ecdsa, Jan 13 '14 08:01

hello. i want to use my own entropy bits that i got by flipping coins or whatever instead of electrum's randomness. but how? i made a BIP39 seed but you don't accept it and i don't know how to generate a valid electrum seed.

farzher, Jan 03 '19 00:01

also you won't accept an xpub, ypub, or zpub for a multisig segwit wallet. you want a Zpub. but that also seems to be a non standard electrum thing and i can't figure out how to generate one.

i just want to use my own entropy :(

farzher, Feb 24 '19 22:02

> i made a BIP39 seed but you don't accept it and i don't know how to generate a valid electrum seed.

You can use a BIP39 seed if you tick the checkbox.

> you want a Zpub. but that also seems to be a non standard electrum thing and i can't figure out how to generate one.

See https://github.com/spesmilo/electrum-docs/blob/master/xpub_version_bytes.rst x/y/z/Y/Z version bytes come from Electrum. Others started using the same thing. The only reason Zpubs are not really used by other wallets is because no one else supports segwit multisig. The reason why multisig uses different version bytes is explained at the above link. You can use the convert_xkey CLI command to convert between different xpub version bytes.

SomberNight, Feb 24 '19 23:02

i have to use electrum mobile version for offline key generation. the BIP39 option doesn't exist there :(

but thank you, i think i finally understand the xpub insanity. convert_xkey isn't too useful, because i don't have an offline computer. but at least i know exactly what source code to read to make a javascript implementation or something that i could run on my phone

farzher, Feb 24 '19 23:02

please reopen this.

mixing in an external physical source of entropy (e.g. dice throws) would allow generating mnemonics that are verifiably immune to false randomness from a backdoored CPU. the current reality is that most of the CPUs in use are backdoored.

here's how a Monero wallet inspired by Electrum, Feather implemented this:

  • https://featherwallet.org/changelog/#additional-entropy-from-dice-rolls
  • https://docs.featherwallet.org/guides/entropy-from-dice
  • https://github.com/feather-wallet/feather/blob/master/src/dialog/SeedDiceDialog.cpp

note that picking N words based on dice throws and manually "bruteforcing" the last word for a valid BIP39 mnemonic (what I suspect @farzher did, doable with at most 16 attempts for a mnemonic of length N=12) is not practically possible for Electrum-type mnemonics, due to the mnemonic hash prefix requirement: https://electrum.readthedocs.io/en/latest/seedphrase.html#version-number

chaserene, Jan 20 '24 12:01

> allow generating mnemonics that are verifiably immune to false randomness from a backdoored CPU

What do you mean by "verifiably"? If the code naively mixes in custom entropy, you won't be able to tell whether the provided entropy was really used or the backdoored CPU discarded it. Or is your threat model simply that randomness generated by the CPU is weak, but otherwise you trust the CPU to execute code as-is? And by verifiably immune you just mean that you can inspect the source code to see that what you provide as custom entropy is used in a sane way?

SomberNight, Jan 20 '24 18:01

I mean the two below:

> randomness generated by the CPU is weak, but otherwise you trust the CPU to execute code as-is? And by verifiably immune you just mean that you can inspect the source code to see that what you provide as custom entropy is used in a sane way?

chaserene, Jan 21 '24 17:01

Ok, I think it would be perfectly reasonable to allow that.

Unlike the option that existed in the past, which allowed the user to mix in their own entropy and then also provided a way that allowed the user to probabilistically check that the custom entropy was really used, it would be simpler and I think easier to write and validate code that just mixes in the provided entropy in a XOR-like fashion. (past option: https://github.com/spesmilo/electrum/issues/1574, https://github.com/spesmilo/electrum/issues/1964, https://github.com/spesmilo/electrum/issues/2070)

SomberNight, Jan 22 '24 00:01
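An added illustration (my own Python, not Electrum's code or anything proposed in this thread) of the XOR-style mixing SomberNight describes, fed by dice rolls as in the Feather guide chaserene links: each source is expanded with a labelled HMAC-SHA512 and the two expansions are XORed, so the result is no weaker than the more unpredictable of the two sources. The function names and the HMAC labels are my assumptions.

```python
import hashlib
import hmac
import math
import os


def dice_to_bytes(rolls, nbytes):
    """Pack a sequence of fair d6 rolls (values 1..6) into nbytes, big-endian.

    The rolls are read as one base-6 integer. A full 256-bit value needs
    ceil(256 / log2(6)) = 100 rolls; surplus high-order bits are dropped.
    """
    if not rolls or any(r not in range(1, 7) for r in rolls):
        raise ValueError("dice rolls must be a non-empty sequence of 1..6")
    value = 0
    for r in rolls:
        value = value * 6 + (r - 1)
    return (value % (1 << (8 * nbytes))).to_bytes(nbytes, "big")


def dice_entropy_bits(nrolls):
    """Entropy (in bits) contributed by nrolls independent fair d6 throws."""
    return nrolls * math.log2(6)


def expand_source(label, data, nbytes):
    """Spread one entropy source over nbytes with a labelled HMAC-SHA512.

    A distinct label per source keeps the two expansions from coinciding
    even if a user happens to type in the same bytes the OS produced.
    """
    return hmac.new(label, data, hashlib.sha512).digest()[:nbytes]


def mix_entropy(user_entropy, system_entropy, nbytes=32):
    """XOR the expanded user entropy with the expanded system entropy.

    Independent sources XORed together are at least as unpredictable as
    the stronger one, so weak os.urandom() output is covered by good dice
    rolls and a poor dice procedure is covered by a healthy os.urandom().
    """
    if len(system_entropy) < nbytes:
        raise ValueError("system entropy too short")
    h_user = expand_source(b"user entropy", user_entropy, nbytes)
    h_sys = expand_source(b"system entropy", system_entropy, nbytes)
    return bytes(a ^ b for a, b in zip(h_user, h_sys))


def generate_seed_entropy(rolls, nbytes=32):
    """Produce nbytes of seed entropy from dice rolls mixed with os.urandom()."""
    return mix_entropy(dice_to_bytes(rolls, nbytes), os.urandom(nbytes), nbytes)
```

The returned bytes are the raw entropy a mnemonic encoder would consume; the Electrum version-prefix check on the resulting mnemonic is a separate step and is not shown here.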