Entropy Plate

Entropy Plate

A device to generate and store entropy.

Bitcoin Wallets & Entropy

A bitcoin wallet is generated from some data. For a secure wallet the data should be random. To generate random data an entropy source is required.

Most hardware & software wallets have an option to generate the entropy in software using random number generation. Entropy from multiple sources is combined - provided one source is random the combined entropy will be random.

The issue with software entropy generation is that for most users it is opaque.

Developers who inspect the code and build the software from source can verify that the entropy has been generated properly and is used to create the wallet.

But non developers (most wallet users) have no visibility into how the entropy has been generated.

To mitigate this some software / hardware wallets let users provide their own entropy. By entering the entropy on two wallets the wallet user can verify that the entropy is being used (because they see the same seed words on both wallets).

seedsigner/dice_verification.md at 59cff2fbd8a99355868f33dfa800d51bcce3ac3c · SeedSigner/seedsigner
Use an air-gapped Raspberry Pi Zero to sign for Bitcoin transactions! (and do other cool stuff) - seedsigner/dice_verification.md at 59cff2fbd8a99355868f33dfa800d51bcce3ac3c · SeedSigner/seedsigner

Entropy Plate Concept

The idea for this concept is to store the entropy used to create the wallet. This could mean that you don't need to make a backup of the encoded entropy (SeedQR or 12 words).


There have been two versions of this concept, the key difference being the item used to represent binary data.

The first design used ball bearings where a hole with no ball in represents 0 and a hole with a ball in represents 1.

The second version used coins where the orientation of the coin encodes the data (e.g. tails = 0, heads = 1).

This blog post explores Version 1.


The first version used ball bearings

To start a 3d printed guide is clamped to a brass plate. A centerpunch is used to mark 256 divets at the center of the holes.

The indentations are then drilled through with a 1.9mm drill bit.

Each hole is then chamfered using a chamfer bit.

This is DIY manufacure is very time consuming - if this concept were to be developed into a product the holes would need to be machined, stamped or laser/water jet cut.

The brass plate is then put into an enclosure with 128 steel ball bearings. The enclosure is tossed and turned to randomly position the ball bearings in the holes. The encosure must be carefully designed so that there is no bias with balls collecting on the edges.

The guide is then repositioned on top of the plate, trapping the ball bearings in position. Each ball bearing is punched / pressed / hammered into the chamfered hole. When the guide is removed the ball bearings stay fixed in place as they are in interference with the hole bore.

The random array can then be converted into binary reading from left to right, top to bottom. (A feature is required to know which is the top left corner of the plate.)

From top left reading right: 0011100111111100

Originally the hope was that this could be scanned with a QR library. It transpires that you can't just scan binary data with a QR code reader. QR codes have have finder patterns (the squares in the corners), alignment patterns (the little squares inside large QR code), are encoded with error correction (one of three levels), and have one of 8 different masks applied (the mask is overlayed on top of the encode data, any bits in the black cells are inverted).

For now my working assumption is that it is non-trivial to scan this array of binary data. If you know how to do this please send me a message on twitter.

Manual Data Entry

If scanning the data with a camera is not possible could the data be entered manually?

The answer is yes, but if a single bit is entered incorrectly the bitcoin wallet generated will be different and bitcoin will be lost.

A simple mitigation is to have the person inputing the data manually add up the number of 1 values (ball bearings) and enter that into a program. The program would compare this value to the calculated sum of the number of 1 values entered.

In a simple case let the true data be three bits: 001. The expected sum is 1 (0+0+1). Assume this sum is correctly computed and entered into the software.

Data Entered Error Calculated Sum Error Detected
001 none 1 No. Sums match
000 0 → 1 0 Yes, calculated sum greater than expected sum
011 1 → 0 2 Yes, calculated sum greater than expected sum
010 1 → 0 & 0 → 1 1 No. Sums match

If an equal number of positive and negative bit flips occur no error will be detected. This is a problem.

Because the plate has the data in a grid the rows and columns can be interrogated after entering the data and entered by the wallet user. The process would be enter all the data, enter the row sums, enter the column sums, enter the total.

A 2x2 grid of the data 1001 is assessed below. Start with the left most image. The data entered is in the 2x2 grid in the top left sector. The calculated sum for the rows, columns and total are shown. The expected sum for the rows, columns and total are also shown.

If an incorrect bit is entered there are three errors that can be detected (the row 1 sum, which is one higher than expected, the column 2 sum which is 1 higher than expected, and the total sum which is 1 higher than expected). In this case the wallet could prompt the wallet user to re-enter the bit for row 1 column 2.

If two incorrect bits are entered there are 2 errors. The third image shows an example where the bits in row 1 are both flipped. Now row 1 does not have a sum error, but columns 1 and 2 both have an error. The wallet could prompt the wallet user to re-enter the bits for row 1.

The only way the user can enter the plate data incorrectly and not have an error is if there are 4 errors. This is a special case, for a 2x2 grid of the data 1010 any combination of errors would be detected.  

After thinking through the problem it's clear that the most simple situation (fewest bitflips) where errors are not detected is when there are exactly 4 bit flips which take place in a box formation where those bits are 0110 or 1001. I don't know what this would be described as mathematically, perhaps a holow diagonal or anti diagonl matrix?

This is easiest to see with another example, 100,010,001. For this matrix there are three possible 4 bitflip errors that are not detectable.

It is possible to repeat this operation to find more complex error combinations that would be undetected. The below series of images shows how a second hollow diagonal matrix is identified after performing the first 4 bit flips. The rightmost matrix has 6 bitflips (errors) and no detectable errors.

Knowing the error correction under this scheme reconsider the original matrix. There are a vast number of 4 bitflip errors that could take place with a 16 x 16 matrix, but all require that perfect storm of errors.

exactly 4 bit flips which take place in a box formation where those bits are 0110 or 1001

Testing is needed to find out if this 'perfect storm' happens regularly.

This plate is designed to generate 256 bits of entropy but a recent twitter thread explained why 128 bits is sufficient. Future design iterations will be a 12x12 grid for 144 bits (the smallest square > 128).