Proof That Mycelium Knows How To Make A Better RNG For Its Entropy Dongle. And Isn’t.

Myceliumi recently launched this Kick-a-gogo-thing for a paper wallet USB dongle that “never sees the internet” and is “super sekoor,” etc. Naturally, given that a not inconsiderable amount of time and energy are being put into S.NSA’s elephantineii Cardano, I made a funny:

Blessedly, a fellow named Rassah got at least one of the entendres and the tweet had precisely the desired effect: bringing those involvediii in the Mycelium Entropy to #bitcoin-assets for a chat.iv While I was away from the computer when Rassah finally stopped derping about “escrowless” escrow and his 1,000 BTC Prius and got down to business, here’s what transpired when he did. And we couldn’t have asked for a better conversation than this. For anyone fucking around with Bitcoin, this is a seriously important conversation to grok.v

So grab a bottle of wine and strap in. It’s a long one:vi

Rassah: Hey, can you guys tell me who BitcoinPete is?
mircea_popescu: ;;gettrust bitcoinpete
gribble: WARNING: Currently not authenticated. Trust relationship from user mircea_popescu to user bitcoinpete: Level 1: 2, Level 2: 7 via 8 connections. Graph: | WoT data: | Rated since: Fri Mar 28 09:14:47 2014
ThickAsThieves: Rassah, bitcoinpete is a b-a disciple going back roughly 6mos, he blogs and has a neat jewfronot sure his profession

Rassah: Huh. He’s actually the reason I’m in here in the first place. I followed his blog here, after he tweeted that Mycelium Entropy < dice, and agreed once I asked him if he would be interested in auditing out device. Peter Todd will be doing an audit too, ad I was hoping Bitcoin Pete was someone with some technical knowledge or something

mircea_popescu: Rassah tech knowledge in what field ?
Rassah: software, hardware, anything.
mircea_popescu: that’s a little confused.
mircea_popescu: whoa look, bitcoinpete’s only been rated since march huh. how time flies.vii

Rassah: Basically, we have people with reservations about the randomness and security of our entropy devices, despite not actually knowing how it works, and we are hoping to get some of tose people to back up their claims
mircea_popescu: i guess asciilifeform is the guy who’s done most re entropy.
Rassah: so tech knowledge enough to be able to check how the software works, and maybe hardware knowledge to know what chips are being used in the schematic. I haven’t heard a peep from asciilifeform, actually. Most complaints ave been from slush.

asciilifeform: !s asciilifeform mycelium
assbot: 5 results for ‘asciilifeform mycelium’ :

mircea_popescu: wait. were you looking for people with tech expertise or with complaint expertise ? anyway, footnote 5 prolly of most interest to you
Rassah: mircea_popescu: Typically they are one and the same. It’s rare that people who don’t know shit about a topic shit all over it. Unless they’re politicians
mircea_popescu: or on reddit.viii or on the internet. or 20. or having a bad day. or w/e.

Rassah: The only ones on Reddit who brought up issues were the ones I know to have technical backgrounds (slush, peter todd, a few others who backed up their concerns with actual technical questions). Most everyone else just went gaga over it. I kinda assumed BitcoinPete knew something about cryptography and security, considering his statement, followed by me asking if he’d be interested in doing an audit for us, and him agreeing. Though if he just blogs, I’m not sure if that will be worth our time or money

mircea_popescu: ;;seen bitcoinpete
gribble: bitcoinpete was last seen in #bitcoin-assets 3 hours, 16 minutes, and 52 seconds ago: <bitcoinpete> Rassah: neat rating comment from theymos “Holds BTC for the forum.”
mircea_popescu: guy shows up here about once a day, you can ask him in person and get an idea.

Rassah: Will do.
mircea_popescu: anyway, i still don’t know what it is or what’s to go gaga over.
Rassah: It’s a USB stick that you stick into your priner’s USB port, it detects a photo, and you hit print, making your printer print a bicoin paper wallet that’s never been exposed to the web. Soon as you pull the stick out, the keys are gone for ever. Basically an extremely high level entropy generator that uses that entropy to make secure paper wallets.
asciilifeform: Rassah:

mircea_popescu: Rassah is this thing atmel based ?
asciilifeform: Rassah: what must one do to verify – without a shade of doubt, in personal laboratory – that your device works as described?
Rassah: asciilifeform: Atmel SAM4L series running the software, with random number being generated only from SRAM, in combinaton with other things we’re considering, like a salt you can add in a TXT file. You can check what the software calls for

asciilifeform: Rassah: generated only from SRAM << your code reads a standalone sram? or atmel claims to produce rng output this way inside a black box micro ?
Rassah: I think standalone sram
asciilifeform: Rassah: I think << you are not the designer of this item ?
Rassah: asciilifeform: No, that would be a few of the Mycelium devs. They described a lot of it to me, since I’m working with them (I’m the one doing the public interaction thing, and running Indiegogo and such). I asked and can relay the Atmel/sram question. I think they are al asleep right now, since they’re in Austria

asciilifeform: Rassah: other question. in my own experiments, i found that sram powerup ‘static’ depends heavily on the die’s temperature. what, if anything, does your product do to verify that rng is actually functioning ‘as rated’ before bits are used in anger?
mircea_popescu: Rassah probably the better avenue would be for the graybeard in charge to show up here. people have tried this “i’m the pr, i’ll pass q’s along” thing before, it never works well, not necessarily through anyone’s specific fault, but things get escalated and magnified.
Rassah: In our tests, it still had plenty of entropy at 0ºC, but it smoothly went down to zero entropy around -20º. Maybe we should put warning stickers on these things saying “Caution – Chaotic System. Do not use in low entropy environments above the Arctic or below the Antarctic circle, unless exposed to external sources of energy” :)

asciilifeform: Rassah, mircea_popescu: then one last question, for if/when he does. value of adjacent sram cells is correlated. what, if anything, was done about this? (my guess – nothing but the usual ‘whitening’.)
mircea_popescu: asciilifeform i personally doubt anyone with hardware understanding touched the design, but then again how would i know.
asciilifeform: mircea_popescu: somebody had to crap out the physical unit.

Rassah: We can store part of the raw entropy into non-volatile memory and compare it on the next run. Since we have about 30 times more entropy than we need, we can afford it. This memory effect is already very unlikely; the probability that 1/20th of the SRAM behaves fine and the other 19/20th are stuck is much lower. Especially if the stored part is taken from a different SRAM area every time. We can also add secondary sources to the mix: – the built-in TRNG; nobody trusts these things anymore as primary sources, and we did not even consider its availability when choosing the processor, but it’s there and is probably perfectly fine and random; floating ADC inputs, as Peter suggested;- five independent RC oscillators. copy/pasted from reply

asciilifeform: floating adc inputs << you mean local radio station receiver !
Rassah: asciilifeform: this device was designed and assembled by the people workin on the bitcoincard. They all know hardware extremely well

kakobrekla: Rassah why don’t you get people who are actually doing this thing here before you do more damage?
asciilifeform: rc oscillators << you meant – ‘thermometers’
mircea_popescu: so it’s using an atmel micro but not for the trng ?
Rassah: kakobrekla: Damage?ix

Rassah: Ah, got a eply. Seems we’ll be using he Atmel provided SRAM after all. And “We will be doing our own analysis of data from several chips, and provide a raw entropy file for those who want to do their own for their specific device.” combined with “option to enter a user-supllied salt”
asciilifeform: /me ‘we’ll be using he Atmel provided SRAM’ << has probably read enough.
Rassah: So, we won’t be relying on Atmel’s RNG, and will be reading their SRAM directly
mircea_popescu: this doesn’t sound terribly mature somehow.
Rassah: mature in what way? Completed and researched? Or discussed at present?
mircea_popescu: asciilifeform no, this is your punishment for xmas.
asciilifeform: ehehe

Rassah: Is Atmel really that untrustworthy? Is there a better option?
Rassah as in i get the impression things may change or w/e. anyway. atmel is a us producer of black box transistor boxes.

asciilifeform: Rassah: ever encounter the concept of ‘auditability’ ?
mircea_popescu: this is a poor fit for the application.
Rassah: mircea_popescu: No, the hardware design is finished. Changes are only in software. Initial method of creating keys is done, we are just adding software patches to add more and more entropy sources to this thing.
kakobrekla: !b 1x

mircea_popescu: software does not add entropy.
asciilifeform: floating adc inputs! am i roasting in some sort of F-student hell now?
Rassah: I mean the chip and the hardware has a lot of stuff in there. The entropy is already there, but initially we figured the SRAM chip was overkill. The “software adding entropy” meaning we just add more code to grab entropy from more hardware and user sources
mircea_popescu: i see.
asciilifeform: Rassah: user sources ???

Rassah: Yes. If you plug this device into your PC while holding down the button, it shows up in “flash mode”, where instead of just a USB stick with a JPG on it, you get to see all the system and settings files. One of those files is a user provided salt (like diceware) that will be combined with the rest of the entropy sources to produce the final key
asciilifeform: Rassah: ‘combined’ in what sense? let me guess. a hash.
Rassah: key = H(salt||H(entropy)) with H(entropy) on a second sheet of paper so the user can verify it… or something. initially the idea was: Write a salt onto the stick. Then generate key = H(H(entropy_1) + salt) + H(H(entropy_2) + salt), and print all of [key, salt, H(e1), H(H(e1) + salt), H(e2), H(H(e2) + salt)]. (+ could be arithmetic addition or XOR; either should be fine.) The user can then verify exactly one of the outer hashes on an insecure computer, and can verify the additions by hand (literally, pen and paper, no computer)

asciilifeform: Rassah: why are you using whitening (hashing) in rng? and ‘because everyone does’ is not acceptable answer. because now your bits are… correlated.
Rassah: Oh, one other answer (one of the techs is awake): We know we’re getting sram because we are physically reading it.
asciilifeform: Rassah: do you actually believe that hashing can add (instead of subtracting) entropy?
Rassah: It may reduce entropy, but it increases he number of attack vectors, doesn’t it? Attacker would need both the hardware based RNG and the salt to compromise it
asciilifeform: Rassah: ‘we are physically reading it’ << how do you know this? that is to say, if both the reader and the sram are on one ic die, how can you substitute, e.g. a fake sram that never flips bits, to test ? picture a thoroughly, obscenely broken hash.

Rassah: Due to bits not always flipping because of temperature and outside environment, we will be testing for these issues already.
asciilifeform: Rassah: then it doesn’t matter what you did to plug in the random bits – they are smeared across the ‘ciphertext’ (if you will, the hash output) and can be inferred. ‘we will be testing’ >> how ? my purpose isn’t pedantry. try to apprehend: i buy your product, get a keychain-sized gizmo with a single chip. how do i verify that the package functions exactly as described?
Rassah: I understand. I’m glad you are asking these questionsxi

asciilifeform: Rassah: consider that you are now married to the physical characteristics of a particular model from particular vendor. e.g. next year atmel ships sram that’s non-entropic down to -40. without bothering to tell you. or it is ‘entropic’, but actually picks up Voice of America.

Rassah: asciilifeform: He’s writing. Give me a sec
mircea_popescu: Rassah seriously, this guy can’t irc or something ?
Rassah: mircea_popescu: Not realy. The reason I was hired is because they don’t have time or patience for that
mircea_popescu: Rassah well then i guess they don’t get to talk about it at all, to no-one’s particular detriment.

********** INTERMISSIONxii **********

goat apples

********** END INTERMISSION **********

Rassah: asciilifeform: from Nikita: Firstly, we’ll publish our analysis of data from chips and argue that it should apply to all chips, and whoever wants can get data from his chip and run our tools or make his own. (our device will be fully open source, so anyone can make one if they wish). Secondly, we zero out a word in memory and make sure it’s got enough 1s next time. If there was not enough power-off time, sram would retain its state and we’d read 0 and refuse to generate a key. We will check if the amount of 0 > x% and < y% (to check for deep-freeze temperatures) the Closer they are to 50% the better but since the sample amount is very large even a 10% value is technically enough

asciilifeform: Rassah: ask him if whitening is used anywhere.
Rassah: I asked. Can you tell me what whiteningxiii is? I’m not that techie :( hashing?
asciilifeform: Rassah: hashing as an attempt to ‘distill’ entropy.
mircea_popescu: whitening is the process of turning the banal 11111 string into b0baee9d279d34fa1dfd71aadb908c3f
mircea_popescu: which is supposedly “entropic”, up until someone tries to put your source through md5

Rassah: asciilifeform: Nikita says we use standard cryptographic hashes. Just for salt, for private and public keys, and other bitcoin specific things
asciilifeform: mircea_popescu: yes. some people, somehow, think this adds ‘entropy’
asciilifeform: Rassah: i drew you a picture:

Rassah: We don’t use hashing as a source of entropy, no. Only to combine ours with a salt
asciilifeform: Rassah: this is approximately the kind of pattern you end up with using sram on powerup. as you can see – if you turn this into a bitstring by pure ‘raster’ scan, it will contain mostly zero. by what means do you ‘collect the entropy’ ?

mircea_popescu: asciilifeform no matter. von neuman :D
Rassah: asciilifeform: We read the ram data directly
asciilifeform: mircea_popescu: von neumann of predictable bitstream is still predictable.
mircea_popescu: but debiased!
asciilifeform: mircea_popescu: compute von neumann of ‘0101010101’.
mircea_popescu: i suspect a trick.
mike_c: 00000
mike_c: what do i win

Rassah: asciilifeform: It’s a bit white (with 0’s), but it’s considerably more populated than that. This is the paper that we used to base this one, and it has some examples of the results
assbot: CiteSeerX — Power-up SRAM State as an Identifying Fingerprint and Source of True Random Numbers
asciilifeform: Rassah: we read the paper. (or at least, i did)
Rassah: ok
asciilifeform: Rassah: consider the title of the paper. do you see any apparent contradiction?xiv

Rassah: Hah, Nikita just ran the output from our device as an actual example
assbot: 0000200: 00001011 00101101 11010100 11101010 .-.. 0000204: 11111101 01111100 1 –
asciilifeform: Rassah: not very interesting, i’m afraid. let’s see the actual grid values – unprocessed. note that you would need to know the actual physical layout of atmel’s die, to draw this picture. do you?
Rassah: asciilifeform: We’ll publish thosexv
asciilifeform: Rassah: it would have to be an electron micrograph. taken by somebody other than atmel.

Rassah: Will Atmel know what your seed and other entropy sources are? If not, why does it matter?
asciilifeform: Rassah: atmel can replace your sram with whatever it likes.
Rassah: won’t that cost them way more?
asciilifeform: Rassah: including, e.g. one that functions as an sram on all days but every 5th christmas.xvi
Rassah: and won’t that make an excellent opportunity for someone to sell a device just like ours, using their own trusted sram chips? Maybe for more money, but more secure?
asciilifeform: Rassah: but all of this pales in comparison to another little observation. recall pg. 10 of the paper. ‘Skew shift is monotonic with respect to temperature. If an increase in temperature makes a neutral cell become 1-skewed, then decreasing the temperature will Fig. 11: This contour shows the probability distribution at 273 K and 323 K, of all cells that are neutral at 293 K. Note that the probability exceeds 0.04 at the highest points; these peaks are omitted to show the rest of the distribution with greater detail. See Section VI-B1 for discussion typically. ergo: if i have a sufficiently precise graph of the temperature of your unit over time, i can infer something about the sram and which cells are responsible for the bulk of the input to rng.

Rassah: asciilifeform: We’ve dealt with skew stuff too. I don’t remember what it was, but it was addressed (I think we have more than enough enropy to work with or something)
asciilifeform: Rassah: ‘Skew shift is monotonic with respect to temperature. If an increase in temperature makes a neutral cell become 1-skewed, then decreasing the temperature will make that same cell 0-skewed.’ << fixed bad paste. the skew we’re talking about isn’t rng output skew – the kind that can be addressed with von neuman’s algo, etc. it’s the actual physical effect you’re using.
Rassah: asciilifeform: From Nikita again: Most cells have too much skew to be useful. We suck entropy out of those whose skew is low. That’s why there is ~21:1 cell-to-entropy ratio at room temperature on most devices. They had one device from Microchip IIRC, whose entropy was much lower, but the others were very close to the 20–21 ballpark. We analysed data from MRD SoC, which is in the bitcoincard, and got the same 21:1 ratio. Then I put it in the freezer in the kitchen and collected data while it was cooling down. There was still plenty at 0ºC, but it smoothly went down to zero entropy around -20º. The cells with high skew are those which effectively constitute device signature. We can say that the skews are randomly distributed among cells during manufacture, and then remain fixed; temperature shifts all skews.

asciilifeform: Rassah: your friend has cemented my conclusion.xvii i can figure out which cells are responsible for the device’s output, merely by knowing your room temperature over time. and then all we have to do is run brute force over the narrowed set. (a few bits)
Rassah: asciilifeform: So, if I use an entropy device to generate paper walets, you can bruteforce it by recording the temperature in my room???
asciilifeform: Rassah: evidently.

Rassah: I plug it into my printer, and make a paper walet. I put it away, and send money to the paper wallet. Then you……
mircea_popescu: takes the stick, puts it in the freezer, melts it slowly, identifies the flip bits, counts them. tries all values of a few bits and finds your key.xviii
asciilifeform: mircea_popescu: i was hoping he’d figure it out, without you or i drawing the picture.
mircea_popescu: he’s not tech, is he.
asciilifeform: mircea_popescu: betcha the tech won’t read any of this.

Rassah: I am not tech, no. I wasn’t aware that these things actually retained any bits when you yank them out. and on the contrary, they are reading all of this
mircea_popescu: Rassah it’s not that they retain bits. it’s that they retain their behaviour.
asciilifeform: Rassah: if you read the paper, you will see that a small minority of sram cells is responsible for most of the ‘random’ behaviour.
mircea_popescu: all it takes is to find which, and/or count them
asciilifeform: mircea_popescu: incidentally, it may not eve be necessary to capture a particular unit. just one of her ‘sisters.’
mircea_popescu: same batch, yea, obv. with a little luck they are exactly identical. with a little less luck they’re identical but physically translated in the plane.

Rassah: So it’s a good thing we’re not relying on just SRAM fo the entropy then
asciilifeform: Rassah: also on voice of america picked up by loose adc inputs?

mircea_popescu: Rassah do you know what the cook said when the people in the restaurant didn’t like his shit soup ?
Rassah: asciilifeform: Nikita: Well, yeah, you can narrow the range down to about 8000 bits.
kakobrekla: mircea_popescu leave the bits you dont like? :)
mircea_popescu: kakobrekla lmao good one. but no, it was “thanks god i put some piss in there too, so it’s not all shit”
kakobrekla: lol
asciilifeform: lol!!
Rassah: :D

Rassah: asciilifeform: Work on this device was started in early September. So we have had a lot of tests on the chips by people who have been working on bitcoin cryptography for years now. So it seems as if they are aware of most of these concerns…
asciilifeform: Rassah: ‘they are aware of most of these concerns’ << and still did nothing. this, you realize, is an accusation of willful scammitude. not mere ignorance.xix

Rassah: Me: You’re basically saying that, even if they stole the device and examined it, or stole one that was made right after it with similar chip characteristics, they’d still have 8000 bits of entropy to dea with, making their brute forcing impossible?
Rassah: Nikita: Yes.

asciilifeform: Rassah: what size sram ?
Rassah: From another tech working on this: brute forcing Ends at > 50 bits for most algos. some primitive ones can be done up to 70 bits
Rassah: Nikita: Total size 32 kBytes, we use about 21 kB as entropy source.
asciilifeform: Rassah: there are not 8000 uncorrelated bits in there.xx
mircea_popescu: bruteforcing Ends at > 50 bits for most algos. some primitive ones can be done up to 70 bits << wtf nonsense is this ?

Rassah: Different guy who does the software commenting about the software side of it? I have no idea
mircea_popescu: etc
asciilifeform: there is some typical ‘confusion between the warm and the soft’ here. the only bits that matter are entirely independent (in the statistical sense) ones.
Rassah: asciilifeform: You will be informed when our sources are released and you are invited to give his opinion then <<– Apparently my official statement. “He’s wasting your time, that’s obvious now.” <<- not official statement
kakobrekla: lol

asciilifeform: Rassah: so! product sold first. sources published – sometime, maybe – later. interesting.
mircea_popescu: you know, i had told you this won’t work about an hour ago.xxi
Rassah: no, sources will be published before product is out
mircea_popescu: at least the fact that it’s been worked on since sept makes me feel a lot better.

Rassah: We have sources, we just don’t want cheap chinese knockoffs undercutting us before we even ship
mircea_popescu: how much is it gonna cost ?xxii
asciilifeform: Rassah: wait. you expect that your target market consists of people who would even contemplate buying a knockoff ?!!
Rassah: asciilifeform: Have you seen the chinese bitcoin mining market?
asciilifeform: Rassah: what do miners have to do with it ?

Rassah: And yes, if the software and hardware is completely open source and public, why wouldn’t someone want to sell cheaper knockoffs? We hope we can still sell outs at a premium, due to our reputaton and such, but… generic hardware is easy to reproduce
asciilifeform: actually i must admit that i am looking forward to these machines being produced, shipping, selling widely. because apparently there is only one way to educate people – let them piss on electric fence in person.

Rassah: asciilifeform: I take it you’re one of those who thinks the only way to create a paper wallet is to buy a used $100 laptop, use diceware with at least 20 words, use the laptop to hash that into your private key and address, write it down by hand on paper using a hard glass surface, and then burn the laptop?xxiii
asciilifeform: Rassah: hash!?

Rassah: asciilifeform: I use “hash” interchangeably with “compute with one of the inputs for the formula being your source of entropy, and the output being your private key. Or do you think that Bitcoin is not secure, because the bitcoin address is hashed from the private key?
asciilifeform: Rassah: i have a perfectly adequate source of physical entropy. actually a small crate of them at this point.
Rassah: asciilifeform: beer bottles and writin sourcecode while drunk?

BingoBoingo: Rassah: Address is hashed from public key…
mircea_popescu: details.
Rassah: BingoBoingo: I know. Priv > pub > address. I am shortening
BingoBoingo: If fucking is just about sticking your dick in a hole that accommodates it, I’m just going to get some pipe from the hardware store, saw it into dick length pieces, and sell them pocket pussies. What could go wrong???
mircea_popescu: isn’t this fleshlight in nucet ?
kakobrekla: and it does sell.

Rassah: This thing is made for people who are not techy (most of not bitcoiners) who won’t be bothered to create a Tails linux distro on a USB, generate addresses on them using Bitaddress or something, printing to a USB connected printer, and wiping the printer. I think this device, where you plug to into your printer and hit print, will make bitcoin a hell of a lot easier to secure for the masses. And it costs a fraction of what the other options are. So, yeah, it’s not perfect (with RNG nothing ever is). But it’ll helpxxiv

And so concludes our in-depth look at random number generation, the hardware we trust, and Mycelium’s newest toy.

Now, I can even more confidently stand behind what I said before: the Mycelium Entropy is no dice.

___ ___ ___

  1. Originally, Mycelium were those wallet guys. Now, they do ATMs and other random shit. Haven’t tried them personally and I’m really not inclined to either.
  2. Elephantidae have the longest gestation periods of any animal, somewhere in the order of 22 months. Which, at this rate, isn’t far off the mark. Currently, the Cardano looks like this :

    Which is Step 2 of 7 of elephant baby-makin’ in case you were wondering.

  3. At the time, I didn’t realize that Rassah himself was involved in the project, though I’d seen him on Twitter a few times.
  4. This strategy proved far more effective than the Taleb and (since removed) TLP videos. See, Twitter works!
  5. Y’know, grok!
  6. I’ve tweaked the convo for some semblance of brevity and flow.
  7. Especially when one nestles in just so.
  8. Or CoinDesk.
  9. Damage… to reputation. Y’know, the only thing we have left in that which has no fucking recourse.
  10. Good snag! This is lulzy shit.
  11. Good. This was exactly the fucking point. There can be no further claims of “we didn’t know.” Yes, you fucking did. And it’s entirely likely that you went along with your bullshit vending anyways. Because “it’s better than the alternatives,” which neatly reduces to “lethal injection isn’t as bad as a firing squad at dawn.”
  12. In the spirit of trainflakes.
  13. In cryptographykey whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key. [via Retardopedia]
  14. How does one identify true randomness?
  15. Actually, anyone want to seed a BitBet on whether Mycelium publishes the physical layout of Amtel’s die? Not that I’d expect it to be a popular bet, but no less so than the early World Cup bets.
  16. A neat idea, really.
  17. Check mate. Exactly what we were looking for. No way out now, Mycelium.
  18. Nifty, neh?
  19. Bingo.
  20. If a 10-word diceware paper wallet has ~130 bits of entropy, there’s no way on God’s Green Fucking Earth that this USB dongle is making 61.5x that.
  21. But what percentage of randoms seriously walk into #bitcoin-assets and listen to, nay obey, MP? 3%? 5%?
  22. The pre-ordered, crowdfunded Entropy will set you back $40.
  23. Rassah must be referring to those high entropy paper wallets everyone is always talking about.
  24. Famous last words?

10 thoughts on “Proof That Mycelium Knows How To Make A Better RNG For Its Entropy Dongle. And Isn’t.

  1. Rassah says:

    Where in this discussion is the “Proof That Mycelium Knows How To Make A Better RNG?” Did I mention something that would have been a good idea, but said we won’t be implementing it? Also, hearsay from someone not involved technically in the project, who was only relaying parts of the technical questions, with the rest being filled in by someone making big fat ass-umptions is not “proof” of anything.

    • Bitcoin Pete says:


      I very much appreciate that you took the time to drop by #bitcoin-assets for a chat. It seems to me that ascii and MP provided you and the Mycelium team with a technical perspective that should encourage debate, if not outright changes to your approach. I applaud your mission and only desire to bring attention to your execution.

      While I also appreciate that you’re not technically involved in the project, it couldn’t hurt to have someone who is, Nikita perhaps?, drop by #b-a in the near future. Broken telephone is a cliché for a reason.

  2. […] Charlatans still abound in the Bitcoin space. This is to be expected. Mt Gox only died this spring, finally. The death of Pirateat40's ponzi isn't a full two years ago yet. And people still approach Bitcoin with wonder that it could go from $12 per, to $6 per, to $1200 per, to $626.89 per. This advancement isn't magic. It is merely the product of the Lawsky's of the world ignoring this thing until it already has title to their being as they lack experience with actual economics of scarcity. […]

  3. […] smart then he’s been incredibly lucky. via #bitcoin-assets. And yes, Rassah is he of Mycelium Entropy fame. […]

  4. […] When people who can or do indeed know better act maliciously and stupidly, because its easier1 their transgressions can be highlighted for future lulz. While there exist apparatus for harnessing stupidity, ignorance, and naivety in the general sense […]

  5. […] Mycelium’s Entropy USB dongle and high entropy paper wallets. […]

  6. […] be paired with thinking. This is why altcoins are scams, why smart contracts are scams, and why run-of-the-mill entropy is a scam. There’s production of unwanted shit that seems like a good idea at the time, but […]

  7. Rassah says:

    FYI, article is outdated (is not “proof”) because the suggested brute forcing will get reduced from trillions of years to only millions, and also because the device uses two other sources of entropy (gate noise and built-in RNG, not including a salt you can provide yourself) in addition to the entropy source discussed in this covo.

    • The article doesn’t claim to be correct indefinitely, nor was this its purpose. Its purpose was to bring to light the difficulty of making TRNG, for the benefit of those at Mycelium, including yourself, as well as potential customers. In this regard, its timeless and proved most effective.

      With this success in mind, all I can say is that it seems that we also should’ve discussed seals and packaging. Lesson learned ?

  8. Rassah jumps ship from Mycelium barely half a year after FUCKGOATS being released. Awww…

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>