For high-entropy diceware passphrase generation (eg. paper wallets) you’re tasked with rolling five dice on a flat, even surfacei and recording the outcomes before corresponding said outcomes with the ~8k word dictionary to create a passphrase altogether more trustworthy and secure than you could ever derive from skimmed lines of Shakespeare.
This is all well and good in preventing Titanic-like, correcthorsestaplebattery-style disasters, but even still there are alarming degrees of room within which to fuck up, but perhaps not where you’d think. In our never-ending quest to address the weakest links in the digital security / finance chain, let’s address some of the issues that can arise from using improperly balanced dice.ii
The chart aboveiii was the result of my rolling shady Moroccan street market dice brought back from a recent family member’s vacation to the area for as long as I could be bothered to roll and record them, which was about 250 rolls. As you can see, there’s variance of upwards of 13.47% from expected on these handmade hunks of Fortune.iv Now, you might suspect that such a high degree of variance from the predicted outcomes is alarming enough to chuck the set entirely and head straight for the most razor-edged casino quality set you can feasibly lay hands on. But that’s not it at all. The issue with these Moroccan mongoloids is rather that all the dice manufactured by this vendor may be broken in the same way – that is, that every set of five dice is biased in the same way, and furthermore that our enemies are privy to this design. This may seem highly improbable to you, particularly as the African levels of workmanship make it all too clear that each of the five varies from the others in shape and form, but who’s to say that every pre-packaged set isn’t still identical ? Because if they were it’d be hiiiiiighly consequential!v
For comparison purposes, an online dice rollervi yielded a maximum deviation of 6.09%vii with, again, the largest sample size I could be bothered to tally (1182 “rolls”). But that’s hardly a free lunch either.viii
In summa : “YRMV” has never been better advised nor the scamminess of randomness better recalled. Still, unless your particular dice fall into enemy hands and their biases reverse engineered, or unless your location sufficiently surveilled to reveal their outcomes, suffice to say that old-fashioned physical dice are still safer than your average online widget.
Especially if you roast ‘em after rollin’ / toast ‘em after tumblin’.
___ ___ ___
- This idea about rolling dice on a “flat, even surface” is right out of the textbook, but why should we heed it ? No really, why ? The theory is that this creates the “fairest” set of outcomes, but is that really what we’re seeking here ? Or are we seeking outcomes that are maximally difficult to replicate by our enemies ? Should we roll dice on a laser-leveled marble table that we’ll enjoy meals atop for the next three decades or on a $10 bathroom floormat that we burn after using ?
It’s a foundational, pivotal question, this, but it’s not one I can answer for you. It just depends on your budget, imagination, and risk tolerance. The most important thing, however, is that you don’t use a playbook.
mircea_popescu: For a strict recap : 1. Power is not just what you have, but also what the enemy thinks you have. Arbitrage every difference, to your benefit. Punish the enemy ruthlessly when it dares challenge the latter part, Chinese or no Chinese, cartel or no cartel. 2. Never go outside the expertise of your WoT ; always go outside the expertise of enemy’s. 3. Make them live to their book of rules. If you also have a book of rules you lose.
It really doesn’t get much more succinct than that. [↩]
- For more on this fascinating area of research, as is so often the case, ye logs of thunder and lightning are less than silent on the matter :
pete_dushenski: Anyone here have experience physical rolling dice a lot ? Wondering how many times you rolled a set of 5 before you have sufficient confidence in their fairness. obviously, there’s no absolute answer to this inquest, just curious if anyone has bothered or if ‘casino dice’ are considered sufficient precaution.
asciilifeform: I admit that I’m a little curious re the widespread interest in dice. I can see generating, e.g., bitcoin private key (though do you have the stomach for the debiasing? what if you need 1,000 rolls?) but how about the k-value in sigs ? Will also roll dice for that ?
pete_dushenski: For the truly daft, what do you mean by ‘debiasing’ ?
jurov is curious, too
danielpbarron: Three dice rolls of any biased dice == 1 provably unbiased roll. Not really three though, and it could be infinity.
asciilifeform: ^ there is NOT a bound.
danielpbarron: If you roll doubles you have to roll again. And you probably have to roll the same die 3 times as opposed to rolling 3 dice once, unless there’s something i’m missing in all this.
mircea_popescu: pete_dushenski Look into L’Hospital. There’s a mathematical solution to “what is the probability of x specific configuration come out of y random process of given probabilities”
pete_dushenski: Will do.
asciilifeform: The boojum is that no mathematical process can create ‘additional’ entropy.
mircea_popescu: Of course not.
jurov: Is it even physically possible to make biased dice with, 50% less entropy output? (That can’t be detected by cursory inspection)
asciilifeform: Ask the opposite question. (How much entropy is there actually in a dice throw.)
mircea_popescu: Coupla bits ?
asciilifeform: That’s the notion. But do we know ?
mircea_popescu: Well yes.
asciilifeform: The other thing is, I have found that dice appeal to folks because ‘not electronic’, but these same people then go and generate, e.g., the key, with a computer…
jurov: Ideally it’s log2(6) = 2.58 bits
asciilifeform: It would be quite another thing if they used a pencil, but no.
mircea_popescu: It’s unclear to me exactly how not electronic they are. Dice roll off a table, that’s electrons at work.
jurov: Say you fudge the throws badly and in the end get only 2 bits per throw. That’s still pretty strong key after 100 throws.
asciilifeform boots up bricklispmachine and hands to mircea_popescu
mircea_popescu: Quest for “not electronic” interaction is a little lulzy to me thatsall
asciilifeform: jurov: Try to understand what I meant
jurov: I just explained how I understood it?
asciilifeform: We do not know much much information re future throws is actually, in fact, present in a dice outcome. It could easily be >0.
mircea_popescu: If the dice is biased.
asciilifeform: The ‘it has n bits’ ~presupposes~ the conclusion. All physical dice are biased.
jurov: And I am asking you how much bias do you usually estimate and why? By what physical process? If it’s like 20% as i wrote above, then it’s still fine, no?
asciilifeform: By throwing, clearly. Dice also, incidentally, wear.
mircea_popescu: But they do not wear in a predictible fashion, which is why I said maybe. Still, one really dedicated could create glass dice and sharpen the edge by the same process used to make the few-hundre-atom thick blades they use to cut microscope samples with and then throw it on a magnetic field.
jurov: You’re welcome to make a specifically worn dice that produces only ~2 bits of entropy. I suspect that would be very hard.
mircea_popescu: I’ll make it with 4 faces. “Worn”
asciilifeform: Actually it would be interesting to conduct ‘accelerated aging’ experiment on dice.
jurov: Oh I forgot to specify “it should be non-obvious”
mircea_popescu: “DWIM” ? This is not entirely a virgin field. There is even a special tumbler for this process.
phf: It came up in the logs before.
asciilifeform: I’d be quite surprised if it were virgin. phf: link?
phf: Actually, I’m misremembering. It’s someone built a tumbler to test dice bias, your conclusion was that he’s testing errors in his OCR.
asciilifeform: Ah I recall.
jurov: Well, if someone generates their keys with pre-worn dice and tumbler supplied by enemy and strictly following instructions on the tumbler…
phf: http://btcbase.org/log/2015-12-01#1334775 ☝︎
a111: Logged on 2015-12-01 19:22 BingoBoingo: http://www.markfickett.com/stuff/artPage.php?id=389 << Six sides good, more sides bad
asciilifeform: Other interesting question, IMHO, re any RNG, is – how much does enemy learn if he captures it. Is it safe to discard a set of dice ? Can Dr. Evil pick it up and learn a few bits of yer key. And I suppose everyone recalls the roulette laser. (And the entirely independent laserless cheat machine that used pure stats, in a shoe)
mircea_popescu: The problem of discards is not well solved to date. Which is why people just tend to burn everything.
asciilifeform: It is only a problem in ridiculously narrow trickle sort of RNG. Like dice, coin, roulette. Reason being that these cannot be health-tested with any regularity. Enemy can only learn something from a worn RNG if the owner himself had no way to meaningfully measure wear.
phf: Strategic superiority through judicial application of wood chipper.
asciilifeform: phf always carries his wood chipper ? Anyway IMHO any RNG which has measurable wear during normal operating life, is defective design.
mircea_popescu: phf judicious.
phf: That’s second time.
phf: A dice RNG is “defective design”. It’s all over the place, low tech solution right in the middle of high tech stack. Can’t make one at home, since bias. Wouldn’t really make key by hand either. Any optimizations turn to logical “why not flip electrons instead”. I’ve noticed the tendency though, friend told me that he’s generating work passwords with dicewear. I think it’s collective unconsciousness response to ongoing diddled hardware revelations.
- Source table :
- As seen here :
- Strictly speaking, this is probably more of a gray swan than a black swan, as it’s very easy to predict by a great many people with their heads screwed on straight! And so it is! [↩]
- I used Brock Jones’ doohickey because it had a useful dice history column on the right side, not because it’s “guaranteed random” or any other such histrionic snake oil befitting a 19th century patent medicine man. [↩]
- After ~250 “rolls,” the largest deviation was 9.33% from expected, showing that a larger sample size is useful for improving confidence in the fairness of a set of dice. And unlike Taleb‘s famous turkey, there’s no Thanksgiving for dice. [↩]
- The primary risk factor with online dice rollers is not only that their source code is frequently veiled and inaccessible but also that the service provider himself(or his webhost!) may be recording your dice rolls. Of course, some dice rollers allow you to work offline, which is recommended for obvious reasons, if still dependent on non-WoT workmanship. [↩]