Show HN: Satoshi9000 analog BTC key generator (mechanical)

The control box was a convenience and made the process fully programmable by the user. Which makes the machine far more flexible and useful.

I call it analog randomness because that's what I expect from the real world. For thousands of years, humans have used coins and dice to generate uncertain outcomes. And the fact that they typically generate only one of N outcomes (N=2 for coins, N=6 for common dice) is why humans use them. It is also why the Satoshi9000 uses them, and because its a kind of randomness that humans have an intuitive recognition of.

This generalizes to a die of N sides. Roll it N times. If you don't get all N distinct results, restart. If you do, then take the first result as your final outcome.

(That may take a lot of trials for large N. It can be broken down by prime factorization, like roll 2-sided and 3-sided objects separately, and combine them for a d6 result.)

* https://youtu.be/bJiOia5PoGE?si=IEhbNJk0C0-7_2Nj&t=229

* https://youtu.be/bJiOia5PoGE?si=3Se3lYFVAAkElx0w&t=245

I would take 256 quarters (sometimes fewer and accept that some might be tossed more than once) and toss them to get ones and zeroes. Tedious, and somewhat error prone (see below). Then do the calculations by hand, also somewhat tedious and error prone.

There is plenty of research that demonstrates that humans are poor at tossing coins in an unbiased way. People cheat (especially if money hangs on the outcome) and people are also lazy, so that the first toss is vigorous and diligent, and so the coin tumbles end-over-end many times before coming to rest for a result (heads or tails), but after several hundred tosses, the vigor and diligence are gone and the coin barely leaves their hand.

Part of my motivation in building the Satoshi9000 was to automate this manual process and at the same time take out human bias. Which is to say, automate away the human part and automate the math of key generation. But at the same time, make it secure by having the machine air-gapped (that is, no connection to the outside world beyond a power cord) with the ability to walk-away with anything that might leave a clue as to how, why and when the machine was last used; what I refer to as "walk-away randomness" in the video. After removing the coins, SD cards (OS and user programs) and printout, what is left is little more than a motor and some wires. An adversary looking to recover your keys would have no clue as to whether the machine had ever been used, yet alone what for. Maybe it was simply used to generate a quick-pick for tomorrow's drawing of Powerball. You would have now way of knowing.

(As an aside, you could even walk away with the remaining paper roll from the printer, so an adversary would not even know how much had been printed! Also, the printer uses no ink and has no buffer/memory, which was a deliberate choice in the design.)

I didn't think it wise for a public demo video to show everyone the private key!

Just like every aspect of the operation of the Satoshi9000, printer output is fully under the control of the user program. I simply put a "PAUSE(hit run to continue)" command between printing the key-pair properly, and printing the key-pair with the private key hashed out (the one visible in the demo video). The "PAUSE(hit run to continue)" appears in the "Log File/Debug" window while the program is paused.

The bit rate of the machine is around 4-bits per minute (time length of tossing/shaking is wholly under the control of the user - can be longer per shake), so for a 256 bit key it takes around an hour. But remember, Bitcoin keys are forever (or the remaining lifetime of the Universe, whichever is shorter), so taking an hour to generate it is short in comparison to its useful lifetime.

I hope that helps.

And, as you point out, given it generates randomness by tossing physical objects, it is naturally a low bit-rate machine.

The reason is simple. Humans are terrible sources of randomness. Especially true if money hangs on the outcome!

There are two principal components for bias of a coin or die toss/roll: 1) the coin or die itself (manufacturing defects, etc.), which if it exists is typically minuscule, and 2) the act of tossing or rolling by a human (a twist of the wrist, or a flick of the fingers), whose bias is enormous and which, as I say, is particularly pronounced if money hangs on the outcome.

The Satoshi9000 solves problem 2, the human element, by removing the human from the process altogether. Other than to press the "run" button.

And today, most physical products require a combination of mechanical, electronic and programming skills. Fortunately, I have all three. I suggest people likewise diligently acquire all three.

It's also fun to build useful machines.

I worked in banking all over the globe for 30 years. I did not acquire my useful skills in that profession. Money yes. Useful skills no.

I acquired my mechanical/electronics/software skills long, long ago while a postgraduate in experimental physicist at Oxford, building space instrumentation. Why did I go into banking then, you ask? Poverty is the answer!

Those usually don't look and sound like they were made by Doc Brown.

Value proposition: The key value proposition of the machine is that it generates analog randomness in the physical world and converts it into digital (1’s and 0’s) randomness. Especially noteworthy is that it can do so in a visibly, and to a lesser extent audibly (the sound of an agitated coin or die), way that is easily recognized and understood by humans. Other ways of generating digital randomness do not have this characteristic and in some ways have to be considered opaque to the public at large in their method of generating randomness. It comes down to whether people trust their eyes more than a black-box and whether people want this characteristic when generating randomness they are going to use.

I venture to say that anyone, from 5 years old and upwards who saw the machine in operation would understand how it is generating randomness. Dice from prehistory have been used by humans to generate random outcomes, and from the first millennium BC, when coins arose, the same can be said of coins.

Consider a randomized clinical trial. You may have patients that are not technically sophisticated, but must be convinced that the randomized aspects of the trial are done in a way they understand and are willing to give their consent. The same can be said for lawyers.

"I'm not sure what this would add over, for example, entropy derived from a hash of the image of a camera's thermal noise profile." Do you think a 95 year old grandmother will understand the principles by which this type of randomness is created?

Mistrust the machine? Then simply don't use it. ("Don't trust them lying eyes!") What I can say in its favor is it's connected to nothing (air-gapped), you fully control every important aspect of the randomness (fully programmable). Don't like the coins you have? Simply take a quarter from your own pocket and put it in the shaker. Don't like the microcontroller provided, buy (for $4) your own and plug it in. Ditto for the other components. All sensors, motor etc. are commodity parts; replace them. I think this machine is more provably back-door free than any cryptographic machine out there. As I point out in the video, all they important parts used in the generation of randomness walk-away in the palm of your hand -- what I call "walk-away randomness" in the video -- and all that's left is a motor and some wires.

As to the bitrate. Yes, it is not a high bitrate machine, the bit rate of the machine is around 4-bits per minute (time length of tossing/shaking and vigorousness of shaking is wholly under the control of the user - can be longer per shake, faster or slower, or variable during the shake), so for a 256 bit key it takes around an hour. But remember, Bitcoin keys are forever (or the remaining lifetime of the Universe, whichever is shorter), so taking an hour to generate it is short in comparison to its useful lifetime.

I hope the detail, and some background, helps.

https://en.wikipedia.org/wiki/SIGSALY

https://news.ycombinator.com/item?id=20138230

I started my working life at age sixteen as a coal miner at the Deep Navigation Colliery in South Wales.

Today, building useful and interesting machines has a lot in common with coal mining. A lot of hard work, and the perpetual risk of being crushed to death by 1,000 feet of rock above you. (The last part is perhaps a bit of a stretch, but it oftentimes feels that way!)

So what I typically do is print a warning at the top and bottom of the printout urging the user to transcribe the important parts using archival paper and pen as soon as they can.

Also, if you look at the video, you will see an "Archival Printer" port on the front of the control box because I’m developing a printer that prints the keys (plus QR codes) on metal so they last for decades and perhaps centuries. That may be useful in estate planning where the key may be locked away in a safe, or a lawyers safe, for generations. But transcribing to archival paper and pen is relatively permanent (decades) and is easy and seems to work well (lawyers like it).

I think it would be a stretch to think you could pull a random person off the street, point to a wall of lava lamps, and ask "do you see the randomness, how does it work?" Whereas, I think if you pull a random person off the street, let them watch the Satoshi9000 do its thing, and ask "do you see the randomness, how does it work?" you might get an answer that makes sense.

That, in a nutshell, is the value proposition behind the Satoshi9000.

When I showed the machine to my son, Nate, a mechanical engineer, he thought it looked like something from a 1950's sci-fi movie like "Forbidden Planet". Back then, plastics were high-tech and new, and with the acrylic domes, the Satoshi9000 would not look out of place on the set of that movie.

He suggested that every coffee table should have one!

what is the point in having a source of randomness if you need to XOR with a random source? relatedly, if you have a source of randomness, (1) please share and (2) well, there's no real need to go down this particular rabbit hole at all, well, is there?

independent of all of that, you seem to be anthropomorphizing the XOR function a bit... sure, there are some contexts where "1"s "mean" something and "0"s don't (sparse coding? and yeah, that is some pretty generous contortion, but hey: we're all friends here, right?), but in the case of "randomness"* the whole point (presumably) is that predicting "1"s and predicting "0"s are both exactly the same thing: Sisyphean.

i'm not sure that the word "random" "means" any thing beyond "distribution that we cannot model". which is a fine definition, given that models are how we attack random number generation...

* mind you i challenge the reader to pray tell what "randomness" even really means in anything other than a pseudorandom context (aka used to justify the randomness of various algorithms). isn't it oddly instructive that we use something that would pass as a proxy for "random"ness as the basis for our official definition for the second? (Cesium-133). the "second" is no more real than it is random. random is defined via a threshold of non-randomness, and all that we value as discrete and integral in the world that exists beyond our minds (-- if it does, in fact, even exist (or even "exist")--) is a house built upon sand. well, worse than that: the universe "works" because Avogadro's Number is a hell of a lot closer to infinity than it is to zero, and that's good enough for me. log(N) < 100.

https://en.wikipedia.org/wiki/Fair_coin#Fair_results_from_a_...

Not fully actually:

https://plato.stanford.edu/entries/determinism-causal/#ClaMe...

That's a quite interesting idea. I will put more thought into that.

Thanks!