0
Suppose you've created a random private key by rolling dices.
You've checked in the blockchain and nobody else has ever used the respective address of such private key.
Issue
Is this process reasonably safe to generate private keys?
Or, is there a subset of private keys that you should avoid due to known vulnerabilities in Bitcoin ECDSA (ie: something faster than brute force)?
3
Any 256-bit number between 0x1 and 0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141 is a valid private key. Assuming your random number is in that range (and it's extremely likely that is the case), it should be just as fine of a private key as any other number. In fact, you shouldn't even bother with checking if the address is already known because:
Be more concerned about how your key is generated, rather than is a particular number is vulnerable to some unknown attack. Make sure your dice rolls are done in such a way that every byte is just as likely as every other byte. I've used a D8 in conjunction with a coin flip in order to generate 4 bits at a time. If the coin is heads, I use the D8 at face value. If tails, I add 8. I count 16 (tails + 8) as 0. If you work it out, you'll see that this generates a perfectly random number between 0 and 15, or one hexit. Do this 64 times, and you have a 256-bit key.
> "[...] you shouldn't even bother with checking if the address is already known" I prefer being more cautious with that. If possible, I would also check against possible brainwallets ... – Mark Messa – 2018-01-10T04:40:25.317
1Suit yourself, but math says it's a waste of time, and logic says it doesn't give you an answer anyways. Anyone can generate a key that hasn't had its corresponding address broadcast. Also, your privacy has now been compromised. If someone checks an address that hadn't been seen on the network, it's pretty easy to associate an IP address with that address now. – Jestin – 2018-01-10T04:50:56.187
"math says it's a waste of time" Ok, I agree the chances are almost zero. However, since it is so easy to make such check, I think it is worthwhile. If any collision happens, it is an indicator that your random generator is biased and needs to be scrutinized. – Mark Messa – 2018-01-11T05:11:00.350
"your privacy has now been compromised." Your privacy will be compromised anyway as soon as you receive funds from an exchange. – Mark Messa – 2018-01-11T05:13:07.150
Nobody said anything about an exchange. Fiat has nothing to do with this. You were asking about generating numbers. I just want to make sure people understand that checking has privacy consequences. Also, it is literally more likely that an asteroid will kill us all by the time you finish reading this sentence than it is to have a key collison when using a good RNG (such as dice). If you think it's worth checking, then I'm confused why you're concerned with money more than the imminent death of our species. Seems weird. – Jestin – 2018-01-11T05:28:17.340
"I'm confused why you're concerned with money more than the imminent death of our species." As you mention: "when using a good RNG" .... one way to check your RNG is checking against collisions .... – Mark Messa – 2018-01-11T22:35:13.030
Checking a block explorer for a collision is a terrible way to check an RNG. I don't want to give anyone the impression that it's a good idea. Remember, when I respond to these comments I'm not really talking to you. I'm correcting the record for anyone who happens to stumble here. I'm sure you'll keep checking block explorers for your own piece of mind, but I want others to know this is not needed, proves nothing, and is potentially problematic. – Jestin – 2018-01-11T22:39:27.290
"Checking a block explorer for a collision is a terrible way to check an RNG." Ok, I agree. However, the other methods to check RNG are much more complicated (probably) than to check the blockchain. Therefore, the trade off might be reasonable towards blockchain check. A small step for a big relief ... – Mark Messa – 2018-01-12T01:35:03.227