Closed stepansnigirev closed 4 years ago
coinables
commented
4 years ago You believe that mixing mouse movements and CSPRNG would be more secure? The mouse movements are recorded as 0-9 for 8192 digits or 10^8192. That string is then sha256 hashed and that is used to generate the private key. Key gens with dice use only 6^99. Although I'm not opposed to using a mixture, just wondering if it genuinely increases entropy.
stepansnigirev
commented
4 years ago Generally using multiple sources of entropy is a good idea. Entropy of the mixture will always be better than any of the components. Plus using getRandomValues gives you some entropy for free - just a few lines of code and no user interaction.
I suggest to hash your mouse entropy together with CSPRNG just to be on the safe side - it doesn't harm.
coinables
commented
4 years ago Updated entropy function addMouseEntropy() to include browser CSPRNG in addition to mouse movement.
var mouseentropy = inputdata;
//Add cryptographically strong randomness to key generation
var bufferarray = new Uint32Array(64);
var csprng = crypto.getRandomValues(bufferarray);
var csprngStr = csprng.join("");
var mixedEntropy = mouseentropy + csprngStr;
var hash = bitcoin.crypto.sha256(mixedEntropy);
var d = bigi.fromBuffer(hash);
var nkeyp = new bitcoin.ECPair(d, null, {network: network});
Browsers have API for cryptographically strong random numbers - Crypto.getRandomValues(). Please don't rely only on mouse movements, include strong randomness available from the browser API. https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues