Thinking about this over the past couple of days has caused my cynicism, if not my paranoia, to stir a bit.
Knowing who is promoting the dice method (not only those linked in earlier posts) makes me suspect some motive other than interest in everyone else's security.
It then occurs to me that the method's argument rests on the entropy of your own "locally" rolled dice... so far so good... but isn't some entropy lost in the word list? All that entropy gets encoded into a very finite choice of words from a list someone else has published. That seems to me like a very good way to actually decrease all that wonderful roll-of-the-dice entropy after the fact!
I have not made any attempt to actually work out real numbers, but the math must involve not only the product of the choices (as repeated in the article), but also the granularity, the chunkiness, of the choices, which is never mentioned. Consider this...
Suppose I generate an unpredictable (as opposed to purely random) string of characters like $3cRitW355ayeG: 14 characters out of an alphabet of, say, 64 symbols. Even I could probably remember it, it would be very unlikely to be "guessed", and a brute-force attack would have to grind through however many choices from that alphabet it took before it cracked... I would consider it "safe enough" for most purposes, and I could make it arbitrarily long. Good enough.
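For what it's worth, the brute-force arithmetic on that string is easy to pin down, at least under the assumption (unlike my mnemonic above) that every character is drawn uniformly at random; the 64 and 14 are just the numbers from my example:

```python
import math

# Search space of a 14-character string over a 64-symbol alphabet,
# assuming every character is chosen uniformly at random.
alphabet_size = 64
length = 14

search_space = alphabet_size ** length          # 64^14 = 2^84
bits = length * math.log2(alphabet_size)

print(f"{search_space:.3e} combinations, about {bits:.0f} bits")
# -> 1.934e+25 combinations, about 84 bits
```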
Now, suppose I roll the dice 6 times and choose 6 words from a dictionary of 10,000. I might end up with a phrase about 30 characters long with all that good dice-generated entropy and should feel pretty good about it, right?
But in reality, I don't have 30 random unguessable characters; I have 6 random space-separated chunks, and my adversary knows with good confidence the list from which those chunks were taken, AND the separator character, AND whatever distribution information can be gleaned from the list (or may be encoded into it...).
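Put both views of that phrase through the same arithmetic and the gap shows up immediately. The list size and word count are from my example above; the 27-symbol "alphabet" in the naive view is my own stand-in for lowercase letters plus the separator:

```python
import math

# What the adversary actually searches: 6 draws from a known 10,000-word list.
list_size, num_words = 10_000, 6
print(f"word view: {num_words * math.log2(list_size):.1f} bits")      # ~79.7 bits

# What the raw string merely looks like: ~30 characters over 27 symbols.
# This is NOT the search the attacker has to run.
num_chars, alphabet_size = 30, 27
print(f"char view: {num_chars * math.log2(alphabet_size):.1f} bits")  # ~142.6 bits
```

So the ~30-character phrase actually carries fewer bits than my 14-character string, despite being roughly twice as long.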
On the surface, the math looks simple enough, but so did Dual_EC_DRBG, and we know how that has worked out! If you know a certain property of the Dual_EC parameters (a secret scalar d relating its two public points, P = d*Q) and can recover an output point, you can predict all subsequent outputs of the generator.
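To make that concrete, here is a toy Dual_EC-style generator over a tiny textbook curve, y^2 = x^3 + 2x + 2 (mod 17) with base point (5,1) of order 19. The curve, the trapdoor value, and the seed are all made up for illustration, and I'm skipping the output truncation that the real attack has to brute-force through:

```python
# Toy Dual_EC trapdoor demo; curve, points, d, and seed are illustrative only.
p, a, b = 17, 2, 2                     # curve y^2 = x^3 + 2x + 2 (mod 17)

def inv(x):
    return pow(x, p - 2, p)            # modular inverse (p is prime)

def ec_add(P1, P2):
    if P1 is None: return P2           # None stands for the point at infinity
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv((x2 - x1) % p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):                      # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

Q = (5, 1)                             # public point of order 19
d = 7                                  # the secret trapdoor...
P = ec_mul(d, Q)                       # ...P = d*Q; P and Q are both published

def step(s):
    """One (untruncated) Dual_EC round: new state, then one output."""
    s_new = ec_mul(s, P)[0]            # state update: s' = x(s*P)
    return s_new, ec_mul(s_new, Q)[0]  # output:       r  = x(s'*Q)

s = 11                                 # victim's secret seed
s, r1 = step(s)                        # attacker observes output r1
s, r2 = step(s)                        # attacker wants to predict r2

# Attack: lift r1 back to a curve point R = (r1, y); then
# d*R = d*(s'*Q) = s'*(d*Q) = s'*P, whose x-coordinate IS the next state.
for y in range(p):
    if (y * y) % p == (r1 ** 3 + a * r1 + b) % p:
        s_next = ec_mul(d, (r1, y))[0]
        r_pred = ec_mul(s_next, Q)[0]
        print(f"predicted {r_pred}, actual {r2}")   # they match
        break
```

The published P and Q look like innocent constants; only someone holding d can run that last loop.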
So which is better: a character sequence of unknown length and totally unpredictable ordering, or a much longer sequence composed of a few chunks with some known properties? I don't think the same math would apply to both cases.
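Here is the kind of search I mean, sketched in Python. An adversary who knows the list enumerates word tuples, never individual characters, so the cost is list_size ** num_words tries no matter how many characters the phrase contains; the four-word list, separator, and hash below are all placeholders of mine:

```python
import hashlib
from itertools import product

# Hypothetical stand-ins; a real attacker would load the actual published list.
WORDLIST = ["abacus", "banjo", "cobalt", "dingo"]
SEPARATOR = " "

def sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()

def crack(target_hash, num_words):
    # Enumerate word tuples, not characters: len(WORDLIST) ** num_words tries.
    for combo in product(WORDLIST, repeat=num_words):
        candidate = SEPARATOR.join(combo)
        if sha256(candidate) == target_hash:
            return candidate
    return None

print(crack(sha256("cobalt banjo"), 2))   # found within 4^2 = 16 tries
```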
I seriously have to wonder whether there isn't some known weakness, incidental or intentional, that could be exploited by having keys generated from a finite list of known chunks... it gives me pause...
Anyone with the time, knowledge, and interest to give this more thought?