Replying to jimbocoin 🃏

Not formally, no. I have fielded the concerns I’ve received by informal review by developing simulations, which are in the repo: https://github.com/jimbojw/seed-picker-solitaire

There are two ways to use the system: pick-and-replace or Solitaire (use the full deck as a seed). Both rest on the quality of the shuffling. Analysis of pick-and-replace is easier, because one may assume that each batch of shuffling is an independent, random sample.

Analyzing the Solitaire method is, as far as I can tell, intractable because it demands considering the joint distribution of deck orderings (of which there are 52!). My simulations use distributions in the value of the top card as a proxy for total entropy because the top (and bottom) cards change position least frequently during a traditional riffle shuffle.

Consider. You cut the deck, then interleave the cards. The new top card will either be the previous top card, or the top card from the other half of the deck when cut. There’s a distribution of probable cut locations (we can’t assume perfect cuts), so a closed-form analysis would need to model cut location probability in addition to interleaving.

By way of these simulations, I estimate that 12 shuffles is enough for a typical person to approach 99.99% of the available entropy, as measured by top card. A deck ordering represents ~225 bits of entropy. But since not all of the 52! orderings yield a seed phrase, and only 46 cards contribute, the actual preserved entropy of the Solitaire method I estimate to be ~205 bits.

The Bitcoin signature security threshold is 128 bits, so, if the aforementioned estimates hold, the ~205 bits from a 12x shuffled, Solitaire’d deck, encoded as 23 seed words, should be harder for one’s attacker to crack than creating a standard 12-word seed phrase by flipping a coin 128 times.

That is to say, I, personally, am satisfied with the Solitaire approach for generating 23-word BIP39 seed phrases. I would NOT recommend using this approach to make a 12-word seed phrase. For that, you need to use pick-and-replace, AND generate the 7 of 11 entropy bits encoded in the checksum word.
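The top-card proxy described above can be reproduced in a few dozen lines. The following is an added illustration, not code from the seed-picker-solitaire repository: it models each riffle with the Gilbert-Shannon-Reeds (GSR) shuffle (a binomial cut, so cuts are imperfect, followed by dropping cards from whichever packet is larger with proportional probability), repeats it k times from an ordered deck, and reports the entropy of the top card's distribution as a fraction of the 5.7 bits a uniformly random top card would carry. The shuffle model, the trial counts and the seed are assumptions of this example; a real hand shuffle may mix more or less thoroughly than GSR.

```python
import math
import random

DECK_SIZE = 52


def riffle_shuffle(deck, rng):
    """One Gilbert-Shannon-Reeds riffle (assumed model, not the repo's).

    The cut point is Binomial(52, 1/2), so a perfect 26/26 cut is only the
    most likely outcome; cards then drop from either packet with probability
    proportional to the packet's remaining size.
    """
    cut = bin(rng.getrandbits(DECK_SIZE)).count("1")  # popcount of 52 fair bits
    left, right = deck[:cut], deck[cut:]
    out = []
    i = j = 0
    while i < len(left) or j < len(right):
        n_left = len(left) - i
        n_right = len(right) - j
        # Drop from the left packet with probability n_left / (n_left + n_right).
        if rng.random() * (n_left + n_right) < n_left:
            out.append(left[i])
            i += 1
        else:
            out.append(right[j])
            j += 1
    return out


def shuffled_deck(num_shuffles, seed=0):
    """Return an initially ordered deck after num_shuffles GSR riffles."""
    rng = random.Random(seed)
    deck = list(range(DECK_SIZE))
    for _ in range(num_shuffles):
        deck = riffle_shuffle(deck, rng)
    return deck


def top_card_entropy(num_shuffles, trials, seed=0):
    """Shannon entropy (bits) of the top card's position after num_shuffles riffles,
    estimated from `trials` independent shuffles of a fresh ordered deck."""
    rng = random.Random(seed)
    counts = [0] * DECK_SIZE
    for _ in range(trials):
        deck = list(range(DECK_SIZE))
        for _ in range(num_shuffles):
            deck = riffle_shuffle(deck, rng)
        counts[deck[0]] += 1
    entropy = 0.0
    for c in counts:
        if c:
            p = c / trials
            entropy -= p * math.log2(p)
    return entropy


def entropy_fraction(num_shuffles, trials=4000, seed=0):
    """Top-card entropy as a fraction of log2(52), the uniform maximum."""
    return top_card_entropy(num_shuffles, trials, seed) / math.log2(DECK_SIZE)


if __name__ == "__main__":
    # Constructed run: watch the top-card proxy approach its maximum with more riffles.
    for k in (1, 2, 4, 7, 12):
        print(f"{k:2d} riffle(s): top card carries {100 * entropy_fraction(k):.2f}% of max entropy")
```

Two caveats worth keeping in mind when reading the numbers: the plug-in entropy estimate is biased slightly low for finite trial counts, so a value just under 100% after many shuffles is mostly sampling noise, and a near-uniform top card is a necessary condition for a well-mixed deck, not a sufficient one, which is exactly why the post calls it a proxy.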

Nice! Is it safe to say that pick and replace is generally more foolproof or nah?


Discussion

Assuming your shuffling/picking is random, pick-and-replace is better (higher entropy).

However, I’m skeptical about pick and replace for two reasons.

1. Since many games give some cards higher value than others, I would predict that some cards get handled more or less than others. For example, in 5-card draw, people are likely to keep high-value cards and discard low-value cards. Does this unequal wear pattern make a difference when using that deck to pick single cards at random? Would an attacker be able to make use of such a pattern? It probably doesn’t matter, but it’s something I think about. Using the full deck restricts the scope of unequal-wear-pattern effects.

2. People sometimes undermine their own entropy thinking that they’re helping. For example, using pick-and-replace, chances are ~73%* that you’ll see the same card in two seed words back-to-back. People might think they’re doing themselves a favor by tossing the repeat back and picking another, when in fact they’re introducing bias. Worse, memorable (high value) cards are more likely to be tossed back than less memorable cards. Using the Solitaire method makes it impossible to see duplicates.

I designed the Solitaire method to be easy to do and hard to mess up. As mechanical as possible, to try to avoid user-introduced bias.

* Doing the math:

- Chances of neither card matching a card in the previous tuple: 50/52 * 50/51 = 0.9427

- Chances of no back-to-back repeats: 0.9427^22 = 0.2729

- Chances that you’ll see at least one back-to-back duplicated card: 1 - 0.2729 = 0.7271 = ~73%