Add Codex32 Support (Please)

[kiwihodl]

You're a wizard, Seed Signer.

Codex32 is a method of generating a bitcoin key(s), where you can split it using SSS (Shamir Secret Sharing). There is currently one wallet that has support for these keys:

https://github.com/BenWestgate/Bails

I believe, due to SeedSigners DIY fashion, where it's users want to verify as much as they can, this style of key generations is idealistically compatible. Why is it important further? I'll leave it to Blockstream's team, it's [Codex32] creators, to explain the trade-offs further:

"How does Codex32 keys compare to BIP39?

BIP39 is a train-wreck of a protocol with the following issues, shared with neither codex32 nor SLIP39:

• BIP39 is encoded using 11-bit words, making it extremely hard to convert it to any other format without use of computers.
• BIP39 has an 4- or 8-bit checksum, which is too small to provide meaningful protection against random errors, and smaller than a single word, meaning that the "checksum word" also contains key data and so cannot simply be dropped.
• Compounding this, because you can't drop the last word, BIP39 encodes 128-bit secrets in 132 bits and 256-bit secrets in 264 bits, so the data doesn't fit in normal data containers (e.g. codex32-encoded secrets).
• BIP39's checksum uses multiple SHA2 iterations so it cannot be verified without the use of electronic computers or multiple days(!!) of hand computation.
• BIP39's checksum provides zero protection against adversarial errors. It is easy to change even a single word of a BIP39 phrase in a way that it will appear to be valid and simply have no coins on it.
• Consequently BIP39 cannot provide any error correction capability.
• BIP39 seed words are converted to BIP32 seeds (what your wallet actually uses) using SHA-512 to extend the words to 512 bits, which is completely unnecessary and prevents you from simply converting the words to a BIP32 seed and forgetting about BIP39 entirely.
• BIP39 does this by hashing the words themselves even though it supports wordlists in multiple languages and provides no in-band way to indicate which language is being used. Every part of this is an independent mistake in the protocol design.
• I do not mean to disparage the authors of BIP39, who are intelligent, well-meaning, and have all made great contributions to the space. But BIP39 was designed in 2013 when the Bitcoin ecosystem as a whole was lacking the institutional knowledge that we take for granted today, and you can tell.

Unfortunately BIP39 is by far the most widely-supported mechanism for producing BIP32 seeds today, both because of its advanced age and because the aforementioned protections against converting BIP39 words into anything better." - https://secretcodex32.com/faq/index.html

Repo:
https://github.com/BlockstreamResearch/codex32

You can see pertinent resources here for wallet developers:
https://github.com/BlockstreamResearch/codex32/blob/master/docs/wallets.md
BlockstreamResearch/codex32#57

[SeedSigner]

Thank you for opening this for consideration, I will be looking at some of the material above.

[alvroble]

Hi guys! We have a draft PR (#636) which can serve as a proof of concept of SSS for SeedSigner. Maybe I could set up something up to try and build also Codex32 import and/or export.

[kdmukai]

@kiwihodl can you tldr what the inputs would be? I've only briefly flipped through the physical workbook and that was quite a while ago (TABConf 2023...?). And speaking of which, how long would a Codex32 + SeedSigner workflow take for a user? The workbook looked like it was a couple hours of work but I don't know how much of that would be offloaded to the SeedSigner's computation in this case.

So:

• What user inputs to the SeedSigner?
• Roughly how long would it take the user to prep those inputs?
• Outputs are Shamir shares? If so, same wordlist as Trezor's?

Mild apologies that I'm not going out and just reading the docs myself, but while I'm mostly open to the idea of adding this, I'm not yet interested enough to invest the time to learn all the details. Just too many different rabbit holes in bitcoin so I try to limit how many I dive into.

[BenWestgate]

can you tldr what the inputs would be?

For import: its threshold amount of codex32 strings (48 characters). The "MS1" prefix can be assumed making it 45 bech32 characters. For T-1 subsequent shares the header (threshold & identifier) can be prefilled as all shares must match.

For generation:
User chooses a threshold, 4 bech32 character identifier (or default it to the 20-MSB of BIP32 fingerprint as bech32) and quantity of shares n.

If the user rolls their entropy they need threshold*128 random uniform bits.

how much of that would be offloaded to the SeedSigner's computation in this case.

Interpolation (generate fresh shares or recover secret) can be computed by SS. For generation from debiased dice rolls SS can also compute the checksums.

• Roughly how long would it take the user to prep those inputs?

If /dev/urandom is used a minute: inputs are threshold and optional identifier otherwise that plus threshold * 16 random bytes for direct information theoretic encoding. Takes 15-30 minutes to do with a coin.

• Outputs are Shamir shares?

They're called codex32 strings they're similar to bech32 addresses so no wordlist needed.

[BenWestgate]

I just published a Python library that implements this
https://github.com/benwestgate/python-codex32