Author: Pavol Rusnak 2023-02-16 11:50:12
Published on: 2023-02-16T11:50:12+00:00
A message has been forwarded to the bitcoin-dev mailing list from Dr. Leon O. Curr and Professor Pearlwort Snead of the Department of Archaeocryptography at the Harry Q. Bovik Institute for the Advancement. The message discusses a secret society known as the Cult of the Bound Variable, which was recently discovered to have existed in the region around 200 BC and studied computation using sandstone "computers" with 32 glyphs. Cult members operated a system of cryptographic computations to safeguard their secrets, which could be carved into multiple tablets and scattered across the earth.

The email also introduces a proposal for a new BIP standard called codex32, which describes a method for backing up and restoring the master seed of a hierarchical deterministic wallet using Shamir's secret sharing. The proposed standard includes an encoding format, a BCH error-correcting checksum, and algorithms for share generation and secret recovery. Codex32 allows secret data to be split into up to 31 shares, each consisting of a string similar to a Bech32 string. The standard also aims to be simple enough for hand computation, but hand computation is optional and outside the scope of the standard. In this context, codex32 is presented as an alternative to BIP-0039 and SLIP-0039 for generating seed words. The regular 13-character checksum can accommodate up to 93 characters of data, corresponding to a 400-bit secret. The prefix MS1 is not covered by the checksum at this length, but if the prefix is damaged the user can enter the available data explicitly, supplying the suspected MS1 prefix. Regarding backward compatibility, it is possible to derive the BIP32 master seed from seed words encoded in BIP-0039 or SLIP-0039 and encode it in codex32.

Test vectors are provided to illustrate the use of codex32. Test vector 1 shows the codex32 format with no splitting of the secret into shares. The data part contains 26 Bech32 characters, which corresponds to 128 bits of master seed.
Test vector 2 generates a new master seed using "random" codex32 shares, including deriving an additional codex32 share. Test vector 3 shows how to split an existing 128-bit master seed into "random" codex32 shares; any three of the five shares can be used to recover the secret. Test vector 4 demonstrates how to convert a 256-bit secret into a codex32 secret. Finally, test vector 5 generates a new 512-bit master seed using "random" codex32 characters and appending a checksum.

The document describes a new Bech32-based format for encoding BIP-0032 HD master seeds and shares, called codex32. It defines how to convert a valid codex32 string into an HD master seed, how to split a master seed into multiple codex32 shares, and how to recover the master seed from a set of shares. The scheme is based on the observation that the Lagrange interpolation of valid codewords in a BCH code will always be a valid codeword. It allows for both regular and long codex32 strings, with the latter being necessary to support seeds longer than 80 characters.

The checksum size and identifier size have been chosen so that the encoding of 128-bit seeds and shares fits within 48 characters, while 256-bit seeds and shares fit into 74 characters. The document provides implementation details for verifying and creating checksums, as well as functions for deriving additional shares and interpolating shares to recover the master seed. The proposed codex32 standard offers more advantages than SLIP-0039, which encodes shares of exactly 200 or 330 bits and does not have error-correcting ability, support for versioning or metadata, or support for secret sharing.

The Bech32 format uses the letter Q to denote zero and P to denote one, while the digits 0 and 2 through 9 do not denote their numeric values but rather represent elements of GF[32]. The generating polynomial for the BCH code is extended from GF[32] to GF[1024] by adjoining a primitive cube root of unity, ζ.
The resulting polynomial generates a 13-character checksum. For long strings, a 15-character checksum is generated using a different polynomial, constructed from a selected value γ as a product of (x - γ^i) for specific values of i. The character 0 does not represent the zero of the field. Pavol "Stick" Rusnak, Co-Founder of SatoshiLabs, provided this information on the bitcoin-dev mailing list. Furthermore, a reference PostScript implementation and test vectors are given, but implementations in Python and Rust are expected to be added in the future.
Updated on: 2023-06-16T15:51:58.865522+00:00