Add Codex32 Support (Please) #689

Open
kiwihodl opened this issue Mar 6, 2025 · 3 comments

kiwihodl commented Mar 6, 2025

You're a wizard, Seed Signer.

Codex32 is a method of generating a bitcoin key(s), where you can split it using SSS (Shamir Secret Sharing). There is currently one wallet that has support for these keys:

https://github.com/BenWestgate/Bails

I believe, due to SeedSigner's DIY fashion, where its users want to verify as much as they can, this style of key generation is idealistically compatible. Why is it important further? I'll leave it to Blockstream's team, its [Codex32] creators, to explain the trade-offs further:

"How do Codex32 keys compare to BIP39?

BIP39 is a train-wreck of a protocol with the following issues, shared with neither codex32 nor SLIP39:

  • BIP39 is encoded using 11-bit words, making it extremely hard to convert it to any other format without use of computers.
  • BIP39 has a 4- or 8-bit checksum, which is too small to provide meaningful protection against random errors, and smaller than a single word, meaning that the "checksum word" also contains key data and so cannot simply be dropped.
  • Compounding this, because you can't drop the last word, BIP39 encodes 128-bit secrets in 132 bits and 256-bit secrets in 264 bits, so the data doesn't fit in normal data containers (e.g. codex32-encoded secrets).
  • BIP39's checksum uses multiple SHA2 iterations so it cannot be verified without the use of electronic computers or multiple days(!!) of hand computation.
  • BIP39's checksum provides zero protection against adversarial errors. It is easy to change even a single word of a BIP39 phrase in a way that it will appear to be valid and simply have no coins on it.
  • Consequently BIP39 cannot provide any error correction capability.
  • BIP39 seed words are converted to BIP32 seeds (what your wallet actually uses) using SHA-512 to extend the words to 512 bits, which is completely unnecessary and prevents you from simply converting the words to a BIP32 seed and forgetting about BIP39 entirely.
  • BIP39 does this by hashing the words themselves even though it supports wordlists in multiple languages and provides no in-band way to indicate which language is being used. Every part of this is an independent mistake in the protocol design.
  • I do not mean to disparage the authors of BIP39, who are intelligent, well-meaning, and have all made great contributions to the space. But BIP39 was designed in 2013 when the Bitcoin ecosystem as a whole was lacking the institutional knowledge that we take for granted today, and you can tell.

Unfortunately BIP39 is by far the most widely-supported mechanism for producing BIP32 seeds today, both because of its advanced age and because of the aforementioned protections against converting BIP39 words into anything better." - https://secretcodex32.com/faq/index.html

Repo:
https://github.com/BlockstreamResearch/codex32

You can see pertinent resources here for wallet developers:
https://github.com/BlockstreamResearch/codex32/blob/master/docs/wallets.md
BlockstreamResearch/codex32#57
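
Added example (not part of the original issue, and not SeedSigner or codex32 code): the BIP39 checksum arithmetic behind the quoted FAQ bullets, worked on 11-bit word indices so no wordlist is needed. It shows that 128 bits of entropy become 132 bits in 12 words and counts how many single-word substitutions still pass the checksum; the function names are hypothetical and the all-zero entropy is a constructed test input.

```python
import hashlib

WORD_BITS = 11  # each BIP39 word encodes an 11-bit index (2048-word list)

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the ENT/32-bit SHA-256 checksum and split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    return [(value >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]

def checksum_ok(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy part and compare."""
    total_bits = WORD_BITS * len(indices)
    cs_bits = total_bits // 33  # 33 phrase bits per checksum bit
    value = 0
    for idx in indices:
        value = (value << WORD_BITS) | idx
    entropy = (value >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected

def passing_substitutions(indices: list[int], position: int) -> int:
    """Count the 2047 other words at `position` that still pass the checksum."""
    hits = 0
    for candidate in range(2048):
        if candidate != indices[position]:
            trial = indices[:position] + [candidate] + indices[position + 1:]
            hits += checksum_ok(trial)
    return hits

if __name__ == "__main__":
    phrase = entropy_to_indices(bytes(16))  # constructed all-zero test entropy
    print(len(phrase) * WORD_BITS, "bits in", len(phrase), "words")
    print("last-word swaps that pass:", passing_substitutions(phrase, 11))
    print("first-word swaps that pass:", passing_substitutions(phrase, 0))
```

In a 12-word phrase the last word holds 7 entropy bits and only 4 checksum bits, which is why it cannot be dropped and why 127 of the other 2047 last words still validate. At any other position about 1 in 16 substitutions pass.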

@SeedSigner
Owner

Thank you for opening this for consideration, I will be looking at some of the material above.

@alvroble
Contributor

alvroble commented Mar 6, 2025

Hi guys! We have a draft PR (#636) which can serve as a proof of concept of SSS for SeedSigner. Maybe I could set something up to try and also build Codex32 import and/or export.

@kdmukai
Contributor

kdmukai commented Mar 7, 2025

@kiwihodl can you tldr what the inputs would be? I've only briefly flipped through the physical workbook and that was quite a while ago (TABConf 2023...?). And speaking of which, how long would a Codex32 + SeedSigner workflow take for a user? The workbook looked like it was a couple hours of work but I don't know how much of that would be offloaded to the SeedSigner's computation in this case.

So:

  • What user inputs to the SeedSigner?
  • Roughly how long would it take the user to prep those inputs?
  • Outputs are Shamir shares? If so, same wordlist as Trezor's?

Mild apologies that I'm not going out and just reading the docs myself, but while I'm mostly open to the idea of adding this, I'm not yet interested enough to invest the time to learn all the details. Just too many different rabbit holes in bitcoin so I try to limit how many I dive into.
