|
| 1 | +# For Wallet Developers |
| 2 | + |
| 3 | +Codex32 is a new format for BIP32 master seeds. It is essentially a replacement for |
| 4 | +BIP39 or SLIP39 seed words, and the user workflow should be much the same, except |
| 5 | +that: |
| 6 | + |
| 7 | +* The character set is different (bech32 characters rather than a wordlist). |
| 8 | +* Seeds may be split across multiple shares, rather than encoded as a single string. |
| 9 | +* It is possible to do specific error detection/correction during entry. |
| 10 | + |
| 11 | +There are two levels of wallet support: |
| 12 | + |
| 13 | +* The ability to import seeds/shares; here we essentially just have recommendations about dealing with errors. |
| 14 | +* The ability to generate seeds/shares on the device; here our guidance is more involved. |
| 15 | + |
| 16 | +We encourage every wallet to support importing seeds and shares, since |
| 17 | +* the technical difficulty is low (roughly on par with that of supporting Segwit addresses, plus optional error-correction support); |
| 18 | +* the added functionality is isolated from the rest of the wallet (once the seed is imported you don't care where it came from); and |
| 19 | +* beyond correctness of the code, there is little risk (no need to source randomness or execute potentially variable-time algorithms). |
| 20 | + |
| 21 | +Supporting seed generation is a little more involved so the tradeoff between |
| 22 | +implementation complexity and user value is less clear, especially since the |
| 23 | +Codex provides users instructions on doing generation themselves. |
| 24 | + |
| 25 | +## Error Detection and Correction |
| 26 | + |
| 27 | +Wallets MUST support detection of errors using the codex32 checksum algorithm. |
| 28 | +Wallets MAY additionally support error correction; such wallets are referred to as "error-correcting wallets (ECWs)" and have additional requirements. |
| 29 | + |
| 30 | +An ECW |
| 31 | + |
| 32 | +* MUST support correction of up to 4 substitution errors; |
| 33 | +* MAY also support correction of up to 8 erasures; |
| 34 | +* MAY support correction of further errors, including insertion or deletion errors. |
| 35 | + |
| 36 | +If a wallet is unable to meet these specifications, it is not an ECW and it SHOULD NOT expose error-correction functionality to the user. |
| 37 | + |
| 38 | +## Import Support |
| 39 | + |
| 40 | +Wallets MAY accept seeds whose length is any multiple of 8 between 128 and 512 bits, inclusive. |
| 41 | +Wallets SHOULD support import of 128- and 256-bit seeds; other lengths are optional. |
| 42 | + |
| 43 | +128-bit seeds encode as 48-character codex32 strings, including the `MS1` prefix. |
| 44 | +256-bit seeds encode as 74-character codex32 strings. For other bit-lengths, see the BIP. |
| 45 | + |
| 46 | +The process for entering codex32 strings is: |
| 47 | + |
| 48 | +1. The user should enter the first string. To the extent possible given screen limitations, data should be displayed in uppercase with visually distinct four-character windows. The first four-character window should include the `MS1` prefix, which should be pre-filled. |
| 49 | + * The user should not be able to enter mixed-case characters. The user MUST be able to enter all bech32 characters. ECWs MUST also allow entry of `?` which indicates an erasure (unknown character). Wallets MAY allow users to enter non-bech32 characters, at their discretion. (This may be useful to guide error correction, by attempting to replace commonly confused characters.) |
| 50 | + * If the header is invalid, the wallet SHOULD highlight this and request confirmation from the user before allowing additional data to be entered. An invalid header is one that starts with a character other than `0` or `2` through `9`, or one which starts with `0` but whose share index is not `S`. For shares after the first, a header is also invalid if its threshold and identifier do not match those of the first share. |
| 51 | +1. Once the first string is fully entered, the wallet MUST validate the checksum and header before accepting it. |
| 52 | + * If the checksum does not pass, then an ECW |
| 53 | + * MUST attempt error correction of substitution and erasure errors. |
| 54 | + * MAY attempt correction by deleting and/or inserting characters, as long as the resulting string has a valid length for a codex32 string. |
| 55 | + * If a valid candidate correction is found, the wallet MUST show it to the user for confirmation rather than silently applying it. |
| 56 | + * When displaying a candidate correction, wallets MAY highlight the corrected 4-character windows and/or the specific locations of substitution, insertion and/or deletion corrections. |
| 57 | +1. After the first string has been entered and accepted, the wallet now knows the identifier, threshold value and valid length. |
| 58 | + * If the first string had index `S`, this was the codex32 secret and the import process is complete. |
| 59 | + * Otherwise, the fourth character of the share will be a numeric character between `2` and `9` inclusive. The user must enter this many shares in total. |
| 60 | + * Wallets MAY encrypt and store recovery progress, to allow recovery without having all shares available at once. The details of this are currently outside of the scope of this specification. |
| 61 | +1. The user should then enter the remaining shares, in the same manner as the first. |
| 62 | + * The wallet SHOULD pre-fill the header (threshold value and identifier). |
| 63 | + * If the user tries to repeat an already-entered share index, they should be prevented from entering additional data until it is corrected, with the exception that `?` may be used as a share index arbitrarily many times. The wallet may guide the user by indicating that a share index has been repeated; if the user indicates that they are not repeating the share, the share index SHOULD be replaced by `?`. |
| 64 | + * If the checksum fails, the wallet MAY attempt correction by deleting and/or inserting characters. However, the wallet MUST assume the valid length of all subsequent shares is equal to the valid length of the first share, so the number of characters inserted and deleted must net out to the correct length. |
| 65 | +1. For all codex32 strings, if the entered string does not pass the checksum but the wallet is able to correct the errors (by substitution, insertion and/or deletion), the wallet MUST show the corrected string to the user and request confirmation that the corrected string **exactly matches** the user's copy of the data. The wallet MAY highlight the locations of changed characters. The wallet MUST NOT silently apply corrections without approval from the user. |
| 66 | +1. Once all shares are entered, the wallet should recover the master seed and import this. |
| 67 | + |
| 68 | +**The master seed should be used directly as a master seed, as specified in BIP32.** |
| 69 | +Unlike in BIP39 or other specifications, no PBKDF or other pre-processing should be applied. |
| 70 | + |
| 71 | +## Generate Support |
| 72 | + |
| 73 | +TODO |
| 74 | + |
0 commit comments