The Sovereign Cypher -

Codex32 Mirrored Analog Computers

Greetings intrepid Bitcoiner. I’m glad your trip brought you here. We’re going to take a deep dive into Codex32. What is it? How does it work? Why is it useful? How can I create, verify, split, and recombine Bitcoin secret keys all by hand with no digital hardware or software, completely offline? How can I make my own Codex32 paper computers for free? And what are the current limitations of Codex32?

Don’t Trust. Verify.

These mirrored analog computers can be used to calculate bitcoin seeds, out in nature, far from any computers or electronic devices. You do all the math. No trust in hardware, software, or code you can’t read is required, only the hard assurances of math you can easily verify by hand. But why would anyone want to do this?

From Andrew Polestra, the developer behind Codex32;

“Computers can be infected by malware, their code could be malicious, they may leak secret data through side channels or by failing to delete things, and they may be buggy. These problems are nearly intractable when it comes to software, but they also apply to hardware, where verification requires complex tools and expertise. And as detailed inThe Age of Surveillance Capitalism, even computers that are "working correctly" are likely to be working against their users' interests.

By computing with pen and paper, we can be assured that no secret data appears anywhere we did not write it. We can create our own random data in a transparent way. We can choose how long we want to take to do various operations, confounding timing attacks. We can be assured that as long as our instructions are written somewhere, perhaps printed and stored in a safe, that our processes will remain compatible. And these assurances are not only real, but they feel real, giving us a peace of mind that electronic computers never can.” (Link to full article)

What about using hardware wallets? Here are some bullet points from the Codex32 book;

Even hardware wallets are opaque and imperfect:

• If tasked with generating random data, it may do so insecurely.
• It may have bugs that cause key leakage, either now or as a consequence of some future software update.
• Key material stored in physical form can be extracted by an attacker with physical access, even if the wallet has "deleted" it.
• It may expose secret data through side channels, such as the electromagnetic waves emitted by processor activity, or by the varying power draw from a USB hub.
• These risks have varying degrees of plausibility, but for a Bitcoin secret, which may exceed any one person’s lifetime, even "trivial" risks add up to become very serious.

A few more important points from the linked article above before we get into how to use Codex32 to generate bitcoin seeds, calculate and verify the checksums, and use Shamir Secret Sharing to split and recover the secret keys.

Verify backup integrity. Long-term storage media might become corrupted or worn down so that they become unreadable. There is a mechanism to detect and fix small numbers of independent errors, called an error correction code or checksum. The codex provides worksheets enabling users to create and verify checksums on their data. If the checksum passes, everything is good. If it does not you know you have a mistake. The process of creating a checksum takes 30-60 minutes, and needs to be done twice to catch mistakes made the first time. Verifying a checksum takes the same amount of time, and only needs to be done once.

Split and re-split the backup. This is the most interesting and powerful feature of codex32. The codex provides the tools to create a secret split across several "shares" such that the secret can be recovered by a threshold number of them. Typical threshold values are 2 or 3. If an attacker has fewer shares than this, they learn nothing about the secret.

With codex32, the process is that a user generates threshold-many random initial shares, then using these shares, derives additional shares as needed, up to 31 in total. Later, given enough shares, they can reconstruct the secret.

The derivation process ensures that if your initial shares have valid checksums, then the derived shares and final secret automatically will as well. This means that you can create your initial shares, compute their checksums, derive additional shares, and verify their checksums—and if you make any mistakes during this tedious process, the checksum worksheet will catch it.

How to Use Codex32 to

Create and Verify Bitcoin keys?

So how can you use Codex32 and these analog computers to do all this magic? First I’ll outline the steps and then we’ll get into them more deeply.

1. Choose if you want to split your seed, and into how many parts (2-of-3, 3-of-5, etc.)
2. Generate your Bitcoin key using 20-sided dice, the dice-debiasing worksheet, and the decision tree.
3. Calculate your checksum using the “Addition” wheel and checksum worksheet.
4. Verify your checksum.
5. Create your additional split Shamir Secret Shares using the Translation & Fusion wheels derivation tables, and the translation worksheet.
6. To recover your secret, use the Recovery Wheel and Translation Worksheet, or directly enter your seeds into a codex32-enabled wallet.

Here is a video that outlines the entire process:

Advanced users are encouraged to check out the git repo for the booklet, which is implemented in hand-written PostScript, or to read the mathematical companion for the underlying theory.

Let’s create some Bitcoin Keys and split them using Shamir Secret Sharing.

First, we need to decide if we want to split our Bitcoin secret key into Shamir Secret Shares or not. For this example, we will split the keys into a 2-of-3 setup. The number “2” becomes the 4th character in our key. Below you can see this is (k), our Recovery Threshold. This means we need at least 2 shares to reconstruct the secret key.

Next, we get to choose any four characters we’d like. Above in the picture “NAME” was chosen for these characters. These can be any Bech32 characters we choose. Below we can see a mapping of the characters to their binary numbers.

Once we have the first characters of the secret key created, we need to generate 26 characters of random data. To do this, we need our dice (from 6-sided up to 20-sided, the more sides, the easier to de-bias), our Addition computer, and the decision tree. Each dice should be a different color, and you’ll need 5 paper markers, one for each dice. It helps to make the marker the same color as the dice.

The way it works is like this. We need to make sure our dice rolls are truly random. Many times dice have imbalances that reduce the randomness of their rolls. Take 5 dice and roll them. Place a marker in the die pads for each die. Roll all 5 dice again and place the dice on the dice pads on the number they roll. If any roll the same number twice, you re-do both rolls.

Now you should have 5 dice and 5 markers on the 5 dice pads. We use the placement of the dice to follow the decision tree and arrive at a character of our secret key. If the die is to the right of the marker, take the right branch of the tree. If the die is to the left, go left. By the 5th branch, you arrive at a character. Do this 25 more times.

Here is the worksheet from the Codex32 book.

Now that we have the secret key generated, we need to calculate and verify the checksum. This is a special set of characters at the end of your key that verify the integrity of the key. We need to complete each checksum worksheet twice. Once to calculate the checksum and a second time to verify we haven’t made any mistakes in our math.

The amazing and beautiful thing is that if you make ANY mistakes at all in the math, you’ll see it immediately upon completing the final row of the worksheet. If the math doesn’t resolve to “SECRETSHARE32” you’ve made a mistake and need to do it again. If you see “SECRETSHARE32” you can be sure you’ve done the math correctly. It is a very easy-to-understand process. It takes about 1-2 hours to complete a checksum worksheet.

Here you can see the Translation worksheets (for k=2 and k=3), the checksum worksheet, the dice pads, and the decision tree.

Here are the checksum worksheet instructions from the Codex32 book;

Now that we have our first share completed, we can use that share to derive up to 31 more shares (and any 2 of these could unlock our secret key).

To do this we need the derivation tables and the Translation worksheet. The k=2 and k=3 tables are on the left and right sides of the Translation & Fusion computer.

Here are the Translation Worksheet instructions from the Codex32 book;

Once you have derived your additional shares, you need to complete a Checksum Verification Worksheet for each share to verify its integrity. If shares resolve to “SECRETSHARE32” you can be sure they are correct. If not, you need to go back over your work and find the errors. There is some error-correcting capability within Codex32, and I’ve successfully used it to correct a single-character mistake.

Fantastic! We’ve now created and Shamir Secret Split our Bitcoin key into a 2-of-3 setup.

We can now stamp these seed shares into steel, and burn all our paper worksheets. Ensure you’ve completely burned the paper to white ash and mix it up.

Okay, it’s 1000 years later and our descendants want to access the Bitcoin. Well, they need at least 2 of the 3 shares and the recovery computer.

Here are the instructions from the Codex32 book on recovering the secret using the mirrored computer;