QR code data: shorter is better
A QR code can contain up to 4,296 alphanumerical characters. However, the larger the data, the more complex the QR code grid of black and white squares (modules) becomes, and the more difficult it is to scan.
QR code | Encoded information |
---|---|
![]() | Hello, World |
![]() | It is a truth universally acknowledged, that a single man in possession of a good fortune must be in want of a wife. However little known the feelings or views of such a man may be on his first entering a neighbourhood, this truth is so well fixed in the minds of the surrounding families, that he is considered as the rightful property of some one or other of their daughters. |
QR codes containing a URL are usually fine, as the size of a URL is typically between 20 and 150 characters. Even when encoding URLs, it is still useful to run the URL through a URL shortener and encode the shortened URL in the QR code. The simpler QR code leads to a better user experience, as it is faster to scan.
QR code | Encoded information |
---|---|
![]() | https://blog.coolmaze.io/posts/004-qr-code-shorter-data/#extra-long-list-of-parameters-making-the-qr-code-harder-to-read |
![]() | http://bit.ly/4g1WEGF |
The Cool Maze QR code
For Cool Maze, being fast is a crucial feature. Thus, we strive to encode as little information as possible in the QR code.
The prefix cmaz.io/ is not strictly necessary to make a transfer. As explained in the previous post, it is a convenience just in case someone reads it with a standard QR code scanner app. It is a very short domain name. Shorter is better.
The # symbol ensures that the text following it is never sent to the Cool Maze server, even when using a standard QR code scanner app, and opening its value as a URL in a web browser. In rare edge cases, this # provides better protection for the end-to-end encryption system.
The fragment a/ identifies the client displaying the QR code as “the coolmaze.io web page”. Other clients may coexist.
The last fragment is randomly generated by the web page coolmaze.io. It encodes a one-off routing ID, and a one-off cryptographic secret key.
The routing ID is a virtual address: this is where the cloud server will deliver the encrypted data. For this, the server needs to know the routing ID. Similarly, a postal worker needs the recipient’s address to deliver a letter, even if the letter is sealed. After the transfer, the routing ID is discarded and not reused.
The secret key is an AES symmetric key used to implement end-to-end encryption. For this to work, the cloud server must not know the value of the key. The key is known only by the computer browser that creates it, and by the mobile device that scans the QR-code. After the transfer, the secret key is discarded and not reused.
The size tradeoff
There is a tradeoff between making the routing ID and secret key “too short” or “too long”.
It is desirable to make them as short as possible, to make the QR code simple and fast to scan. It is also necessary to make them long enough to minimize the risk of accidental or malicious collisions.
The probability of collisions is calculated using the math of the Birthday problem, which states there is a 50% chance, in a group of 23 people, of 2 people sharing the same birthday.
If the routing ID were too short, then the total number of possible values would be too low, and two users may be using the same ID approximately at the same time. How bad is that? Delivering an encrypted resource to the “wrong” client would not compromise privacy, as the client would not be able to decipher it. However, the current transfer would fail for at least one of the users.
If the secret key were too short, then it would be possible for the server to guess it via a brute force attack, trying a few million possible values, which would defeat the purpose of end-to-end encryption. To prevent this, we settled on a secret key containing 126 bits of randomness.
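The tradeoff above can be put in numbers. The following is an added example, not code from Cool Maze: it checks the 23-people figure, applies the birthday approximation to a routing ID of a given bit length, and estimates the brute-force time for a key. The number of simultaneously live IDs and the guess rate are assumed values, not figures from this post.

```javascript
// Added example: birthday-bound arithmetic for the routing ID / secret key tradeoff.
// Workload figures (live IDs, guesses per second) are assumptions for illustration.

// Exact probability that at least two of n uniform draws from `space` values collide.
function exactCollision(n, space) {
  let pNone = 1;
  for (let i = 0; i < n; i++) pNone *= (space - i) / space;
  return 1 - pNone;
}

// Birthday approximation for an ID carrying `bits` random bits:
// p ≈ 1 - exp(-n(n-1) / 2^(bits+1)). expm1 keeps precision when p is tiny.
function idCollision(n, bits) {
  return -Math.expm1(-(n * (n - 1)) / Math.pow(2, bits + 1));
}

// Smallest ID length (in bits) that keeps the collision probability
// at or below maxP when n IDs are alive at the same time.
function minIdBits(n, maxP) {
  let bits = 1;
  while (idCollision(n, bits) > maxP) bits++;
  return bits;
}

// Expected years to brute-force a key: on average half the keyspace is tried.
function bruteForceYears(bits, guessesPerSecond) {
  const secondsPerYear = 365.25 * 24 * 3600;
  return Math.pow(2, bits - 1) / guessesPerSecond / secondsPerYear;
}

// The birthday problem as stated above: 23 people, 365 possible birthdays.
console.log("23 people:", exactCollision(23, 365).toFixed(3));
// Assumed workload: 10,000 routing IDs live at once, one-in-a-million collision risk.
console.log("min routing ID bits:", minIdBits(10000, 1e-6));
// A key with about 22 bits has only "a few million" values; 126 bits does not.
console.log("22-bit keyspace:", Math.pow(2, 22));
// Assumed attacker speed: 1e12 guesses per second against a 126-bit key.
console.log("years for 126 bits:", bruteForceYears(126, 1e12).toExponential(2));
```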
Scanning from afar
By default, the QR code displayed at coolmaze.io appears small. This is a good setting to let the user scan the computer screen, without having to move backwards with their mobile.
Clicking on the QR code enlarges it, which is more comfortable to scan from the back of a meeting room.
Size | Page aspect | Encoded information |
---|---|---|
Small | ![]() | cmaz.io/#a/3JNpGSTXapwHmoAJdxkZ0 |
Medium | ![]() | cmaz.io/#a/3JNpGSTXapwHmoAJdxkZ0 |
Large | ![]() | a/3JNpGSTXapwHmoAJdxkZ0 |
In its largest version, the QR code contains slightly different information, omitting the domain name cmaz.io. This further reduces the encoded string’s size, allowing for either a lower-resolution grid (fewer squares) or the same resolution with more squares dedicated to error correction. A user who clicks twice typically needs a QR code that is easiest to scan with the Cool Maze mobile app, and does not require a fully qualified URL.