Line data Source code
1 : // Copyright (c) 2017, 2021 Pieter Wuille
2 : // Distributed under the MIT software license, see the accompanying
3 : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 :
5 : #include <bech32.h>
6 : #include <util/vector.h>
7 :
8 : #include <assert.h>
9 :
10 : namespace bech32
11 : {
12 :
13 : namespace
14 : {
15 :
16 : typedef std::vector<uint8_t> data;
17 :
18 : /** The Bech32 and Bech32m character set for encoding. */
19 : const char* CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
20 :
21 : /** The Bech32 and Bech32m character set for decoding. */
22 : const int8_t CHARSET_REV[128] = {
23 : -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
24 : -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
25 : -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
26 : 15, -1, 10, 17, 21, 20, 26, 30, 7, 5, -1, -1, -1, -1, -1, -1,
27 : -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
28 : 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1,
29 : -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
30 : 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1
31 : };
32 :
33 : /* Determine the final constant to use for the specified encoding. */
34 75 : uint32_t EncodingConstant(Encoding encoding) {
35 75 : assert(encoding == Encoding::BECH32 || encoding == Encoding::BECH32M);
36 75 : return encoding == Encoding::BECH32 ? 1 : 0x2bc830a3;
37 : }
38 :
39 : /** This function will compute what 6 5-bit values to XOR into the last 6 input values, in order to
40 : * make the checksum 0. These 6 values are packed together in a single 30-bit integer. The higher
41 : * bits correspond to earlier values. */
42 54 : uint32_t PolyMod(const data& v)
43 : {
44 : // The input is interpreted as a list of coefficients of a polynomial over F = GF(32), with an
45 : // implicit 1 in front. If the input is [v0,v1,v2,v3,v4], that polynomial is v(x) =
46 : // 1*x^5 + v0*x^4 + v1*x^3 + v2*x^2 + v3*x + v4. The implicit 1 guarantees that
47 : // [v0,v1,v2,...] has a distinct checksum from [0,v0,v1,v2,...].
48 :
49 : // The output is a 30-bit integer whose 5-bit groups are the coefficients of the remainder of
50 : // v(x) mod g(x), where g(x) is the Bech32 generator,
51 : // x^6 + {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}. g(x) is chosen in such a way
52 : // that the resulting code is a BCH code, guaranteeing detection of up to 3 errors within a
53 : // window of 1023 characters. Among the various possible BCH codes, one was selected to in
54 : // fact guarantee detection of up to 4 errors within a window of 89 characters.
55 :
56 : // Note that the coefficients are elements of GF(32), here represented as decimal numbers
57 : // between {}. In this finite field, addition is just XOR of the corresponding numbers. For
58 : // example, {27} + {13} = {27 ^ 13} = {22}. Multiplication is more complicated, and requires
59 : // treating the bits of values themselves as coefficients of a polynomial over a smaller field,
60 : // GF(2), and multiplying those polynomials mod a^5 + a^3 + 1. For example, {5} * {26} =
61 : // (a^2 + 1) * (a^4 + a^3 + a) = (a^4 + a^3 + a) * a^2 + (a^4 + a^3 + a) = a^6 + a^5 + a^4 + a
62 : // = a^3 + 1 (mod a^5 + a^3 + 1) = {9}.
63 :
64 : // During the course of the loop below, `c` contains the bitpacked coefficients of the
65 : // polynomial constructed from just the values of v that were processed so far, mod g(x). In
66 : // the above example, `c` initially corresponds to 1 mod g(x), and after processing 2 inputs of
67 : // v, it corresponds to x^2 + v0*x + v1 mod g(x). As 1 mod g(x) = 1, that is the starting value
68 : // for `c`.
69 :
70 : // The following Sage code constructs the generator used:
71 : //
72 : // B = GF(2) # Binary field
73 : // BP.<b> = B[] # Polynomials over the binary field
74 : // F_mod = b**5 + b**3 + 1
75 : // F.<f> = GF(32, modulus=F_mod, repr='int') # GF(32) definition
76 : // FP.<x> = F[] # Polynomials over GF(32)
77 : // E_mod = x**2 + F.fetch_int(9)*x + F.fetch_int(23)
78 : // E.<e> = F.extension(E_mod) # GF(1024) extension field definition
79 : // for p in divisors(E.order() - 1): # Verify e has order 1023.
80 : // assert((e**p == 1) == (p % 1023 == 0))
81 : // G = lcm([(e**i).minpoly() for i in range(997,1000)])
82 : // print(G) # Print out the generator
83 : //
84 : // It demonstrates that g(x) is the least common multiple of the minimal polynomials
85 : // of 3 consecutive powers (997,998,999) of a primitive element (e) of GF(1024).
86 : // That guarantees it is, in fact, the generator of a primitive BCH code with cycle
87 : // length 1023 and distance 4. See https://en.wikipedia.org/wiki/BCH_code for more details.
88 :
89 54 : uint32_t c = 1;
90 2890 : for (const auto v_i : v) {
91 : // We want to update `c` to correspond to a polynomial with one extra term. If the initial
92 : // value of `c` consists of the coefficients of c(x) = f(x) mod g(x), we modify it to
93 : // correspond to c'(x) = (f(x) * x + v_i) mod g(x), where v_i is the next input to
94 : // process. Simplifying:
95 : // c'(x) = (f(x) * x + v_i) mod g(x)
96 : // ((f(x) mod g(x)) * x + v_i) mod g(x)
97 : // (c(x) * x + v_i) mod g(x)
98 : // If c(x) = c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5, we want to compute
99 : // c'(x) = (c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5) * x + v_i mod g(x)
100 : // = c0*x^6 + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i mod g(x)
101 : // = c0*(x^6 mod g(x)) + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i
102 : // If we call (x^6 mod g(x)) = k(x), this can be written as
103 : // c'(x) = (c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i) + c0*k(x)
104 :
105 : // First, determine the value of c0:
106 2836 : uint8_t c0 = c >> 25;
107 :
108 : // Then compute c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i:
109 2836 : c = ((c & 0x1ffffff) << 5) ^ v_i;
110 :
111 : // Finally, for each set bit n in c0, conditionally add {2^n}k(x). These constants can be
112 : // computed using the following Sage code (continuing the code above):
113 : //
114 : // for i in [1,2,4,8,16]: # Print out {1,2,4,8,16}*(g(x) mod x^6), packed in hex integers.
115 : // v = 0
116 : // for coef in reversed((F.fetch_int(i)*(G % x**6)).coefficients(sparse=True)):
117 : // v = v*32 + coef.integer_representation()
118 : // print("0x%x" % v)
119 : //
120 2836 : if (c0 & 1) c ^= 0x3b6a57b2; // k(x) = {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}
121 2836 : if (c0 & 2) c ^= 0x26508e6d; // {2}k(x) = {19}x^5 + {5}x^4 + x^3 + {3}x^2 + {19}x + {13}
122 2836 : if (c0 & 4) c ^= 0x1ea119fa; // {4}k(x) = {15}x^5 + {10}x^4 + {2}x^3 + {6}x^2 + {15}x + {26}
123 2836 : if (c0 & 8) c ^= 0x3d4233dd; // {8}k(x) = {30}x^5 + {20}x^4 + {4}x^3 + {12}x^2 + {30}x + {29}
124 2836 : if (c0 & 16) c ^= 0x2a1462b3; // {16}k(x) = {21}x^5 + x^4 + {8}x^3 + {24}x^2 + {21}x + {19}
125 :
126 : }
127 54 : return c;
128 : }
129 :
130 : /** Convert to lower case. */
131 255 : inline unsigned char LowerCase(unsigned char c)
132 : {
133 255 : return (c >= 'A' && c <= 'Z') ? (c - 'A') + 'a' : c;
134 : }
135 :
136 : /** Expand a HRP for use in checksum computation. */
137 54 : data ExpandHRP(const std::string& hrp)
138 : {
139 54 : data ret;
140 54 : ret.reserve(hrp.size() + 90);
141 54 : ret.resize(hrp.size() * 2 + 1);
142 553 : for (size_t i = 0; i < hrp.size(); ++i) {
143 499 : unsigned char c = hrp[i];
144 499 : ret[i] = c >> 5;
145 499 : ret[i + hrp.size() + 1] = c & 0x1f;
146 499 : }
147 54 : ret[hrp.size()] = 0;
148 54 : return ret;
149 54 : }
150 :
151 : /** Verify a checksum. */
152 29 : Encoding VerifyChecksum(const std::string& hrp, const data& values)
153 : {
154 : // PolyMod computes what value to xor into the final values to make the checksum 0. However,
155 : // if we required that the checksum was 0, it would be the case that appending a 0 to a valid
156 : // list of values would result in a new valid list. For that reason, Bech32 requires the
157 : // resulting checksum to be 1 instead. In Bech32m, this constant was amended. See
158 : // https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e for details.
159 29 : const uint32_t check = PolyMod(Cat(ExpandHRP(hrp), values));
160 29 : if (check == EncodingConstant(Encoding::BECH32)) return Encoding::BECH32;
161 21 : if (check == EncodingConstant(Encoding::BECH32M)) return Encoding::BECH32M;
162 2 : return Encoding::INVALID;
163 29 : }
164 :
165 : /** Create a checksum. */
166 25 : data CreateChecksum(Encoding encoding, const std::string& hrp, const data& values)
167 : {
168 25 : data enc = Cat(ExpandHRP(hrp), values);
169 25 : enc.resize(enc.size() + 6); // Append 6 zeroes
170 25 : uint32_t mod = PolyMod(enc) ^ EncodingConstant(encoding); // Determine what to XOR into those 6 zeroes.
171 25 : data ret(6);
172 175 : for (size_t i = 0; i < 6; ++i) {
173 : // Convert the 5-bit groups in mod to checksum values.
174 150 : ret[i] = (mod >> (5 * (5 - i))) & 31;
175 150 : }
176 25 : return ret;
177 25 : }
178 :
179 : } // namespace
180 :
181 : /** Encode a Bech32 or Bech32m string. */
182 25 : std::string Encode(Encoding encoding, const std::string& hrp, const data& values) {
183 : // First ensure that the HRP is all lowercase. BIP-173 and BIP350 require an encoder
184 : // to return a lowercase Bech32/Bech32m string, but if given an uppercase HRP, the
185 : // result will always be invalid.
186 269 : for (const char& c : hrp) assert(c < 'A' || c > 'Z');
187 25 : data checksum = CreateChecksum(encoding, hrp, values);
188 25 : data combined = Cat(values, checksum);
189 25 : std::string ret = hrp + '1';
190 25 : ret.reserve(ret.size() + combined.size());
191 871 : for (const auto c : combined) {
192 846 : ret += CHARSET[c];
193 : }
194 25 : return ret;
195 25 : }
196 :
197 : /** Decode a Bech32 or Bech32m string. */
198 58 : DecodeResult Decode(const std::string& str) {
199 58 : bool lower = false, upper = false;
200 1687 : for (size_t i = 0; i < str.size(); ++i) {
201 1636 : unsigned char c = str[i];
202 1636 : if (c >= 'a' && c <= 'z') lower = true;
203 346 : else if (c >= 'A' && c <= 'Z') upper = true;
204 314 : else if (c < 33 || c > 126) return {};
205 1629 : }
206 51 : if (lower && upper) return {};
207 48 : size_t pos = str.rfind('1');
208 48 : if (str.size() > 90 || pos == str.npos || pos == 0 || pos + 7 > str.size()) {
209 14 : return {};
210 : }
211 34 : data values(str.size() - 1 - pos);
212 981 : for (size_t i = 0; i < str.size() - 1 - pos; ++i) {
213 952 : unsigned char c = str[i + pos + 1];
214 952 : int8_t rev = CHARSET_REV[c];
215 :
216 952 : if (rev == -1) {
217 5 : return {};
218 : }
219 947 : values[i] = rev;
220 947 : }
221 29 : std::string hrp;
222 284 : for (size_t i = 0; i < pos; ++i) {
223 255 : hrp += LowerCase(str[i]);
224 255 : }
225 29 : Encoding result = VerifyChecksum(hrp, values);
226 29 : if (result == Encoding::INVALID) return {};
227 27 : return {result, std::move(hrp), data(values.begin(), values.end() - 6)};
228 58 : }
229 :
230 : } // namespace bech32
|
