Bitcoin Core  21.99.0
P2P Digital Currency
bech32.cpp
Go to the documentation of this file.
1 // Copyright (c) 2017, 2021 Pieter Wuille
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <bech32.h>
6 #include <util/vector.h>
7 
8 #include <assert.h>
9 
10 namespace bech32
11 {
12 
13 namespace
14 {
15 
16 typedef std::vector<uint8_t> data;
17 
19 const char* CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
20 
22 const int8_t CHARSET_REV[128] = {
23  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
24  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
25  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
26  15, -1, 10, 17, 21, 20, 26, 30, 7, 5, -1, -1, -1, -1, -1, -1,
27  -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
28  1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1,
29  -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
30  1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1
31 };
32 
33 /* Determine the final constant to use for the specified encoding. */
34 uint32_t EncodingConstant(Encoding encoding) {
35  assert(encoding == Encoding::BECH32 || encoding == Encoding::BECH32M);
36  return encoding == Encoding::BECH32 ? 1 : 0x2bc830a3;
37 }
38 
42 uint32_t PolyMod(const data& v)
43 {
44  // The input is interpreted as a list of coefficients of a polynomial over F = GF(32), with an
45  // implicit 1 in front. If the input is [v0,v1,v2,v3,v4], that polynomial is v(x) =
46  // 1*x^5 + v0*x^4 + v1*x^3 + v2*x^2 + v3*x + v4. The implicit 1 guarantees that
47  // [v0,v1,v2,...] has a distinct checksum from [0,v0,v1,v2,...].
48 
49  // The output is a 30-bit integer whose 5-bit groups are the coefficients of the remainder of
50  // v(x) mod g(x), where g(x) is the Bech32 generator,
51  // x^6 + {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}. g(x) is chosen in such a way
52  // that the resulting code is a BCH code, guaranteeing detection of up to 3 errors within a
53  // window of 1023 characters. Among the various possible BCH codes, one was selected to in
54  // fact guarantee detection of up to 4 errors within a window of 89 characters.
55 
56  // Note that the coefficients are elements of GF(32), here represented as decimal numbers
57  // between {}. In this finite field, addition is just XOR of the corresponding numbers. For
58  // example, {27} + {13} = {27 ^ 13} = {22}. Multiplication is more complicated, and requires
59  // treating the bits of values themselves as coefficients of a polynomial over a smaller field,
60  // GF(2), and multiplying those polynomials mod a^5 + a^3 + 1. For example, {5} * {26} =
61  // (a^2 + 1) * (a^4 + a^3 + a) = (a^4 + a^3 + a) * a^2 + (a^4 + a^3 + a) = a^6 + a^5 + a^4 + a
62  // = a^3 + 1 (mod a^5 + a^3 + 1) = {9}.
63 
64  // During the course of the loop below, `c` contains the bitpacked coefficients of the
65  // polynomial constructed from just the values of v that were processed so far, mod g(x). In
66  // the above example, `c` initially corresponds to 1 mod g(x), and after processing 2 inputs of
67  // v, it corresponds to x^2 + v0*x + v1 mod g(x). As 1 mod g(x) = 1, that is the starting value
68  // for `c`.
69  uint32_t c = 1;
70  for (const auto v_i : v) {
71  // We want to update `c` to correspond to a polynomial with one extra term. If the initial
72  // value of `c` consists of the coefficients of c(x) = f(x) mod g(x), we modify it to
73  // correspond to c'(x) = (f(x) * x + v_i) mod g(x), where v_i is the next input to
74  // process. Simplifying:
75  // c'(x) = (f(x) * x + v_i) mod g(x)
76  // ((f(x) mod g(x)) * x + v_i) mod g(x)
77  // (c(x) * x + v_i) mod g(x)
78  // If c(x) = c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5, we want to compute
79  // c'(x) = (c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5) * x + v_i mod g(x)
80  // = c0*x^6 + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i mod g(x)
81  // = c0*(x^6 mod g(x)) + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i
82  // If we call (x^6 mod g(x)) = k(x), this can be written as
83  // c'(x) = (c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i) + c0*k(x)
84 
85  // First, determine the value of c0:
86  uint8_t c0 = c >> 25;
87 
88  // Then compute c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i:
89  c = ((c & 0x1ffffff) << 5) ^ v_i;
90 
91  // Finally, for each set bit n in c0, conditionally add {2^n}k(x):
92  if (c0 & 1) c ^= 0x3b6a57b2; // k(x) = {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}
93  if (c0 & 2) c ^= 0x26508e6d; // {2}k(x) = {19}x^5 + {5}x^4 + x^3 + {3}x^2 + {19}x + {13}
94  if (c0 & 4) c ^= 0x1ea119fa; // {4}k(x) = {15}x^5 + {10}x^4 + {2}x^3 + {6}x^2 + {15}x + {26}
95  if (c0 & 8) c ^= 0x3d4233dd; // {8}k(x) = {30}x^5 + {20}x^4 + {4}x^3 + {12}x^2 + {30}x + {29}
96  if (c0 & 16) c ^= 0x2a1462b3; // {16}k(x) = {21}x^5 + x^4 + {8}x^3 + {24}x^2 + {21}x + {19}
97  }
98  return c;
99 }
100 
102 inline unsigned char LowerCase(unsigned char c)
103 {
104  return (c >= 'A' && c <= 'Z') ? (c - 'A') + 'a' : c;
105 }
106 
108 data ExpandHRP(const std::string& hrp)
109 {
110  data ret;
111  ret.reserve(hrp.size() + 90);
112  ret.resize(hrp.size() * 2 + 1);
113  for (size_t i = 0; i < hrp.size(); ++i) {
114  unsigned char c = hrp[i];
115  ret[i] = c >> 5;
116  ret[i + hrp.size() + 1] = c & 0x1f;
117  }
118  ret[hrp.size()] = 0;
119  return ret;
120 }
121 
123 Encoding VerifyChecksum(const std::string& hrp, const data& values)
124 {
125  // PolyMod computes what value to xor into the final values to make the checksum 0. However,
126  // if we required that the checksum was 0, it would be the case that appending a 0 to a valid
127  // list of values would result in a new valid list. For that reason, Bech32 requires the
128  // resulting checksum to be 1 instead. In Bech32m, this constant was amended.
129  const uint32_t check = PolyMod(Cat(ExpandHRP(hrp), values));
130  if (check == EncodingConstant(Encoding::BECH32)) return Encoding::BECH32;
131  if (check == EncodingConstant(Encoding::BECH32M)) return Encoding::BECH32M;
132  return Encoding::INVALID;
133 }
134 
136 data CreateChecksum(Encoding encoding, const std::string& hrp, const data& values)
137 {
138  data enc = Cat(ExpandHRP(hrp), values);
139  enc.resize(enc.size() + 6); // Append 6 zeroes
140  uint32_t mod = PolyMod(enc) ^ EncodingConstant(encoding); // Determine what to XOR into those 6 zeroes.
141  data ret(6);
142  for (size_t i = 0; i < 6; ++i) {
143  // Convert the 5-bit groups in mod to checksum values.
144  ret[i] = (mod >> (5 * (5 - i))) & 31;
145  }
146  return ret;
147 }
148 
149 } // namespace
150 
152 std::string Encode(Encoding encoding, const std::string& hrp, const data& values) {
153  // First ensure that the HRP is all lowercase. BIP-173 and BIP350 require an encoder
154  // to return a lowercase Bech32/Bech32m string, but if given an uppercase HRP, the
155  // result will always be invalid.
156  for (const char& c : hrp) assert(c < 'A' || c > 'Z');
157  data checksum = CreateChecksum(encoding, hrp, values);
158  data combined = Cat(values, checksum);
159  std::string ret = hrp + '1';
160  ret.reserve(ret.size() + combined.size());
161  for (const auto c : combined) {
162  ret += CHARSET[c];
163  }
164  return ret;
165 }
166 
168 DecodeResult Decode(const std::string& str) {
169  bool lower = false, upper = false;
170  for (size_t i = 0; i < str.size(); ++i) {
171  unsigned char c = str[i];
172  if (c >= 'a' && c <= 'z') lower = true;
173  else if (c >= 'A' && c <= 'Z') upper = true;
174  else if (c < 33 || c > 126) return {};
175  }
176  if (lower && upper) return {};
177  size_t pos = str.rfind('1');
178  if (str.size() > 90 || pos == str.npos || pos == 0 || pos + 7 > str.size()) {
179  return {};
180  }
181  data values(str.size() - 1 - pos);
182  for (size_t i = 0; i < str.size() - 1 - pos; ++i) {
183  unsigned char c = str[i + pos + 1];
184  int8_t rev = CHARSET_REV[c];
185 
186  if (rev == -1) {
187  return {};
188  }
189  values[i] = rev;
190  }
191  std::string hrp;
192  for (size_t i = 0; i < pos; ++i) {
193  hrp += LowerCase(str[i]);
194  }
195  Encoding result = VerifyChecksum(hrp, values);
196  if (result == Encoding::INVALID) return {};
197  return {result, std::move(hrp), data(values.begin(), values.end() - 6)};
198 }
199 
200 } // namespace bech32
bech32::Decode
DecodeResult Decode(const std::string &str)
Decode a Bech32 or Bech32m string.
Definition: bech32.cpp:168
Cat
V Cat(V v1, V &&v2)
Concatenate two vectors, moving elements.
Definition: vector.h:31
bech32::DecodeResult
Definition: bech32.h:34
bech32::Encoding::BECH32
@ BECH32
Bech32 encoding as defined in BIP173.
bech32::Encoding::INVALID
@ INVALID
Failed decoding.
bech32
Definition: bech32.cpp:10
bech32::Encoding
Encoding
Definition: bech32.h:23
bech32::Encoding::BECH32M
@ BECH32M
Bech32m encoding as defined in BIP350.
vector.h
bech32.h
bech32::Encode
std::string Encode(Encoding encoding, const std::string &hrp, const data &values)
Encode a Bech32 or Bech32m string.
Definition: bech32.cpp:152
assert
assert(std::addressof(::ChainstateActive().CoinsTip())==std::addressof(coins_cache))