Bitcoin Core 29.99.0
P2P Digital Currency
bech32.cpp
Go to the documentation of this file.
1// Copyright (c) 2017, 2021 Pieter Wuille
2// Copyright (c) 2021-present The Bitcoin Core developers
3// Distributed under the MIT software license, see the accompanying
4// file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6#include <bech32.h>
7#include <util/vector.h>
8
9#include <array>
10#include <cassert>
11#include <numeric>
12#include <optional>
13
14namespace bech32
15{
16
17namespace
18{
19
20typedef std::vector<uint8_t> data;
21
23const char* CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
24
26const int8_t CHARSET_REV[128] = {
27 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
28 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
29 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
30 15, -1, 10, 17, 21, 20, 26, 30, 7, 5, -1, -1, -1, -1, -1, -1,
31 -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
32 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1,
33 -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1,
34 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1
35};
36
46constexpr std::pair<std::array<int16_t, 1023>, std::array<int16_t, 1024>> GenerateGFTables()
47{
48 // Build table for GF(32).
49 // We use these tables to perform arithmetic in GF(32) below, when constructing the
50 // tables for GF(1024).
51 std::array<int8_t, 31> GF32_EXP{};
52 std::array<int8_t, 32> GF32_LOG{};
53
54 // fmod encodes the defining polynomial of GF(32) over GF(2), x^5 + x^3 + 1.
55 // Because coefficients in GF(2) are binary digits, the coefficients are packed as 101001.
56 const int fmod = 41;
57
58 // Elements of GF(32) are encoded as vectors of length 5 over GF(2), that is,
59 // 5 binary digits. Each element (b_4, b_3, b_2, b_1, b_0) encodes a polynomial
60 // b_4*x^4 + b_3*x^3 + b_2*x^2 + b_1*x^1 + b_0 (modulo fmod).
61 // For example, 00001 = 1 is the multiplicative identity.
62 GF32_EXP[0] = 1;
63 GF32_LOG[0] = -1;
64 GF32_LOG[1] = 0;
65 int v = 1;
66 for (int i = 1; i < 31; ++i) {
67 // Multiplication by x is the same as shifting left by 1, as
68 // every coefficient of the polynomial is moved up one place.
69 v = v << 1;
70 // If the polynomial now has an x^5 term, we subtract fmod from it
71 // to remain working modulo fmod. Subtraction is the same as XOR in characteristic
72 // 2 fields.
73 if (v & 32) v ^= fmod;
74 GF32_EXP[i] = v;
75 GF32_LOG[v] = i;
76 }
77
78 // Build table for GF(1024)
79 std::array<int16_t, 1023> GF1024_EXP{};
80 std::array<int16_t, 1024> GF1024_LOG{};
81
82 GF1024_EXP[0] = 1;
83 GF1024_LOG[0] = -1;
84 GF1024_LOG[1] = 0;
85
86 // Each element v of GF(1024) is encoded as a 10 bit integer in the following way:
87 // v = v1 || v0 where v0, v1 are 5-bit integers (elements of GF(32)).
88 // The element (e) is encoded as 1 || 0, to represent 1*(e) + 0. Every other element
89 // a*(e) + b is represented as a || b (a and b are both GF(32) elements). Given (v),
90 // we compute (e)*(v) by multiplying in the following way:
91 //
92 // v0' = 23*v1
93 // v1' = 9*v1 + v0
94 // e*v = v1' || v0'
95 //
96 // Where 23, 9 are GF(32) elements encoded as described above. Multiplication in GF(32)
97 // is done using the log/exp tables:
98 // e^x * e^y = e^(x + y) so a * b = EXP[ LOG[a] + LOG [b] ]
99 // for non-zero a and b.
100
101 v = 1;
102 for (int i = 1; i < 1023; ++i) {
103 int v0 = v & 31;
104 int v1 = v >> 5;
105
106 int v0n = v1 ? GF32_EXP.at((GF32_LOG.at(v1) + GF32_LOG.at(23)) % 31) : 0;
107 int v1n = (v1 ? GF32_EXP.at((GF32_LOG.at(v1) + GF32_LOG.at(9)) % 31) : 0) ^ v0;
108
109 v = v1n << 5 | v0n;
110 GF1024_EXP[i] = v;
111 GF1024_LOG[v] = i;
112 }
113
114 return std::make_pair(GF1024_EXP, GF1024_LOG);
115}
116
117constexpr auto tables = GenerateGFTables();
118constexpr const std::array<int16_t, 1023>& GF1024_EXP = tables.first;
119constexpr const std::array<int16_t, 1024>& GF1024_LOG = tables.second;
120
121/* Determine the final constant to use for the specified encoding. */
122uint32_t EncodingConstant(Encoding encoding) {
123 assert(encoding == Encoding::BECH32 || encoding == Encoding::BECH32M);
124 return encoding == Encoding::BECH32 ? 1 : 0x2bc830a3;
125}
126
130uint32_t PolyMod(const data& v)
131{
132 // The input is interpreted as a list of coefficients of a polynomial over F = GF(32), with an
133 // implicit 1 in front. If the input is [v0,v1,v2,v3,v4], that polynomial is v(x) =
134 // 1*x^5 + v0*x^4 + v1*x^3 + v2*x^2 + v3*x + v4. The implicit 1 guarantees that
135 // [v0,v1,v2,...] has a distinct checksum from [0,v0,v1,v2,...].
136
137 // The output is a 30-bit integer whose 5-bit groups are the coefficients of the remainder of
138 // v(x) mod g(x), where g(x) is the Bech32 generator,
139 // x^6 + {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}. g(x) is chosen in such a way
140 // that the resulting code is a BCH code, guaranteeing detection of up to 3 errors within a
141 // window of 1023 characters. Among the various possible BCH codes, one was selected to in
142 // fact guarantee detection of up to 4 errors within a window of 89 characters.
143
144 // Note that the coefficients are elements of GF(32), here represented as decimal numbers
145 // between {}. In this finite field, addition is just XOR of the corresponding numbers. For
146 // example, {27} + {13} = {27 ^ 13} = {22}. Multiplication is more complicated, and requires
147 // treating the bits of values themselves as coefficients of a polynomial over a smaller field,
148 // GF(2), and multiplying those polynomials mod a^5 + a^3 + 1. For example, {5} * {26} =
149 // (a^2 + 1) * (a^4 + a^3 + a) = (a^4 + a^3 + a) * a^2 + (a^4 + a^3 + a) = a^6 + a^5 + a^4 + a
150 // = a^3 + 1 (mod a^5 + a^3 + 1) = {9}.
151
152 // During the course of the loop below, `c` contains the bitpacked coefficients of the
153 // polynomial constructed from just the values of v that were processed so far, mod g(x). In
154 // the above example, `c` initially corresponds to 1 mod g(x), and after processing 2 inputs of
155 // v, it corresponds to x^2 + v0*x + v1 mod g(x). As 1 mod g(x) = 1, that is the starting value
156 // for `c`.
157
158 // The following Sage code constructs the generator used:
159 //
160 // B = GF(2) # Binary field
161 // BP.<b> = B[] # Polynomials over the binary field
162 // F_mod = b**5 + b**3 + 1
163 // F.<f> = GF(32, modulus=F_mod, repr='int') # GF(32) definition
164 // FP.<x> = F[] # Polynomials over GF(32)
165 // E_mod = x**2 + F.fetch_int(9)*x + F.fetch_int(23)
166 // E.<e> = F.extension(E_mod) # GF(1024) extension field definition
167 // for p in divisors(E.order() - 1): # Verify e has order 1023.
168 // assert((e**p == 1) == (p % 1023 == 0))
169 // G = lcm([(e**i).minpoly() for i in range(997,1000)])
170 // print(G) # Print out the generator
171 //
172 // It demonstrates that g(x) is the least common multiple of the minimal polynomials
173 // of 3 consecutive powers (997,998,999) of a primitive element (e) of GF(1024).
174 // That guarantees it is, in fact, the generator of a primitive BCH code with cycle
175 // length 1023 and distance 4. See https://en.wikipedia.org/wiki/BCH_code for more details.
176
177 uint32_t c = 1;
178 for (const auto v_i : v) {
179 // We want to update `c` to correspond to a polynomial with one extra term. If the initial
180 // value of `c` consists of the coefficients of c(x) = f(x) mod g(x), we modify it to
181 // correspond to c'(x) = (f(x) * x + v_i) mod g(x), where v_i is the next input to
182 // process. Simplifying:
183 // c'(x) = (f(x) * x + v_i) mod g(x)
184 // ((f(x) mod g(x)) * x + v_i) mod g(x)
185 // (c(x) * x + v_i) mod g(x)
186 // If c(x) = c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5, we want to compute
187 // c'(x) = (c0*x^5 + c1*x^4 + c2*x^3 + c3*x^2 + c4*x + c5) * x + v_i mod g(x)
188 // = c0*x^6 + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i mod g(x)
189 // = c0*(x^6 mod g(x)) + c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i
190 // If we call (x^6 mod g(x)) = k(x), this can be written as
191 // c'(x) = (c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i) + c0*k(x)
192
193 // First, determine the value of c0:
194 uint8_t c0 = c >> 25;
195
196 // Then compute c1*x^5 + c2*x^4 + c3*x^3 + c4*x^2 + c5*x + v_i:
197 c = ((c & 0x1ffffff) << 5) ^ v_i;
198
199 // Finally, for each set bit n in c0, conditionally add {2^n}k(x). These constants can be
200 // computed using the following Sage code (continuing the code above):
201 //
202 // for i in [1,2,4,8,16]: # Print out {1,2,4,8,16}*(g(x) mod x^6), packed in hex integers.
203 // v = 0
204 // for coef in reversed((F.fetch_int(i)*(G % x**6)).coefficients(sparse=True)):
205 // v = v*32 + coef.integer_representation()
206 // print("0x%x" % v)
207 //
208 if (c0 & 1) c ^= 0x3b6a57b2; // k(x) = {29}x^5 + {22}x^4 + {20}x^3 + {21}x^2 + {29}x + {18}
209 if (c0 & 2) c ^= 0x26508e6d; // {2}k(x) = {19}x^5 + {5}x^4 + x^3 + {3}x^2 + {19}x + {13}
210 if (c0 & 4) c ^= 0x1ea119fa; // {4}k(x) = {15}x^5 + {10}x^4 + {2}x^3 + {6}x^2 + {15}x + {26}
211 if (c0 & 8) c ^= 0x3d4233dd; // {8}k(x) = {30}x^5 + {20}x^4 + {4}x^3 + {12}x^2 + {30}x + {29}
212 if (c0 & 16) c ^= 0x2a1462b3; // {16}k(x) = {21}x^5 + x^4 + {8}x^3 + {24}x^2 + {21}x + {19}
213
214 }
215 return c;
216}
217
240constexpr std::array<uint32_t, 25> GenerateSyndromeConstants() {
241 std::array<uint32_t, 25> SYNDROME_CONSTS{};
242 for (int k = 1; k < 6; ++k) {
243 for (int shift = 0; shift < 5; ++shift) {
244 int16_t b = GF1024_LOG.at(size_t{1} << shift);
245 int16_t c0 = GF1024_EXP.at((997*k + b) % 1023);
246 int16_t c1 = GF1024_EXP.at((998*k + b) % 1023);
247 int16_t c2 = GF1024_EXP.at((999*k + b) % 1023);
248 uint32_t c = c2 << 20 | c1 << 10 | c0;
249 int ind = 5*(k-1) + shift;
250 SYNDROME_CONSTS[ind] = c;
251 }
252 }
253 return SYNDROME_CONSTS;
254}
255constexpr std::array<uint32_t, 25> SYNDROME_CONSTS = GenerateSyndromeConstants();
256
261uint32_t Syndrome(const uint32_t residue) {
262 // low is the first 5 bits, corresponding to the r6 in the residue
263 // (the constant term of the polynomial).
264 uint32_t low = residue & 0x1f;
265
266 // We begin by setting s_j = low = r6 for all three values of j, because these are unconditional.
267 uint32_t result = low ^ (low << 10) ^ (low << 20);
268
269 // Then for each following bit, we add the corresponding precomputed constant if the bit is 1.
270 // For example, 0x31edd3c4 is 1100011110 1101110100 1111000100 when unpacked in groups of 10
271 // bits, corresponding exactly to a^999 || a^998 || a^997 (matching the corresponding values in
272 // GF1024_EXP above). In this way, we compute all three values of s_j for j in (997, 998, 999)
273 // simultaneously. Recall that XOR corresponds to addition in a characteristic 2 field.
274 for (int i = 0; i < 25; ++i) {
275 result ^= ((residue >> (5+i)) & 1 ? SYNDROME_CONSTS.at(i) : 0);
276 }
277 return result;
278}
279
281inline unsigned char LowerCase(unsigned char c)
282{
283 return (c >= 'A' && c <= 'Z') ? (c - 'A') + 'a' : c;
284}
285
287bool CheckCharacters(const std::string& str, std::vector<int>& errors)
288{
289 bool lower = false, upper = false;
290 for (size_t i = 0; i < str.size(); ++i) {
291 unsigned char c{(unsigned char)(str[i])};
292 if (c >= 'a' && c <= 'z') {
293 if (upper) {
294 errors.push_back(i);
295 } else {
296 lower = true;
297 }
298 } else if (c >= 'A' && c <= 'Z') {
299 if (lower) {
300 errors.push_back(i);
301 } else {
302 upper = true;
303 }
304 } else if (c < 33 || c > 126) {
305 errors.push_back(i);
306 }
307 }
308 return errors.empty();
309}
310
311std::vector<unsigned char> PreparePolynomialCoefficients(const std::string& hrp, const data& values)
312{
313 data ret;
314 ret.reserve(hrp.size() + 1 + hrp.size() + values.size() + CHECKSUM_SIZE);
315
317 for (size_t i = 0; i < hrp.size(); ++i) ret.push_back(hrp[i] >> 5);
318 ret.push_back(0);
319 for (size_t i = 0; i < hrp.size(); ++i) ret.push_back(hrp[i] & 0x1f);
320
321 ret.insert(ret.end(), values.begin(), values.end());
322
323 return ret;
324}
325
327Encoding VerifyChecksum(const std::string& hrp, const data& values)
328{
329 // PolyMod computes what value to xor into the final values to make the checksum 0. However,
330 // if we required that the checksum was 0, it would be the case that appending a 0 to a valid
331 // list of values would result in a new valid list. For that reason, Bech32 requires the
332 // resulting checksum to be 1 instead. In Bech32m, this constant was amended. See
333 // https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e for details.
334 auto enc = PreparePolynomialCoefficients(hrp, values);
335 const uint32_t check = PolyMod(enc);
336 if (check == EncodingConstant(Encoding::BECH32)) return Encoding::BECH32;
337 if (check == EncodingConstant(Encoding::BECH32M)) return Encoding::BECH32M;
338 return Encoding::INVALID;
339}
340
342data CreateChecksum(Encoding encoding, const std::string& hrp, const data& values)
343{
344 auto enc = PreparePolynomialCoefficients(hrp, values);
345 enc.insert(enc.end(), CHECKSUM_SIZE, 0x00);
346 uint32_t mod = PolyMod(enc) ^ EncodingConstant(encoding); // Determine what to XOR into those 6 zeroes.
347 data ret(CHECKSUM_SIZE);
348 for (size_t i = 0; i < CHECKSUM_SIZE; ++i) {
349 // Convert the 5-bit groups in mod to checksum values.
350 ret[i] = (mod >> (5 * (5 - i))) & 31;
351 }
352 return ret;
353}
354
355} // namespace
356
358std::string Encode(Encoding encoding, const std::string& hrp, const data& values) {
359 // First ensure that the HRP is all lowercase. BIP-173 and BIP350 require an encoder
360 // to return a lowercase Bech32/Bech32m string, but if given an uppercase HRP, the
361 // result will always be invalid.
362 for (const char& c : hrp) assert(c < 'A' || c > 'Z');
363
364 std::string ret;
365 ret.reserve(hrp.size() + 1 + values.size() + CHECKSUM_SIZE);
366 ret += hrp;
367 ret += SEPARATOR;
368 for (const uint8_t& i : values) ret += CHARSET[i];
369 for (const uint8_t& i : CreateChecksum(encoding, hrp, values)) ret += CHARSET[i];
370 return ret;
371}
372
374DecodeResult Decode(const std::string& str, CharLimit limit) {
375 std::vector<int> errors;
376 if (!CheckCharacters(str, errors)) return {};
377 size_t pos = str.rfind(SEPARATOR);
378 if (str.size() > limit) return {};
379 if (pos == str.npos || pos == 0 || pos + CHECKSUM_SIZE >= str.size()) {
380 return {};
381 }
382 data values(str.size() - 1 - pos);
383 for (size_t i = 0; i < str.size() - 1 - pos; ++i) {
384 unsigned char c = str[i + pos + 1];
385 int8_t rev = CHARSET_REV[c];
386
387 if (rev == -1) {
388 return {};
389 }
390 values[i] = rev;
391 }
392 std::string hrp;
393 hrp.reserve(pos);
394 for (size_t i = 0; i < pos; ++i) {
395 hrp += LowerCase(str[i]);
396 }
397 Encoding result = VerifyChecksum(hrp, values);
398 if (result == Encoding::INVALID) return {};
399 return {result, std::move(hrp), data(values.begin(), values.end() - CHECKSUM_SIZE)};
400}
401
403std::pair<std::string, std::vector<int>> LocateErrors(const std::string& str, CharLimit limit) {
404 std::vector<int> error_locations{};
405
406 if (str.size() > limit) {
407 error_locations.resize(str.size() - limit);
408 std::iota(error_locations.begin(), error_locations.end(), static_cast<int>(limit));
409 return std::make_pair("Bech32 string too long", std::move(error_locations));
410 }
411
412 if (!CheckCharacters(str, error_locations)){
413 return std::make_pair("Invalid character or mixed case", std::move(error_locations));
414 }
415
416 size_t pos = str.rfind(SEPARATOR);
417 if (pos == str.npos) {
418 return std::make_pair("Missing separator", std::vector<int>{});
419 }
420 if (pos == 0 || pos + CHECKSUM_SIZE >= str.size()) {
421 error_locations.push_back(pos);
422 return std::make_pair("Invalid separator position", std::move(error_locations));
423 }
424
425 std::string hrp;
426 hrp.reserve(pos);
427 for (size_t i = 0; i < pos; ++i) {
428 hrp += LowerCase(str[i]);
429 }
430
431 size_t length = str.size() - 1 - pos; // length of data part
432 data values(length);
433 for (size_t i = pos + 1; i < str.size(); ++i) {
434 unsigned char c = str[i];
435 int8_t rev = CHARSET_REV[c];
436 if (rev == -1) {
437 error_locations.push_back(i);
438 return std::make_pair("Invalid Base 32 character", std::move(error_locations));
439 }
440 values[i - pos - 1] = rev;
441 }
442
443 // We attempt error detection with both bech32 and bech32m, and choose the one with the fewest errors
444 // We can't simply use the segwit version, because that may be one of the errors
445 std::optional<Encoding> error_encoding;
446 for (Encoding encoding : {Encoding::BECH32, Encoding::BECH32M}) {
447 std::vector<int> possible_errors;
448 // Recall that (expanded hrp + values) is interpreted as a list of coefficients of a polynomial
449 // over GF(32). PolyMod computes the "remainder" of this polynomial modulo the generator G(x).
450 auto enc = PreparePolynomialCoefficients(hrp, values);
451 uint32_t residue = PolyMod(enc) ^ EncodingConstant(encoding);
452
453 // All valid codewords should be multiples of G(x), so this remainder (after XORing with the encoding
454 // constant) should be 0 - hence 0 indicates there are no errors present.
455 if (residue != 0) {
456 // If errors are present, our polynomial must be of the form C(x) + E(x) where C is the valid
457 // codeword (a multiple of G(x)), and E encodes the errors.
458 uint32_t syn = Syndrome(residue);
459
460 // Unpack the three 10-bit syndrome values
461 int s0 = syn & 0x3FF;
462 int s1 = (syn >> 10) & 0x3FF;
463 int s2 = syn >> 20;
464
465 // Get the discrete logs of these values in GF1024 for more efficient computation
466 int l_s0 = GF1024_LOG.at(s0);
467 int l_s1 = GF1024_LOG.at(s1);
468 int l_s2 = GF1024_LOG.at(s2);
469
470 // First, suppose there is only a single error. Then E(x) = e1*x^p1 for some position p1
471 // Then s0 = E((e)^997) = e1*(e)^(997*p1) and s1 = E((e)^998) = e1*(e)^(998*p1)
472 // Therefore s1/s0 = (e)^p1, and by the same logic, s2/s1 = (e)^p1 too.
473 // Hence, s1^2 == s0*s2, which is exactly the condition we check first:
474 if (l_s0 != -1 && l_s1 != -1 && l_s2 != -1 && (2 * l_s1 - l_s2 - l_s0 + 2046) % 1023 == 0) {
475 // Compute the error position p1 as l_s1 - l_s0 = p1 (mod 1023)
476 size_t p1 = (l_s1 - l_s0 + 1023) % 1023; // the +1023 ensures it is positive
477 // Now because s0 = e1*(e)^(997*p1), we get e1 = s0/((e)^(997*p1)). Remember that (e)^1023 = 1,
478 // so 1/((e)^997) = (e)^(1023-997).
479 int l_e1 = l_s0 + (1023 - 997) * p1;
480 // Finally, some sanity checks on the result:
481 // - The error position should be within the length of the data
482 // - e1 should be in GF(32), which implies that e1 = (e)^(33k) for some k (the 31 non-zero elements
483 // of GF(32) form an index 33 subgroup of the 1023 non-zero elements of GF(1024)).
484 if (p1 < length && !(l_e1 % 33)) {
485 // Polynomials run from highest power to lowest, so the index p1 is from the right.
486 // We don't return e1 because it is dangerous to suggest corrections to the user,
487 // the user should check the address themselves.
488 possible_errors.push_back(str.size() - p1 - 1);
489 }
490 // Otherwise, suppose there are two errors. Then E(x) = e1*x^p1 + e2*x^p2.
491 } else {
492 // For all possible first error positions p1
493 for (size_t p1 = 0; p1 < length; ++p1) {
494 // We have guessed p1, and want to solve for p2. Recall that E(x) = e1*x^p1 + e2*x^p2, so
495 // s0 = E((e)^997) = e1*(e)^(997^p1) + e2*(e)^(997*p2), and similar for s1 and s2.
496 //
497 // Consider s2 + s1*(e)^p1
498 // = 2e1*(e)^(999^p1) + e2*(e)^(999*p2) + e2*(e)^(998*p2)*(e)^p1
499 // = e2*(e)^(999*p2) + e2*(e)^(998*p2)*(e)^p1
500 // (Because we are working in characteristic 2.)
501 // = e2*(e)^(998*p2) ((e)^p2 + (e)^p1)
502 //
503 int s2_s1p1 = s2 ^ (s1 == 0 ? 0 : GF1024_EXP.at((l_s1 + p1) % 1023));
504 if (s2_s1p1 == 0) continue;
505 int l_s2_s1p1 = GF1024_LOG.at(s2_s1p1);
506
507 // Similarly, s1 + s0*(e)^p1
508 // = e2*(e)^(997*p2) ((e)^p2 + (e)^p1)
509 int s1_s0p1 = s1 ^ (s0 == 0 ? 0 : GF1024_EXP.at((l_s0 + p1) % 1023));
510 if (s1_s0p1 == 0) continue;
511 int l_s1_s0p1 = GF1024_LOG.at(s1_s0p1);
512
513 // So, putting these together, we can compute the second error position as
514 // (e)^p2 = (s2 + s1^p1)/(s1 + s0^p1)
515 // p2 = log((e)^p2)
516 size_t p2 = (l_s2_s1p1 - l_s1_s0p1 + 1023) % 1023;
517
518 // Sanity checks that p2 is a valid position and not the same as p1
519 if (p2 >= length || p1 == p2) continue;
520
521 // Now we want to compute the error values e1 and e2.
522 // Similar to above, we compute s1 + s0*(e)^p2
523 // = e1*(e)^(997*p1) ((e)^p1 + (e)^p2)
524 int s1_s0p2 = s1 ^ (s0 == 0 ? 0 : GF1024_EXP.at((l_s0 + p2) % 1023));
525 if (s1_s0p2 == 0) continue;
526 int l_s1_s0p2 = GF1024_LOG.at(s1_s0p2);
527
528 // And compute (the log of) 1/((e)^p1 + (e)^p2))
529 int inv_p1_p2 = 1023 - GF1024_LOG.at(GF1024_EXP.at(p1) ^ GF1024_EXP.at(p2));
530
531 // Then (s1 + s0*(e)^p1) * (1/((e)^p1 + (e)^p2)))
532 // = e2*(e)^(997*p2)
533 // Then recover e2 by dividing by (e)^(997*p2)
534 int l_e2 = l_s1_s0p1 + inv_p1_p2 + (1023 - 997) * p2;
535 // Check that e2 is in GF(32)
536 if (l_e2 % 33) continue;
537
538 // In the same way, (s1 + s0*(e)^p2) * (1/((e)^p1 + (e)^p2)))
539 // = e1*(e)^(997*p1)
540 // So recover e1 by dividing by (e)^(997*p1)
541 int l_e1 = l_s1_s0p2 + inv_p1_p2 + (1023 - 997) * p1;
542 // Check that e1 is in GF(32)
543 if (l_e1 % 33) continue;
544
545 // Again, we do not return e1 or e2 for safety.
546 // Order the error positions from the left of the string and return them
547 if (p1 > p2) {
548 possible_errors.push_back(str.size() - p1 - 1);
549 possible_errors.push_back(str.size() - p2 - 1);
550 } else {
551 possible_errors.push_back(str.size() - p2 - 1);
552 possible_errors.push_back(str.size() - p1 - 1);
553 }
554 break;
555 }
556 }
557 } else {
558 // No errors
559 return std::make_pair("", std::vector<int>{});
560 }
561
562 if (error_locations.empty() || (!possible_errors.empty() && possible_errors.size() < error_locations.size())) {
563 error_locations = std::move(possible_errors);
564 if (!error_locations.empty()) error_encoding = encoding;
565 }
566 }
567 std::string error_message = error_encoding == Encoding::BECH32M ? "Invalid Bech32m checksum"
568 : error_encoding == Encoding::BECH32 ? "Invalid Bech32 checksum"
569 : "Invalid checksum";
570
571 return std::make_pair(error_message, std::move(error_locations));
572}
573
574} // namespace bech32
ret
int ret
Definition: bitcoin-cli.cpp:1340
bech32::LocateErrors
std::pair< std::string, std::vector< int > > LocateErrors(const std::string &str, CharLimit limit)
Find index of an incorrect character in a Bech32 string.
Definition: bech32.cpp:403
bech32::Encoding
Encoding
Definition: bech32.h:27
bech32::Encoding::INVALID
@ INVALID
Failed decoding.
bech32::Encoding::BECH32
@ BECH32
Bech32 encoding as defined in BIP173.
bech32::Encoding::BECH32M
@ BECH32M
Bech32m encoding as defined in BIP350.
bech32::CharLimit
CharLimit
Character limits for Bech32(m) encoded strings.
Definition: bech32.h:38
bech32::Decode
DecodeResult Decode(const std::string &str, CharLimit limit)
Decode a Bech32 or Bech32m string.
Definition: bech32.cpp:374
bech32::Encode
std::string Encode(Encoding encoding, const std::string &hrp, const data &values)
Encode a Bech32 or Bech32m string.
Definition: bech32.cpp:358
bech32::CHECKSUM_SIZE
static constexpr size_t CHECKSUM_SIZE
Definition: bech32.h:24
bech32::SEPARATOR
static constexpr char SEPARATOR
Definition: bech32.h:25
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
values
static const int64_t values[]
A selection of numbers that do not trigger int64_t overflow when added/subtracted.
Definition: scriptnum_tests.cpp:17
PolyMod
void PolyMod(const std::vector< typename F::Elem > &mod, std::vector< typename F::Elem > &val, const F &field)
Compute the remainder of a polynomial division of val by mod, putting the result in mod.
Definition: sketch_impl.h:18
assert
assert(!tx.IsCoinBase())
Generated on Thu Jun 26 2025 20:00:13 for Bitcoin Core by doxygen 1.9.4