Add support for Bech32m

Author: sipa

demo/demo.html

@@ -30,13 +30,13 @@
 function update_status() {
     var address = document.getElementById("address").value;
     var res = segwit_addr_ecc.check(address, ["bc", "tb"]);
-    var cp = "";
+    var cp = "<br/>";
     if (res.error === null) {
         document.getElementById("result").innerHTML = "<a style=\"color:green\">Ok, witness version " + res.version + ", program " + toHexString(res.program) + "</a>";
-        cp = "<br/>";
     } else {
         document.getElementById("result").innerHTML = res.error;
         if (res.pos !== null) {
+            cp = "";
             for (var p = 0; p < address.length; ++p) {
                 if (res.pos.indexOf(p) != -1) {
                     cp += "<a style=\"color:red\">" + address.charAt(p) + "</a>";
@@ -59,11 +59,11 @@
             <div class="card mb-3 text-left">
                 <h3 class="card-header">SegWit address format</h3>
                 <div class="card-block">
-                    <p><a href="https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki">BIP 173</a> is a proposal for a new SegWit address format to replace <a href="https://github.com/bitcoin/bips/blob/master/bip-0142.mediawiki">BIP 142</a>.
+                    <p><a href="https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki">BIP 173</a> defines the address format used for native segwit outputs.
                     This format is not required for using segwit, but is more
-                    efficient, flexible, and nicer to use.</p>
+                    efficient, flexible, and nicer to use than the compatibility P2SH wrapper format.</p>
 
-                    <p>The format is base 32 and uses a simple checksum algorithm with strong
+                    <p>The used Bech32 encoding is generally usable and uses a simple checksum algorithm with strong
                     error detection properties. Reference code in several languages as
                     well as a website demonstrating it are included.</p>
 
@@ -77,6 +77,20 @@ <h3 class="card-header">SegWit address format</h3>
                 </div>
             </div>
 
+            <div class="card mb-3 text-left">
+                <h3 class="card-header">Bech32m for version 1 witnesses and higher</h3>
+                <div class="card-block">
+                    <p>To address <a href="https://github.com/sipa/bech32/issues/51">weaknesses</a> discovered in Bech32, <a href="https://github.com/sipa/bips/blob/bip-bech32m/bip-0350.mediawiki">BIP 350</a> proposes using an improved format called Bech32m
+                    for addresses for witness versions 1 and higher. Such addresses would be used by the <a href="https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki">Taproot</a> proposal.</p>
+
+                    <ul>
+                    <li><a href="https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-October/018236.html">Mailinglist discussion</a></li>
+                    <li><a href="https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018338.html">BIP discussion</a></li>
+                    <li><a href="https://github.com/bitcoin/bips/pull/1056">BIP PR</a></li>
+                    </ul>
+                </div>
+            </div>
+
             <div class="card text-left">
                 <h3 class="card-header">Decoder demo</h3>
                 <div class="card-block">
@@ -93,6 +107,8 @@ <h3 class="card-header">Decoder demo</h3>
                     <li> <a class="demo_link" href='javascript:load_addr("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4");'>P2WPKH example</a>
                     <li> <a class="demo_link" href='javascript:load_addr("BC1QW508D6QEJXTDG4Y5R3ZARVAYR0C5XW7KV8F3T4");'>P2WPKH example with errors</a>
                     <li> <a class="demo_link" href='javascript:load_addr("bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3");'>P2WSH example</a>
+                    <li> <a class="demo_link" href='javascript:load_addr("bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0");'>P2TR example (proposed)</a>
+                    <li> <a class="demo_link" href='javascript:load_addr("bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqh2y7hd");'>P2TR example with errors (using Bech32 instead of Bech32m)</a>
                     </ul>
                 </div>
             </div>

demo/demo.js

@@ -147,8 +147,24 @@ var GF1024_LOG = [
   452, 710, 552, 128, 612, 600, 275, 322, 193
 ];
 
+const encodings = {
+  BECH32: "bech32",
+  BECH32M: "bech32m",
+};
+
+function getEncodingConst (encoding) {
+  if (encoding == encodings.BECH32) {
+    return 1;
+  } else if (encoding == encodings.BECH32M) {
+    return 0x2bc830a3;
+  } else {
+    return null;
+  }
+}
+
 module.exports = {
   check: check,
+  encodings: encodings,
 };
 
 function syndrome (residue) {
@@ -258,7 +274,7 @@ function range (from, to) {
   return ret;
 }
 
-function check (bechString, validHrp) {
+function check (bechString, validHrp, encoding) {
   if (bechString.length > 90) {
       return {error:"Too long", pos:range(90, bechString.length)};
   }
@@ -298,16 +314,19 @@ function check (bechString, validHrp) {
   if (validHrp.indexOf(hrp) == -1) {
     return {error:"Unknown part before the separator '1'", pos:range(0, hrp.length)};
   }
-  var residue = polymod(hrpExpand(hrp).concat(data)) ^ 1;
+  var residue = polymod(hrpExpand(hrp).concat(data)) ^ getEncodingConst(encoding);
   if (residue != 0) {
-    var epos = locate_errors(residue, bechString.length - 1);
-    if (epos.length == 0) {
-      return {error:"Invalid", pos:null};
-    }
-    for (var ep = 0; ep < epos.length; ++ep) {
-      epos[ep] = bechString.length - epos[ep] - (epos[ep] >= data.length ? 2 : 1);
+    var epos = locate_errors(residue, data.length);
+    if (epos.length == 0) return {error:"Invalid checksum", data_pattern:null};
+    pattern = [];
+    for (var pos = 0; pos < data.length; ++pos) {
+      if (epos.includes(data.length - 1 - pos)) {
+        pattern.push(-1);
+      } else {
+        pattern.push(data[pos]);
+      }
     }
-    return {error:"Invalid", pos:epos};
+    return {error:"Invalid checksum", data_pattern:pattern};
   }
   return {error:null, hrp:hrp, data:data.slice(0, -6)};
 }

ecc/javascript/bech32_ecc.js

@@ -58,25 +58,60 @@ function check (addr, validHrp) {
   if (addr.length > 74) {
     return {error:"Too long", pos:null};
   }
-  if ((addr.length % 8) == 0 || (addr.length % 8) == 3 || (addr.length % 8) == 5) {
-    return {error:"Invalid length", pos:null};
-  }
-  var dec = bech32_ecc.check(addr, validHrp);
-  if (dec.error !== null) {
-    return {error:dec.error, pos:dec.pos};
-  }
-  var res = convertbits(dec.data.slice(1), 5, 8, false);
-  if (res === null) {
-    return {error:"Padding error", pos:[addr.length - 6]};
-  }
-  if (res.length < 2 || res.length > 40) {
-    return {error:"Invalid witness program length", pos:null};
+  eposs = []
+  for (var encname in bech32_ecc.encodings) {
+    const encoding = bech32_ecc.encodings[encname];
+    var dec = bech32_ecc.check(addr, validHrp, encoding);
+    if ("data_pattern" in dec) {
+      if (dec.data_pattern !== null) {
+        const numbytes = ((dec.data_pattern.length - 6 - 1) * 5) >> 3;
+        if (dec.data_pattern.length - 6 - 1 != ((numbytes * 8 + 4) / 5|0)) continue;
+        if (dec.data_pattern[0] == 0 && encoding != bech32_ecc.encodings.BECH32) continue;
+        if (dec.data_pattern[0] > 0 && dec.data_pattern[0] <= 16 && encoding != bech32_ecc.encodings.BECH32M) continue;
+        if (dec.data_pattern[0] > 16) continue;
+        if (dec.data_pattern[0] == 0 && numbytes != 20 && numbytes != 32) continue;
+        var epos = [];
+        for (var i = 0; i < dec.data_pattern.length; ++i) {
+          if (dec.data_pattern[i] == -1) {
+            epos.push(addr.length - dec.data_pattern.length + i);
+          }
+        }
+        eposs.push(epos);
+      }
+      continue;
+    }
+    if (dec.error !== null) {
+      return {error:dec.error, pos:dec.pos};
+    }
+    var res = convertbits(dec.data.slice(1), 5, 8, false);
+    if (res === null) {
+      return {error:"Padding error", pos:[addr.length - 6]};
+    }
+    if (res.length < 2 || res.length > 40) {
+      return {error:"Invalid witness program length", pos:null};
+    }
+    if (dec.data[0] > 16) {
+      return {error:"Invalid witness version", pos:[dec.hrp.length + 1]};
+    }
+    if (dec.data[0] == 0 && encoding != bech32_ecc.encodings.BECH32) {
+      return {error:"Bech32 must be used for witness v0 programs", pos:null};
+    }
+    if (dec.data[0] != 0 && encoding != bech32_ecc.encodings.BECH32M) {
+      return {error:"Bech32m must be used for witness v1+ programs", pos:null};
+    }
+    if (dec.data[0] === 0 && res.length !== 20 && res.length !== 32) {
+      return {error:"Invalid witness program length for v0", pos:null};
+    }
+    return {error:null, version:dec.data[0], program:res};
   }
-  if (dec.data[0] > 16) {
-    return {error:"Invalid witness version", pos:[dec.hrp.length + 1]};
+  if (eposs.length == 1) {
+    return {error:"Checksum error", pos:eposs[0]};
   }
-  if (dec.data[0] === 0 && res.length !== 20 && res.length !== 32) {
-    return {error:"Invalid witness program length for v0", pos:null};
+  if (eposs.length > 1) {
+    eposs.sort(function (a,b) { return a.length - b.length; });
+    if (eposs[0].length < eposs[1].length) {
+      return {error:"Checksum error", pos:eposs[0]};
+    }
   }
-  return {error:null, version:dec.data[0], program:res};
+  return {error:"Checksum error", pos:null};
 }