@bcts/uniform-resources 1.0.0-alpha.9 → 1.0.0-beta.1

package/src/utils.ts

@@ -1,8 +1,16 @@
-import { InvalidTypeError } from "./error.js";
+/**
+ * Copyright © 2023-2026 Blockchain Commons, LLC
+ * Copyright © 2025-2026 Parity Technologies
+ *
+ */
+
+import { BytewordsError, InvalidTypeError } from "./error.js";
 
 /**
  * Checks if a character is a valid UR type character.
- * Valid characters are lowercase letters, digits, and hyphens.
+ *
+ * Mirrors Rust's `URTypeChar::is_ur_type` (`bc-ur-rust/src/utils.rs:6-19`):
+ * lowercase a-z, digits 0-9, and the hyphen `-`.
  */
 export function isURTypeChar(char: string): boolean {
   const code = char.charCodeAt(0);
@@ -17,10 +25,14 @@ export function isURTypeChar(char: string): boolean {
 
 /**
  * Checks if a string is a valid UR type.
- * Valid UR types contain only lowercase letters, digits, and hyphens.
+ *
+ * Mirrors Rust's `URTypeString::is_ur_type` (`bc-ur-rust/src/utils.rs:26-32`)
+ * which is `self.chars().all(...)` — meaning **the empty string is accepted**
+ * (a vacuously-true `all` over no chars). We mirror that here so that
+ * `URType::new("")` succeeds in both ports; the round-trip then fails at
+ * decode-time with `TypeUnspecified`.
  */
 export function isValidURType(urType: string): boolean {
-  if (urType.length === 0) return false;
   return Array.from(urType).every((char) => isURTypeChar(char));
 }
 
@@ -574,39 +586,115 @@ export const BYTEMOJIS: string[] = [
 ];
 
 /**
- * Encodes a 4-byte slice as a string of bytewords for identification.
+ * Encodes an arbitrary byte slice as a string of space-separated bytewords.
+ *
+ * Mirrors `bytewords::encode_to_words` in `bc-ur-rust` (≥ v0.19.1). Does not
+ * add a CRC32 checksum — use {@link encodeBytewords} for UR-style encoding.
  */
-export function encodeBytewordsIdentifier(data: Uint8Array): string {
-  if (data.length !== 4) {
-    throw new Error("Identifier data must be exactly 4 bytes");
-  }
+export function encodeToWords(data: Uint8Array): string {
   const words: string[] = [];
-  for (let i = 0; i < 4; i++) {
-    const byte = data[i];
-    if (byte === undefined) throw new Error("Invalid byte");
+  for (const byte of data) {
     const word = BYTEWORDS[byte];
-    if (word === "" || word === undefined) throw new Error("Invalid byteword mapping");
+    if (word === undefined) throw new Error(`Invalid byte value: ${byte}`);
     words.push(word);
   }
   return words.join(" ");
 }
 
+/**
+ * Encodes an arbitrary byte slice as a string of space-separated bytemojis.
+ *
+ * Mirrors `bytewords::encode_to_bytemojis` in `bc-ur-rust` (≥ v0.19.1).
+ */
+export function encodeToBytemojis(data: Uint8Array): string {
+  const emojis: string[] = [];
+  for (const byte of data) {
+    const emoji = BYTEMOJIS[byte];
+    if (emoji === undefined) throw new Error(`Invalid byte value: ${byte}`);
+    emojis.push(emoji);
+  }
+  return emojis.join(" ");
+}
+
+/**
+ * Encodes an arbitrary byte slice as minimal bytewords (first + last letter of
+ * each word, concatenated with no separator).
+ *
+ * Mirrors `bytewords::encode_to_minimal_bytewords` in `bc-ur-rust`
+ * (≥ v0.19.1). Does not add a CRC32 checksum.
+ */
+export function encodeToMinimalBytewords(data: Uint8Array): string {
+  let out = "";
+  for (const byte of data) {
+    const word = BYTEWORDS[byte];
+    if (word === undefined) throw new Error(`Invalid byte value: ${byte}`);
+    out += word[0] + word[word.length - 1];
+  }
+  return out;
+}
+
+/**
+ * Encodes a 4-byte slice as a string of bytewords for identification.
+ *
+ * Thin wrapper over {@link encodeToWords} that enforces the 4-byte length
+ * contract historically used by `bc-ur-rust`'s `bytewords::identifier`.
+ */
+export function encodeBytewordsIdentifier(data: Uint8Array): string {
+  if (data.length !== 4) {
+    throw new Error("Identifier data must be exactly 4 bytes");
+  }
+  return encodeToWords(data);
+}
+
 /**
  * Encodes a 4-byte slice as a string of bytemojis for identification.
+ *
+ * Thin wrapper over {@link encodeToBytemojis} that enforces the 4-byte length
+ * contract historically used by `bc-ur-rust`'s `bytewords::bytemoji_identifier`.
  */
 export function encodeBytemojisIdentifier(data: Uint8Array): string {
   if (data.length !== 4) {
     throw new Error("Identifier data must be exactly 4 bytes");
   }
-  const emojis: string[] = [];
-  for (let i = 0; i < 4; i++) {
-    const byte = data[i];
-    if (byte === undefined) throw new Error("Invalid byte");
-    const emoji = BYTEMOJIS[byte];
-    if (emoji === "" || emoji === undefined) throw new Error("Invalid bytemoji mapping");
-    emojis.push(emoji);
+  return encodeToBytemojis(data);
+}
+
+/**
+ * Returns `true` if `emoji` is one of the 256 bytemojis.
+ *
+ * Mirrors `bytewords::is_valid_bytemoji` in `bc-ur-rust` (≥ v0.19.1).
+ */
+export function isValidBytemoji(emoji: string): boolean {
+  return BYTEMOJI_SET.has(emoji);
+}
+
+/**
+ * Canonicalises a byteword token (2–4 ASCII letters, case-insensitive) to its
+ * full 4-letter lowercase form. Returns `undefined` if the token is not a
+ * valid byteword or any of its short forms.
+ *
+ * Mirrors `bytewords::canonicalize_byteword` in `bc-ur-rust` (≥ v0.19.1).
+ *
+ * - 2-letter tokens are matched against the first + last letter of each
+ *   byteword (identical to the minimal bytewords encoding).
+ * - 3-letter tokens are matched against the first 3 and the last 3 letters of
+ *   each byteword; if both match different entries, the first-3 match wins
+ *   (matching rust's `or_else` priority).
+ * - 4-letter tokens must exactly match a full byteword (after lower-casing).
+ */
+export function canonicalizeByteword(token: string): string | undefined {
+  const lower = token.toLowerCase();
+  switch (lower.length) {
+    case 4:
+      return BYTEWORDS_MAP.has(lower) ? lower : undefined;
+    case 2:
+      return BYTEWORD_FIRST_LAST_MAP.get(lower);
+    case 3: {
+      return BYTEWORD_FIRST_THREE_MAP.get(lower) ?? BYTEWORD_LAST_THREE_MAP.get(lower);
+    }
+    default:
+      return undefined;
   }
-  return emojis.join(" ");
 }
 
 /**
@@ -615,7 +703,7 @@ export function encodeBytemojisIdentifier(data: Uint8Array): string {
 export enum BytewordsStyle {
   /** Full 4-letter words separated by spaces */
   Standard = "standard",
-  /** Full 4-letter words without separators */
+  /** Full 4-letter words separated by hyphens (URI-safe) */
   Uri = "uri",
   /** First and last character only (minimal) - used by UR encoding */
   Minimal = "minimal",
@@ -636,6 +724,48 @@ function createMinimalBytewordsMap(): Map<string, number> {
 
 export const MINIMAL_BYTEWORDS_MAP = createMinimalBytewordsMap();
 
+/**
+ * Set of all 256 bytemojis for fast membership testing. Backs
+ * {@link isValidBytemoji}.
+ */
+const BYTEMOJI_SET: ReadonlySet<string> = new Set(BYTEMOJIS);
+
+/**
+ * Lookup from a 2-letter (first+last) byteword short-form to its full
+ * lowercase 4-letter form. Backs {@link canonicalizeByteword}.
+ */
+const BYTEWORD_FIRST_LAST_MAP: ReadonlyMap<string, string> = (() => {
+  const map = new Map<string, string>();
+  for (const word of BYTEWORDS) {
+    map.set(word[0] + word[word.length - 1], word);
+  }
+  return map;
+})();
+
+/**
+ * Lookup from the first 3 letters of a byteword to its full lowercase 4-letter
+ * form. Backs {@link canonicalizeByteword}.
+ */
+const BYTEWORD_FIRST_THREE_MAP: ReadonlyMap<string, string> = (() => {
+  const map = new Map<string, string>();
+  for (const word of BYTEWORDS) {
+    map.set(word.slice(0, 3), word);
+  }
+  return map;
+})();
+
+/**
+ * Lookup from the last 3 letters of a byteword to its full lowercase 4-letter
+ * form. Backs {@link canonicalizeByteword}.
+ */
+const BYTEWORD_LAST_THREE_MAP: ReadonlyMap<string, string> = (() => {
+  const map = new Map<string, string>();
+  for (const word of BYTEWORDS) {
+    map.set(word.slice(1), word);
+  }
+  return map;
+})();
+
 /**
  * CRC32 lookup table (IEEE polynomial).
  */
@@ -712,19 +842,51 @@ export function encodeBytewords(
     case BytewordsStyle.Standard:
       return words.join(" ");
     case BytewordsStyle.Uri:
+      return words.join("-");
     case BytewordsStyle.Minimal:
       return words.join("");
   }
 }
 
+/**
+ * Returns true if every code unit of `s` is in the ASCII range (0..=127).
+ *
+ * Mirrors Rust's `str::is_ascii` used at `ur::bytewords::decode` line 105.
+ * We test the raw code units (rather than Array.from + codepoint) because
+ * any non-BMP character has surrogate pairs both ≥ 0xD800, which already
+ * exceed 0x7F.
+ */
+function isAsciiString(s: string): boolean {
+  for (let i = 0; i < s.length; i++) {
+    if (s.charCodeAt(i) > 0x7f) return false;
+  }
+  return true;
+}
+
 /**
  * Decode bytewords string back to data.
  * Validates and removes CRC32 checksum.
+ *
+ * Errors mirror the upstream Rust `ur::bytewords::Error` enum
+ * (`ur-0.4.1/src/bytewords.rs`):
+ * - `NonAscii` — input contains non-ASCII characters (checked first).
+ * - `InvalidLength` — minimal-style input has odd length.
+ * - `InvalidWord` — a token does not map to a byteword index.
+ * - `InvalidChecksum` — the trailing 4-byte CRC32 does not match.
+ *
+ * All variants are surfaced as {@link BytewordsError} with the same default
+ * `Display` strings as Rust (e.g. "invalid checksum", "non-ASCII"), so
+ * callers can branch on the error class rather than the bare `Error`
+ * thrown by earlier revisions of this port.
  */
 export function decodeBytewords(
   encoded: string,
   style: BytewordsStyle = BytewordsStyle.Minimal,
 ): Uint8Array {
+  // Rust rejects non-ASCII input up-front (`bytewords.rs:105-107`).
+  if (!isAsciiString(encoded)) {
+    throw new BytewordsError("bytewords string contains non-ASCII characters");
+  }
   const lowercased = encoded.toLowerCase();
   let bytes: number[];
 
@@ -734,39 +896,35 @@ export function decodeBytewords(
       bytes = words.map((word) => {
         const index = BYTEWORDS_MAP.get(word);
         if (index === undefined) {
-          throw new Error(`Invalid byteword: ${word}`);
+          throw new BytewordsError("invalid word");
         }
         return index;
       });
       break;
     }
     case BytewordsStyle.Uri: {
-      // 4-character words with no separator
-      if (lowercased.length % 4 !== 0) {
-        throw new Error("Invalid URI bytewords length");
-      }
-      bytes = [];
-      for (let i = 0; i < lowercased.length; i += 4) {
-        const word = lowercased.slice(i, i + 4);
+      // 4-character words separated by hyphens
+      const words = lowercased.split("-");
+      bytes = words.map((word) => {
         const index = BYTEWORDS_MAP.get(word);
         if (index === undefined) {
-          throw new Error(`Invalid byteword: ${word}`);
+          throw new BytewordsError("invalid word");
         }
-        bytes.push(index);
-      }
+        return index;
+      });
       break;
     }
     case BytewordsStyle.Minimal: {
       // 2-character minimal words with no separator
       if (lowercased.length % 2 !== 0) {
-        throw new Error("Invalid minimal bytewords length");
+        throw new BytewordsError("invalid length");
       }
       bytes = [];
       for (let i = 0; i < lowercased.length; i += 2) {
         const minimal = lowercased.slice(i, i + 2);
         const index = MINIMAL_BYTEWORDS_MAP.get(minimal);
         if (index === undefined) {
-          throw new Error(`Invalid minimal byteword: ${minimal}`);
+          throw new BytewordsError("invalid word");
         }
         bytes.push(index);
       }
@@ -775,7 +933,7 @@ export function decodeBytewords(
   }
 
   if (bytes.length < 4) {
-    throw new Error("Bytewords data too short (missing checksum)");
+    throw new BytewordsError("invalid checksum");
   }
 
   // Extract data and checksum
@@ -793,9 +951,7 @@ export function decodeBytewords(
     0;
 
   if (expectedChecksum !== actualChecksum) {
-    throw new Error(
-      `Bytewords checksum mismatch: expected ${expectedChecksum.toString(16)}, got ${actualChecksum.toString(16)}`,
-    );
+    throw new BytewordsError("invalid checksum");
   }
 
   return data;

package/src/xoshiro.ts

@@ -1,12 +1,19 @@
 /**
+ * Copyright © 2023-2026 Blockchain Commons, LLC
+ * Copyright © 2025-2026 Parity Technologies
+ *
+ *
  * Xoshiro256** PRNG implementation.
  *
  * This is a high-quality, fast pseudo-random number generator used
  * for deterministic fragment selection in fountain codes.
  *
  * Reference: https://prng.di.unimi.it/
+ * BC-UR Reference: https://github.com/nicklockwood/fountain-codes
  */
 
+import { sha256 } from "@bcts/crypto";
+
 const MAX_UINT64 = BigInt("0xffffffffffffffff");
 
 /**
@@ -28,25 +35,33 @@ export class Xoshiro256 {
   private s: [bigint, bigint, bigint, bigint];
 
   /**
-   * Creates a new Xoshiro256** instance from a seed.
+   * Creates a new Xoshiro256** instance from a 32-byte seed.
    *
-   * The seed is hashed using SHA-256 to initialize the state.
-   * For consistent results across encoder/decoder, use the same seed.
+   * The seed must be exactly 32 bytes (256 bits). The bytes are interpreted
+   * using the BC-UR reference algorithm: each 8-byte chunk is read as
+   * big-endian then stored as little-endian for the state.
    *
-   * @param seed - The seed bytes (any length)
+   * @param seed - The seed bytes (must be exactly 32 bytes)
    */
   constructor(seed: Uint8Array) {
-    // Hash the seed using a simple hash function
-    // In production, you'd use SHA-256 here
-    const hash = this.hashSeed(seed);
-
-    // Initialize the 4x64-bit state from the hash
-    this.s = [
-      this.bytesToBigInt(hash.slice(0, 8)),
-      this.bytesToBigInt(hash.slice(8, 16)),
-      this.bytesToBigInt(hash.slice(16, 24)),
-      this.bytesToBigInt(hash.slice(24, 32)),
-    ];
+    if (seed.length !== 32) {
+      throw new Error(`Seed must be 32 bytes, got ${seed.length}`);
+    }
+
+    // BC-UR reference implementation:
+    // For each 8-byte chunk, read as big-endian u64, then convert to little-endian bytes
+    // This effectively swaps the byte order within each 8-byte segment
+    const s: [bigint, bigint, bigint, bigint] = [0n, 0n, 0n, 0n];
+    for (let i = 0; i < 4; i++) {
+      // Read 8 bytes as big-endian u64
+      let v = 0n;
+      for (let n = 0; n < 8; n++) {
+        v = (v << 8n) | BigInt(seed[8 * i + n] ?? 0);
+      }
+      s[i] = v;
+    }
+
+    this.s = s;
   }
 
   /**
@@ -59,47 +74,6 @@ export class Xoshiro256 {
     return instance;
   }
 
-  /**
-   * Simple hash function for seeding.
-   * This is a basic implementation - in production use SHA-256.
-   */
-  private hashSeed(seed: Uint8Array): Uint8Array {
-    // Simple hash expansion using CRC32-like operations
-    const result = new Uint8Array(32);
-
-    if (seed.length === 0) {
-      return result;
-    }
-
-    // Expand seed to 32 bytes using a simple mixing function
-    for (let i = 0; i < 32; i++) {
-      let hash = 0;
-      for (const byte of seed) {
-        hash = (hash * 31 + byte + i) >>> 0;
-      }
-      // Mix the hash further
-      hash ^= hash >>> 16;
-      hash = (hash * 0x85ebca6b) >>> 0;
-      hash ^= hash >>> 13;
-      hash = (hash * 0xc2b2ae35) >>> 0;
-      hash ^= hash >>> 16;
-      result[i] = hash & 0xff;
-    }
-
-    return result;
-  }
-
-  /**
-   * Converts 8 bytes to a 64-bit BigInt (little-endian).
-   */
-  private bytesToBigInt(bytes: Uint8Array): bigint {
-    let result = 0n;
-    for (let i = 7; i >= 0; i--) {
-      result = (result << 8n) | BigInt(bytes[i] ?? 0);
-    }
-    return result;
-  }
-
   /**
    * Generates the next 64-bit random value.
    */
@@ -121,30 +95,43 @@ export class Xoshiro256 {
 
   /**
    * Generates a random double in [0, 1).
+   * Matches BC-UR reference: self.next() as f64 / (u64::MAX as f64 + 1.0)
    */
   nextDouble(): number {
-    // Use the upper 53 bits for double precision
     const value = this.next();
-    return Number(value >> 11n) / Number(1n << 53n);
+    // u64::MAX as f64 + 1.0 = 18446744073709551616.0
+    return Number(value) / 18446744073709551616.0;
   }
 
   /**
-   * Generates a random integer in [low, high).
+   * Generates a random integer in [low, high] (inclusive).
+   * Matches BC-UR reference: (self.next_double() * ((high - low + 1) as f64)) as u64 + low
    */
   nextInt(low: number, high: number): number {
-    const range = high - low;
-    return low + Math.floor(this.nextDouble() * range);
+    const range = high - low + 1;
+    return Math.floor(this.nextDouble() * range) + low;
   }
 
   /**
    * Generates a random byte [0, 255].
+   *
+   * Mirrors Rust `Xoshiro256::next_byte` (`ur-0.4.1/src/xoshiro.rs:91`):
+   *   `self.next_int(0, 255) as u8`
+   * This goes through `next_double() * 256.0`, which effectively uses
+   * the top 8 bits of the f64-converted u64 — NOT the low 8 bits
+   * of the raw `next()` output. Earlier the TS port used `next() & 0xff`,
+   * which produced a completely different byte sequence than Rust for
+   * the same seeded RNG.
    */
   nextByte(): number {
-    return Number(this.next() & 0xffn);
+    return this.nextInt(0, 255);
   }
 
   /**
    * Generates an array of random bytes.
+   *
+   * Mirrors Rust `Xoshiro256::next_bytes` (`ur-0.4.1/src/xoshiro.rs:95-97`):
+   *   `(0..n).map(|_| self.next_byte()).collect()`
    */
   nextData(count: number): Uint8Array {
     const result = new Uint8Array(count);
@@ -153,28 +140,153 @@ export class Xoshiro256 {
     }
     return result;
   }
+
+  /**
+   * Shuffles items by repeatedly picking random indices.
+   * Matches BC-UR reference implementation.
+   */
+  shuffled<T>(items: T[]): T[] {
+    const source = [...items];
+    const shuffled: T[] = [];
+    while (source.length > 0) {
+      const index = this.nextInt(0, source.length - 1);
+      const item = source.splice(index, 1)[0];
+      if (item !== undefined) {
+        shuffled.push(item);
+      }
+    }
+    return shuffled;
+  }
+
+  /**
+   * Chooses the degree (number of fragments to mix) using a weighted sampler.
+   * Uses the robust soliton distribution with weights [1/1, 1/2, 1/3, ..., 1/n].
+   * Matches BC-UR reference implementation.
+   */
+  chooseDegree(seqLen: number): number {
+    // Create weights: [1/1, 1/2, 1/3, ..., 1/seqLen]
+    const weights: number[] = [];
+    for (let i = 1; i <= seqLen; i++) {
+      weights.push(1.0 / i);
+    }
+
+    // Use Vose's alias method for weighted sampling
+    const sampler = new WeightedSampler(weights);
+    return sampler.next(this) + 1; // 1-indexed degree
+  }
 }
 
 /**
- * Creates a seed for the Xoshiro PRNG from message checksum and sequence number.
+ * Weighted sampler using Vose's alias method.
+ * Allows O(1) sampling from a discrete probability distribution.
+ */
+class WeightedSampler {
+  private readonly aliases: number[];
+  private readonly probs: number[];
+
+  constructor(weights: number[]) {
+    const n = weights.length;
+
+    // Mirrors Rust `Weighted::new` (`ur-0.4.1/src/sampler.rs:13-19`):
+    //   assert!(!weights.iter().any(|&p| p < 0.0), "negative probability encountered");
+    //   let summed = weights.iter().sum::<f64>();
+    //   assert!(summed > 0.0, "probabilities don't sum to a positive value");
+    if (weights.some((w) => w < 0.0)) {
+      throw new Error("negative probability encountered");
+    }
+    const sum = weights.reduce((a, b) => a + b, 0);
+    if (!(sum > 0.0)) {
+      throw new Error("probabilities don't sum to a positive value");
+    }
+
+    const normalized = weights.map((w) => (w * n) / sum);
+
+    // Initialize alias table
+    this.aliases = Array.from<number>({ length: n }).fill(0);
+    this.probs = Array.from<number>({ length: n }).fill(0);
+
+    // Partition into small and large
+    const small: number[] = [];
+    const large: number[] = [];
+
+    for (let i = n - 1; i >= 0; i--) {
+      if (normalized[i] < 1.0) {
+        small.push(i);
+      } else {
+        large.push(i);
+      }
+    }
+
+    // Build the alias table
+    while (small.length > 0 && large.length > 0) {
+      const a = small.pop();
+      const g = large.pop();
+      if (a === undefined || g === undefined) break;
+      this.probs[a] = normalized[a] ?? 0;
+      this.aliases[a] = g;
+      const normalizedG = normalized[g] ?? 0;
+      const normalizedA = normalized[a] ?? 0;
+      normalized[g] = normalizedG + normalizedA - 1.0;
+      if (normalized[g] !== undefined && normalized[g] < 1.0) {
+        small.push(g);
+      } else {
+        large.push(g);
+      }
+    }
+
+    while (large.length > 0) {
+      const g = large.pop();
+      if (g === undefined) break;
+      this.probs[g] = 1.0;
+    }
+
+    while (small.length > 0) {
+      const a = small.pop();
+      if (a === undefined) break;
+      this.probs[a] = 1.0;
+    }
+  }
+
+  /**
+   * Sample from the distribution.
+   */
+  next(rng: Xoshiro256): number {
+    const r1 = rng.nextDouble();
+    const r2 = rng.nextDouble();
+    const n = this.probs.length;
+    const i = Math.floor(n * r1);
+    if (r2 < this.probs[i]) {
+      return i;
+    } else {
+      return this.aliases[i];
+    }
+  }
+}
+
+/**
+ * Creates a Xoshiro256 PRNG instance from message checksum and sequence number.
+ *
+ * This creates an 8-byte seed by concatenating seqNum and checksum (both in
+ * big-endian), then hashes it with SHA-256 to get the 32-byte seed for Xoshiro.
  *
- * This ensures that both encoder and decoder produce the same random sequence
- * for a given message and part number.
+ * This matches the BC-UR reference implementation.
  */
 export function createSeed(checksum: number, seqNum: number): Uint8Array {
-  const seed = new Uint8Array(8);
+  // Create 8-byte seed: seqNum (big-endian) || checksum (big-endian)
+  const seed8 = new Uint8Array(8);
 
-  // Pack checksum (4 bytes, big-endian)
-  seed[0] = (checksum >>> 24) & 0xff;
-  seed[1] = (checksum >>> 16) & 0xff;
-  seed[2] = (checksum >>> 8) & 0xff;
-  seed[3] = checksum & 0xff;
+  // seqNum in big-endian (bytes 0-3)
+  seed8[0] = (seqNum >>> 24) & 0xff;
+  seed8[1] = (seqNum >>> 16) & 0xff;
+  seed8[2] = (seqNum >>> 8) & 0xff;
+  seed8[3] = seqNum & 0xff;
 
-  // Pack seqNum (4 bytes, big-endian)
-  seed[4] = (seqNum >>> 24) & 0xff;
-  seed[5] = (seqNum >>> 16) & 0xff;
-  seed[6] = (seqNum >>> 8) & 0xff;
-  seed[7] = seqNum & 0xff;
+  // checksum in big-endian (bytes 4-7)
+  seed8[4] = (checksum >>> 24) & 0xff;
+  seed8[5] = (checksum >>> 16) & 0xff;
+  seed8[6] = (checksum >>> 8) & 0xff;
+  seed8[7] = checksum & 0xff;
 
-  return seed;
+  // Hash with SHA-256 to get 32 bytes
+  return sha256(seed8);
 }