Protocol specification

Warning

All objects sent on the network should support protocol v3 starting on Sun, 16 Nov 2014 22:00:00 GMT.

Common standards

Hashes

Most of the time SHA-512 hashes are used, however RIPEMD-160 is also used when creating an address.

A double-round of SHA-512 is used for the Proof Of Work. Example of double-SHA-512 encoding of string “hello”:

hello
9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043(first round of sha-512)
0592a10584ffabf96539f3d780d776828c67da1ab5b169e9e8aed838aaecc9ed36d49ff1423c55f019e050c66c6324f53588be88894fef4dcffdb74b98e2b200(second round of sha-512)

For Bitmessage addresses (RIPEMD-160) this would give:

hello
9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043(first round is sha-512)
79a324faeebcbf9849f310545ed531556882487e (with ripemd-160)

Common structures

All integers are encoded in big endian. (This is different from Bitcoin).

Message structure
Field Size Description Data type Comments
4 magic uint32_t Magic value indicating message origin network, and used to seek to next message when stream state is unknown
12 command char[12] ASCII string identifying the packet content, NULL padded (non-NULL padding results in packet rejected)
4 length uint32_t Length of payload in number of bytes. Because of other restrictions, there is no reason why this length would ever be larger than 1600003 bytes. Some clients include a sanity-check to avoid processing messages which are larger than this.
4 checksum uint32_t First 4 bytes of sha512(payload)
? message_payload uchar[] The actual data, a message or an object. Not to be confused with objectPayload.

Known magic values:

Magic value Sent over wire as
0xE9BEB4D9 E9 BE B4 D9

Variable length integer

Integer can be encoded depending on the represented value to save space. Variable length integers always precede an array/vector of a type of data that may vary in length. Varints must use the minimum possible number of bytes to encode a value. For example, the value 6 can be encoded with one byte therefore a varint that uses three bytes to encode the value 6 is malformed and the decoding task must be aborted.

Value Storage length Format
< 0xfd 1 uint8_t
<= 0xffff 3 0xfd followed by the integer as uint16_t
<= 0xffffffff 5 0xfe followed by the integer as uint32_t
9 0xff followed by the integer as uint64_t

Variable length string

Variable length string can be stored using a variable length integer followed by the string itself.

Field Size Description Data type Comments
1+ length var_int Length of the string
? string char[] The string itself (can be empty)

Variable length list of integers

n integers can be stored using n+1 variable length integers where the first var_int equals n.

Field Size Description Data type Comments
1+ count var_int Number of var_ints below
1+   var_int The first value stored
1+   var_int The second value stored…
1+   var_int etc…

Network address

When a network address is needed somewhere, this structure is used. Network addresses are not prefixed with a timestamp or stream in the version message.

Field Size Description Data type Comments
8 time uint64 the Time.
4 stream uint32 Stream number for this node
8 services uint64_t same service(s) listed in version
16 IPv6/4 char[16] IPv6 address. IPv4 addresses are written into the message as a 16 byte IPv4-mapped IPv6 address (12 bytes 00 00 00 00 00 00 00 00 00 00 FF FF, followed by the 4 bytes of the IPv4 address).
2 port uint16_t port number

Inventory Vectors

Inventory vectors are used for notifying other nodes about objects they have or data which is being requested. Two rounds of SHA-512 are used, resulting in a 64 byte hash. Only the first 32 bytes are used; the later 32 bytes are ignored.

Inventory vectors consist of the following data format:

Field Size Description Data type Comments
32 hash char[32] Hash of the object

Encrypted payload

Bitmessage uses ECIES to encrypt its messages. For more information see Encryption

Field Size Description Data type Comments
16 IV uchar[] Initialization Vector used for AES-256-CBC
2 Curve type uint16_t Elliptic Curve type 0x02CA (714)
2 X length uint16_t Length of X component of public key R
X length X uchar[] X component of public key R
2 Y length uint16_t Length of Y component of public key R
Y length Y uchar[] Y component of public key R
? encrypted uchar[] Cipher text
32 MAC uchar[] HMACSHA256 Message Authentication Code

Unencrypted Message Data

Field Size Description Data type Comments
1+ msg_version var_int Message format version. This field is not included after the protocol v3 upgrade period.
1+ address_version var_int Sender’s address version number. This is needed in order to calculate the sender’s address to show in the UI, and also to allow for forwards compatible changes to the public-key data included below.
1+ stream var_int Sender’s stream number
4 behavior bitfield uint32_t A bitfield of optional behaviors and features that can be expected from the node with this pubkey included in this msg message (the sender’s pubkey).
64 public signing key uchar[] The ECC public key used for signing (uncompressed format; normally prepended with x04)
64 public encryption key uchar[] The ECC public key used for encryption (uncompressed format; normally prepended with x04)
1+ nonce_trials_per_byte var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is the average number of nonce trials a node will have to perform to meet the Proof of Work requirement. 1000 is the network minimum so any lower values will be automatically raised to 1000. This field is new and is only included when the address_version >= 3.
1+ extra_bytes var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is added to the data length to make sending small messages more difficult. 1000 is the network minimum so any lower values will be automatically raised to 1000. This field is new and is only included when the address_version >= 3.
20 destination ripe uchar[] The ripe hash of the public key of the receiver of the message
1+ encoding var_int Message Encoding type
1+ message_length var_int Message Length
message_length message uchar[] The message.
1+ ack_length var_int Length of the acknowledgement data
ack_length ack_data uchar[] The acknowledgement data to be transmitted. This takes the form of a Bitmessage protocol message, like another msg message. The POW therein must already be completed.
1+ sig_length var_int Length of the signature
sig_length signature uchar[] The ECDSA signature which covers the object header starting with the time, appended with the data described in this table down to the ack_data.

Message Encodings

Value Name Description
0 IGNORE Any data with this number may be ignored. The sending node might simply be sharing its public key with you.
1 TRIVIAL UTF-8. No ‘Subject’ or ‘Body’ sections. Useful for simple strings of data, like URIs or magnet links.
2 SIMPLE

UTF-8. Uses ‘Subject’ and ‘Body’ sections. No MIME is used.

messageToTransmit = 'Subject:' + subject + '\n' + 'Body:' + message
3 EXTENDED See Extended encoding

Further values for the message encodings can be decided upon by the community. Any MIME or MIME-like encoding format, should they be used, should make use of Bitmessage’s 8-bit bytes.

Pubkey bitfield features

Bit Name Description
0 undefined The most significant bit at the beginning of the structure. Undefined
1 undefined The next most significant bit. Undefined
27 onion_router (Proposal) Node can be used to onion-route messages. In theory any node can onion route, but since it requires more resources, they may have the functionality disabled. This field will be used to indicate that the node is willing to do this.
28 forward_secrecy (Proposal) Receiving node supports a forward secrecy encryption extension. The exact design is pending.
29 chat (Proposal) Address if for chatting rather than messaging.
30 include_destination

(Proposal) Receiving node expects that the RIPE hash encoded in their address preceedes the encrypted message data of msg messages bound for them.

Note

since hardly anyone implements this, this will be redesigned as simple recipient verification

31 does_ack If true, the receiving node does send acknowledgements (rather than dropping them).

Message types

Undefined messages received on the wire must be ignored.

version

When a node creates an outgoing connection, it will immediately advertise its version. The remote node will respond with its version. No futher communication is possible until both peers have exchanged their version.

Payload
Field Size Description Data type Comments
4 version int32_t Identifies protocol version being used by the node. Should equal 3. Nodes should disconnect if the remote node’s version is lower but continue with the connection if it is higher.
8 services uint64_t bitfield of features to be enabled for this connection
8 timestamp int64_t standard UNIX timestamp in seconds
26 addr_recv net_addr The network address of the node receiving this message (not including the time or stream number)
26 addr_from net_addr The network address of the node emitting this message (not including the time or stream number and the ip itself is ignored by the receiver)
8 nonce uint64_t Random nonce used to detect connections to self.
1+ user_agent var_str User Agent (0x00 if string is 0 bytes long). Sending nodes must not include a user_agent longer than 5000 bytes.
1+ stream_numbers var_int_list The stream numbers that the emitting node is interested in. Sending nodes must not include more than 160000 stream numbers.

A “verack” packet shall be sent if the version packet was accepted. Once you have sent and received a verack messages with the remote node, send an addr message advertising up to 1000 peers of which you are aware, and one or more inv messages advertising all of the valid objects of which you are aware.

The following services are currently assigned
Value Name Description
1 NODE_NETWORK This is a normal network node.
2 NODE_SSL This node supports SSL/TLS in the current connect (python < 2.7.9 only supports a SSL client, so in that case it would only have this on when the connection is a client).
3 NODE_POW (Proposal) This node may do PoW on behalf of some its peers (PoW offloading/delegating), but it doesn’t have to. Clients may have to meet additional requirements (e.g. TLS authentication)
4 NODE_DANDELION Node supports dandelion

verack

The verack message is sent in reply to version. This message consists of only a message header with the command string “verack”. The TCP timeout starts out at 20 seconds; after verack messages are exchanged, the timeout is raised to 10 minutes.

If both sides announce that they support SSL, they must perform an SSL handshake immediately after they both send and receive verack. During this SSL handshake, the TCP client acts as an SSL client, and the TCP server acts as an SSL server. The current implementation (v0.5.4 or later) requires the AECDH-AES256-SHA cipher over TLSv1 protocol, and prefers the secp256k1 curve (but other curves may be accepted, depending on the version of python and OpenSSL used).

addr

Provide information on known nodes of the network. Non-advertised nodes should be forgotten after typically 3 hours

Payload:

Field Size Description Data type Comments
1+ count var_int Number of address entries (max: 1000)
38 addr_list net_addr Address of other nodes on the network.

inv

Allows a node to advertise its knowledge of one or more objects. Payload (maximum payload length: 50000 items):

Field Size Description Data type Comments
? count var_int Number of inventory entries
32x? inventory inv_vect[] Inventory vectors

getdata

getdata is used in response to an inv message to retrieve the content of a specific object after filtering known elements.

Payload (maximum payload length: 50000 entries):

Field Size Description Data type Comments
? count var_int Number of inventory entries
32x? inventory inv_vect[] Inventory vectors

error

Note

New in version 3

This message may be silently ignored (and therefor handled like any other “unknown” message).

The message is intended to inform the other node about protocol errors and can be used for debugging and improving code.

Field Size Description Data type Comments
1+ fatal var_int This qualifies the error. If set to 0, than its just a “warning”. You can expect, everything still worked fine. If set to 1, than it’s an error, so you may expect, something was going wrong (e.g. an object got lost). If set to 2, it’s a fatal error. The node will drop the line for that error and maybe ban you for some time.
1+ ban time var_int If the error is fatal, you can specify the ban time in seconds, here. You inform the other node, that you will not accept further connections for this number of seconds. For non fatal errors this field has no meaning and should be zero.
1+ inventory vector var_str If the error is related to an object, this Variable length string contains the inventory vector of that object. If the error is not related to an object, this string is empty.
1+ error text var_str A human readable string in English, which describes the error.

object

An object is a message which is shared throughout a stream. It is the only message which propagates; all others are only between two nodes. Objects have a type, like ‘msg’, or ‘broadcast’. To be a valid object, the Proof of work must be done. The maximum allowable length of an object (not to be confused with the objectPayload) is 218 bytes.

Message structure
Field Size Description Data type Comments
8 nonce uint64_t Random nonce used for the Proof of work
8 expiresTime uint64_t The “end of life” time of this object (be aware, in version 2 of the protocol this was the generation time). Objects shall be shared with peers until its end-of-life time has been reached. The node should store the inventory vector of that object for some extra period of time to avoid reloading it from another node with a small time delay. The time may be no further than 28 days + 3 hours in the future.
4 objectType uint32_t Four values are currently defined: 0-“getpubkey”, 1-“pubkey”, 2-“msg”, 3-“broadcast”. All other values are reserved. Nodes should relay objects even if they use an undefined object type.
1+ version var_int The object’s version. Note that msg objects won’t contain a version until Sun, 16 Nov 2014 22:00:00 GMT.
1+ stream number var_int The stream number in which this object may propagate
? objectPayload uchar[] This field varies depending on the object type; see below.

Unsupported messages

If a node receives an unknown message it must silently ignore it. This is for further extensions of the protocol with other messages. Nodes that don’t understand such a new message type shall be able to work correct with the message types they understand.

Maybe some version 2 nodes did already implement it that way, but in version 3 it is part of the protocol specification, that a node must silently ignore unsupported messages.

Object types

Here are the payloads for various object types.

getpubkey

When a node has the hash of a public key (from an address) but not the public key itself, it must send out a request for the public key.

Field Size Description Data type Comments
20 ripe uchar[] The ripemd hash of the public key. This field is only included when the address version is <= 3.
32 tag uchar[] The tag derived from the address version, stream number, and ripe. This field is only included when the address version is >= 4.

pubkey

A version 2 pubkey. This is still in use and supported by current clients but new v2 addresses are not generated by clients.

Field Size Description Data type Comments
4 behavior bitfield uint32_t A bitfield of optional behaviors and features that can be expected from the node receiving the message.
64 public signing key uchar[] The ECC public key used for signing (uncompressed format; normally prepended with x04 )
64 public encryption key uchar[] The ECC public key used for encryption (uncompressed format; normally prepended with x04 )
A version 3 pubkey
Field Size Description Data type Comments
4 behavior bitfield uint32_t A bitfield of optional behaviors and features that can be expected from the node receiving the message.
64 public signing key uchar[] The ECC public key used for signing (uncompressed format; normally prepended with x04 )
64 public encryption key uchar[] The ECC public key used for encryption (uncompressed format; normally prepended with x04 )
1+ nonce_trials_per_byte var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is the average number of nonce trials a node will have to perform to meet the Proof of Work requirement. 1000 is the network minimum so any lower values will be automatically raised to 1000.
1+ extra_bytes var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is added to the data length to make sending small messages more difficult. 1000 is the network minimum so any lower values will be automatically raised to 1000.
1+ sig_length var_int Length of the signature
sig_length signature uchar[] The ECDSA signature which, as of protocol v3, covers the object header starting with the time, appended with the data described in this table down to the extra_bytes.
A version 4 pubkey
Field Size Description Data type Comments
32 tag uchar[] The tag, made up of bytes 32-64 of the double hash of the address data (see example python code below)
? encrypted uchar[] Encrypted pubkey data.

When version 4 pubkeys are created, most of the data in the pubkey is encrypted. This is done in such a way that only someone who has the Bitmessage address which corresponds to a pubkey can decrypt and use that pubkey. This prevents people from gathering pubkeys sent around the network and using the data from them to create messages to be used in spam or in flooding attacks.

In order to encrypt the pubkey data, a double SHA-512 hash is calculated from the address version number, stream number, and ripe hash of the Bitmessage address that the pubkey corresponds to. The first 32 bytes of this hash are used to create a public and private key pair with which to encrypt and decrypt the pubkey data, using the same algorithm as message encryption (see Encryption). The remaining 32 bytes of this hash are added to the unencrypted part of the pubkey and used as a tag, as above. This allows nodes to determine which pubkey to decrypt when they wish to send a message.

In PyBitmessage, the double hash of the address data is calculated using the python code below:

doubleHashOfAddressData = hashlib.sha512(hashlib.sha512(
    encodeVarint(addressVersionNumber) + encodeVarint(streamNumber) + hash
).digest()).digest()
Encrypted data in version 4 pubkeys:
Field Size Description Data type Comments
4 behavior bitfield uint32_t A bitfield of optional behaviors and features that can be expected from the node receiving the message.
64 public signing key uchar[] The ECC public key used for signing (uncompressed format; normally prepended with x04 )
64 public encryption key uchar[] The ECC public key used for encryption (uncompressed format; normally prepended with x04 )
1+ nonce_trials_per_byte var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is the average number of nonce trials a node will have to perform to meet the Proof of Work requirement. 1000 is the network minimum so any lower values will be automatically raised to 1000.
1+ extra_bytes var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is added to the data length to make sending small messages more difficult. 1000 is the network minimum so any lower values will be automatically raised to 1000.
1+ sig_length var_int Length of the signature
sig_length signature uchar[] The ECDSA signature which covers everything from the object header starting with the time, then appended with the decrypted data down to the extra_bytes. This was changed in protocol v3.

msg

Used for person-to-person messages. Note that msg objects won’t contain a version in the object header until Sun, 16 Nov 2014 22:00:00 GMT.

Field Size Description Data type Comments
? encrypted uchar[] Encrypted data. See Encrypted payload. See also Unencrypted Message Data

broadcast

Users who are subscribed to the sending address will see the message appear in their inbox. Broadcasts are version 4 or 5.

Pubkey objects and v5 broadcast objects are encrypted the same way: The data encoded in the sender’s Bitmessage address is hashed twice. The first 32 bytes of the resulting hash constitutes the “private” encryption key and the last 32 bytes constitute a tag so that anyone listening can easily decide if this particular message is interesting. The sender calculates the public key from the private key and then encrypts the object with this public key. Thus anyone who knows the Bitmessage address of the sender of a broadcast or pubkey object can decrypt it.

The version of broadcast objects was previously 2 or 3 but was changed to 4 or 5 for protocol v3. Having a broadcast version of 5 indicates that a tag is used which, in turn, is used when the sender’s address version is >=4.

Field Size Description Data type Comments
32 tag uchar[] The tag. This field is new and only included when the broadcast version is >= 5. Changed in protocol v3
? encrypted uchar[] Encrypted broadcast data. The keys are derived as described in the paragraph above. See Encrypted payload for details about the encryption algorithm itself.

Unencrypted data format:

Field Size Description Data type Comments
1+ broadcast version var_int The version number of this broadcast protocol message which is equal to 2 or 3. This is included here so that it can be signed. This is no longer included in protocol v3
1+ address version var_int The sender’s address version
1+ stream number var_int The sender’s stream number
4 behavior bitfield uint32_t A bitfield of optional behaviors and features that can be expected from the owner of this pubkey.
64 public signing key uchar[] The ECC public key used for signing (uncompressed format; normally prepended with x04)
64 public encryption key uchar[] The ECC public key used for encryption (uncompressed format; normally prepended with x04)
1+ nonce_trials_per_byte var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is the average number of nonce trials a node will have to perform to meet the Proof of Work requirement. 1000 is the network minimum so any lower values will be automatically raised to 1000. This field is new and is only included when the address_version >= 3.
1+ extra_bytes var_int Used to calculate the difficulty target of messages accepted by this node. The higher this value, the more difficult the Proof of Work must be before this individual will accept the message. This number is added to the data length to make sending small messages more difficult. 1000 is the network minimum so any lower values will be automatically raised to 1000. This field is new and is only included when the address_version >= 3.
1+ encoding var_int The encoding type of the message
1+ messageLength var_int The message length in bytes
messageLength message uchar[] The message
1+ sig_length var_int Length of the signature
sig_length signature uchar[] The signature which did cover the unencrypted data from the broadcast version down through the message. In protocol v3, it covers the unencrypted object header starting with the time, all appended with the decrypted data.