User elements
These data structures are composed by the Users.
Entry
An Entry is the element which carries user data. An Entry Reveal is essentially this data.
The External IDs are a part of the Entry which have byte sequence lengths that must be known by Factom. The first Entry in a Factom Chain uses the External IDs to define the Chain Name. Other Entries can use the External IDs as their application dictates.
To be valid, the External IDs are parsed and the end of the last element must match the defined length for the External IDs as defined in the header.
External IDs (ExtID) are intended to provide any sort of tagging information for Entries that applications may find useful. Keys to databases are likely to be a common use. External IDs are simply data to Factom, and are not used in the consensus algorithm after the first Entry.
External IDs and Content is not checked for validity, or sanitized, as it is only viewed as binary data.
Data | Field Name | Description |
Header | ||
varInt_F | Version | starts at 0. Higher numbers are currently rejected. Can safely be coded using 1 byte for the first 127 versions. |
32 bytes | ChainID | This is the Chain which the author wants this Entry to go into. |
2 bytes | ExtIDs Size | Describes how many bytes required for the set of External IDs for this Entry. Must be less than or equal to the Payload size. Big endian. |
Payload | This is the data between the end of the Header and the end of the Content. | |
External IDs | This section is only interpreted and enforced if the External ID Size is greater than zero. | |
2 bytes | ExtID element 0 length | This is the number of the following bytes to be interpreted as an External ID element. Cannot be 0 length. |
variable | ExtID 0 | This is the data for the first External ID. |
2 bytes | ExtID X | Size of the X External ID |
variable | ExtID X data | This is the Xth element. The last byte of the last element must fall on the last byte specified ExtIDs Size in the header. |
Content | ||
variable | Entry Data | This is the unstructured part of the Entry. It is all user specified data. |
Minimum empty Entry length: 35 bytes
Minimum empty first Entry with Chain Name of 1 byte: 38 bytes
Maximum Entry size: 10KiB + 35 bytes = 10275 bytes
Typical size recording the hash of a file with 200 letters of ExtID metadata: 1+32+2+2+200+32 = 269 bytes
example size of something similar to an Omni(MSC) transaction, assuming 500 bytes per transaction: 1+32+2+500 = 535 bytes
Example Entry with a Chain Name of 'test', spaces added for clarity: As first Entry: 00 954d5a49fd70d9b8bcdb35d252267829957f7ef7fa6c74f88419bdc5e82209f4 0006 0004 74657374 5061796c6f616448657265
As regular Entry without ExtID: 00 954d5a49fd70d9b8bcdb35d252267829957f7ef7fa6c74f88419bdc5e82209f4 0000 5061796c6f616448657265
As regular Entry with ExtID of 'Hello' in 'test' chain: 00 954d5a49fd70d9b8bcdb35d252267829957f7ef7fa6c74f88419bdc5e82209f4 0007 0005 48656c6c6f 5061796c6f616448657265
Entry Hash
The Entry Hash is a 32 byte identifier unique to specific Entry data. It is referenced in the Entry Block body as well as in the Entry Commit. In a desire to maintain long term resistance to second-preimage attacks in SHA2, as well as preventing length extension attacks, SHA512 is included in the Entry Hash generation process. For a future attacker to come up with a dishonest piece of data, they would need contend with many extra hashing rounds with a combined SHA512 and SHA256 in series. This operation is in contrast to the SHA256d, which does one hash over the SHA256 of the protected data. To brute force a SHA256d collision, modifying data at the end can only require 128 rounds. Prepending the SHA512 requires finding collision to iterate over the entire Entry more than once per attempt.
Straight SHA256 is used for Merkle roots due to anticipated CPU hardware acceleration, as well as being double-checkable by the serial hash. Entries (unlike blocks) do not have two independent ways of hashing protecting data, so this is why the hashing is more complex.
To calculate the Entry Hash, first the Entry is serialized and passed into a SHA512 function. The 64 bytes output from the SHA512 function is prepended to the serialized Entry. The Entry+prependage are then fed through a SHA256 function, and the output of that is the Entry Hash.
Using the above Entry as an example.
00954d5a49fd70d9b8bcdb35d252267829957f7ef7fa6c74f88419bdc5e82209f400005061796c6f616448657265 is passed into SHA512 and that gives: 0ba3c58955c69b02aa675d8ff15b505a48335fdc9a06354ba55e4149f77b69835c8c2b7002ca3b09202846d03626bada6b408fa1374f22dc396c64d9a3980ed3
The Entry is appended to the SHA512 result to make 0ba3c58955c69b02aa675d8ff15b505a48335fdc9a06354ba55e4149f77b69835c8c2b7002ca3b09202846d03626bada6b408fa1374f22dc396c64d9a3980ed300954d5a49fd70d9b8bcdb35d252267829957f7ef7fa6c74f88419bdc5e82209f400005061796c6f616448657265 which is then SHA256 hashed to make an Entry Hash of: 72177d733dcd0492066b79c5f3e417aef7f22909674f7dc351ca13b04742bb91
Entry Commit
An Entry Commit is a payment for a specific Entry. It deducts a balance held by a specific public key in the amount specified. They are collected into the Entry Credit chain as proof that a balance should be decremented.
data | Field Name | Description |
Header | ||
varInt_F | Version | starts at 0. Higher numbers are currently rejected. Can safely be coded using 1 byte for the first 127 versions. |
6 bytes | milliTimestamp | This is a timestamp that is user defined. It is a unique value per payment. This is the number of milliseconds since 1970 epoch. |
32 bytes | Entry Hash | This is the SHA512+256 descriptor of the Entry to be paid for. |
1 byte | Number of Entry Credits | This is the number of Entry Credits which will be deducted from the balance of the public key. Any values above 10 are invalid. |
32 bytes | Pubkey | This is the Entry Credit public key which will have the balance reduced. It is the ed25519 A value. |
64 bytes | Signature | This is a signature of this Entry Commit by the pubkey. Parts ordered R then S. Signature covers from Version through 'Number of Entry Credits' |
The Entry Commit is only valid for 12 hours before and after the milliTimestamp. Since Entry Credits are balance based, replay attacks can reduce balances. Also a user can pay for the same Entry twice, and have two copies in Factom. Since a P2P network is used, the payments would need to be differentiated. The payments would be differentiated by public key and the time specified. This puts a limit of 1000 per second on any individual Entry Credit public key per duplicate Entry. The milliTimestamp also helps the network protect itself. Adding the time element allows peers to automatically reject payments beyond 12 hours plus or minus. This means they must check for duplicates only over a rolling one day period.
The number of Entry Credits is based on the Payload size. Cost is 1 EC per partial KiB. Empty Entries cost 1 EC.
The Entry Commits (and Chain Commits) have two hashes associated with them. Each hash is a single SHA256 of the data. One is the hash of the entire Commit from the Version through the Signature. The other is the hash of the ledger fields (Version through Number of Entry Credits), which is the TXID. The TXID is immune from transaction malleability, since it does not cover the signature. Doublespends share the same ledger hash.
Chain Commit
A Chain Commit is a simultaneous payment for a specific Entry and a payment to allow a new Chain to be created. It deducts a balance held by a specific EC public key in the amount specified. They are collected into the Entry Credit chain as proof that a balance should be decremented.
Data | Field Name | Description |
varInt_F | Version | starts at 0. Higher numbers are currently rejected. Can safely be coded using 1 byte for the first 127 versions. |
6 bytes | milliTimestamp | This is a timestamp that is user defined. It is a unique value per payment. This is the number of milliseconds since 1970 epoch. |
32 bytes | ChainID Hash | This is a double hash (SHA256d) of the ChainID which the Entry is in. |
32 bytes | Commit Weld | SHA256(SHA256(Entry Hash |
32 bytes | Entry Hash | This is the SHA512+256 descriptor of the Entry to be the first in the Chain. |
1 byte | Number of Entry Credits | This is the number of Entry Credits which will be deducted from the balance of the public key. Any values above 20 or below 11 are invalid. |
32 bytes | Pubkey | This is the Entry Credit public key which will have the balance reduced. |
64 bytes | Signature | This is a signature of this Chain Commit by the pubkey. Parts ordered R then S. Signature covers from Version through 'Number of Entry Credits' |
The Federated server will keep track of the Chain Commits based on ChainID Hash. The Federated servers keep track of the Chain Commits they receive. When the first Entry is received, it will reveal the ChainID. If the ChainID was a secret, then it now can be compared against all the possible Chain Commits claiming to pay for Entries of a certain ChainID. Once the ChainID is revealed, the ChainID hash and the 'Entry Hash + ChainID' fields can be compared to see if they match and form valid hashes. If they do not match, that Chain Commit is invalid. If they do match, then the first one to be acknowledged gets accepted as the first Entry. They maintain exclusivity for 1 hour for each ChainID hash after an acknowledgement. The commit itself must be within 12 hours +/- of the milliTimestamp.
A prudent user will not broadcast their first Entry until the Federated server acknowledges the Chain Commit. If they do not wait, a malicious peer on the P2P network can put their Entry as the first one in that Chain, or stop the chain from being created for 1 hour. This is the denial of chain attack.
Chain Commits cost 10 Entry Credits to create the Chain, plus the fee per KiB of the Entry itself.
The TXID of a Chain Commit shares the same form as a Entry Commit.
Factoid Transaction
Factoid transactions are similar to Bitcoin transactions, but incorporate some lessons learned from Bitcoin.
They are closer to P2SH style addresses, where the value is sent to the hash of a redeem condition, instead of sent to the redeem condition itself. To redeem value, a datastructure containing public keys, etc should be revealed. This is referred to as the Redeem Condition Datastructure (RCD)
Factoids use Ed25519 with Schnorr signatures. They have many benefits over the ECDSA signatures used in Bitcoin.
The signatures are enforced to be canonical. This will limit malleability by attackers without the private key.
Scripts are not used. They may be added later, but are not implemented in the first version. Instead of scripts, there are a limited number of valid RCDs which are interpreted. This is similar to how Bitcoin only has a handful of standard transactions. Non-standard transactions are not relayed on the Factom P2P network. In Factom, non-standard transactions are undefined. Adding new transaction types will cause a hard fork of the Factom network.
Factoids are balanced based and have all the value combined to a single amount. The address is a hash of a Redeem Condition Datastructure (RCD). The Factoid transaction is denominated in Factoshis, which is 10^-8 Factoids.
data | Field Name | Description |
Header | ||
varInt_F | Version | Version of the transaction type. Versions other than 2 are not relayed. Can safely be coded using 1 byte for the first 127 versions. |
6 bytes | milliTimestamp | Same rules as the Entry Commits. This is a unique value per transaction. This field is the number of milliseconds since 1970 epoch. The Factoid transaction is valid for 24 hours before and after this time. |
1 byte | Input Count | This is how many Factoid addresses are being spent from in this transaction. |
1 byte | Factoid Output Count | This is how many Factoid addresses are being spent to in this transaction. |
1 byte | Entry Credit Purchase Count | This is how many Entry Credit addresses are being spent to in this transaction. |
Inputs | ||
varInt_F | Value | (Input 0) This is how much the Factoshi balance of Input 0 will be decreased by. |
32 bytes | Factoid Address | (Input 0) This is an RCD hash which previously had value assigned to it. |
varInt_F | Value | (Input X) This is how much the Factoshi balance of Input X will be decreased by. |
32 bytes | Factoid Address | (Input X) This is an RCD hash which previously had value assigned to it. |
Factoid Outputs | ||
varInt_F | Value | (Output 0) This is how much the Output 0 Factoshi balance will be increased by. |
32 bytes | Factoid Address | (Output 0) This is an RCD hash which will have its balance increased. |
varInt_F | Value | (Output X) This is how much the Output X Factoshi balance will be increased by. |
32 bytes | Factoid Address | (Output X) This is an RCD hash which will have its balance increased. |
Entry Credit Purchase | ||
varInt_F | Value | (Purchase 0) This many Factoshis worth of ECs will be credited to the Entry Credit public key 0. |
32 bytes | EC Pubkey | (Purchase 0) This is Entry Credit public key that will have its balance increased. |
varInt_F | Value | (Purchase X) This many Factoshis worth of ECs will be credited to the Entry Credit public key X. |
32 bytes | EC Pubkey | (Purchase X) This is Entry Credit public key that will have its balance increased. |
Redeem Condition Datastructure (RCD) Reveal / Signature Section | ||
variable | RCD 0 | First RCD. It hashes to input 0. The length is dependent on the RCD type, which is in the first byte. There are as many RCDs as there are inputs. |
variable | Signature 0 | This is the data needed to satisfy RCD 0. It is a signature for type 1, but might be other types of data for later RCD types. Its length is dependent on the RCD type. |
variable | RCD X | Xth RCD. It hashes to input X. |
variable | Signature X | This is the data needed to satisfy RCD X. |
The transaction is protected against replay attacks because the servers do not allow duplicate transactions with the same timestamp if they share the same inputs and outputs. Changing any of those fields would also break the signature.
The signatures cover the Header, Inputs, Outputs, and Purchases. The RCD is protected from tampering because the signed inputs specify only one possible RCD.
The Factoids have two hashes associated with them. Both are a single SHA256 of the data. One is the hash of the entire transaction from the Header through the Signatures. The other is the hash of the ledger fields (Header through Entry Credit Purchase), which is the TXID. The TXID is immune from transaction malleability, since it does not cover the signature (or subkeys of a multisig). Doublespends share the same ledger hash.
Redeem Condition Datastructure (RCD)
This can be considered equivalent to a Bitcoin redeem script behind a P2SH transaction. The first version will only support single signature addresses. Type 1 is defined here. The RCD is hashed with SHA256 twice, (SHA256d), to prevent potential length extension attacks. Multisignature RCDs are planned for release soon.
RCD Type 1:
data | Field Name | Description |
varInt_F | Type | The RCD type. This specifies how the datastructure should be interpreted. Type 1 is the only currently valid type. Can safely be coded using 1 byte for the first 127 types. |
32 bytes | Pubkey 0 | The raw ed25519 public key. |
Note: For the token sale, a raw Ed25519 pubkey is included in an OP_RETURN output along with the payment to the sale multisig address. The the genesis block will contain a transaction which outputs to many 1 of 1 addresses. There will be an output for each of the Bitcoin payments' specified pubkeys. The addresses will be derived from the exposed pubkeys. Payments with the same pubkey will have their balances combined.
Some later RCD types will be added. Output types supporting atomic cross chain swaps and time locking outputs are desirable. Output scripts are also useful and desirable, but can open security holes. They are not critical for the first release of Factom, so we will implement them later. This would give us the ability to make conditional outputs (IF, AND, OR, etc). Nesting is also desirable. This would give multisig within a multisig transaction. Implementing scripts will give all the intermediate RCD types, so possibly going directly to scripts can bypass a special atomic cross chain swap, etc.
Ed25519 allows for threshold multisig in a single signature, but that cryptography will have to come later. This does have the disadvantage against Bitcoin style, multiple individual key checking though. When a signature is made, this method does not show who in the group made the signature.
Fees
Fees are the difference between the outputs and the inputs. The fees are sacrificed. They are defined by, but not reclaimed by the Federated servers. The minimum transaction fees are based on the current exchange rate of Factoids to Entry Credits. The outputs must be less than the inputs by at least the the fee amount at confirmation time. The minimum fees are the sum of 3 things that cause load on the system:
Transaction data size. -- Factoid transactions are charged the same amount as Entry Credits (EC). The size fees are 1 EC per KiB with a maximum transaction size of 10 KiB.
Number of outputs created -- These are data points which potentially need to be tracked far into the future. They are more expensive to handle, and require a larger sacrifice. Outputs cost 10 EC per output. A purchase of Entry Credits also requires the 10 EC sized fee to be valid.
Number of signatures checked -- These cause expensive computation on all full nodes. A fee of 1 EC equivalent must be paid for each signature included.
A minimal transaction buying Entry Credits or sending Factoids to one address from a single sig address would cost the equivalent of 12 Entry Credits.
Coinbase Factoid Transaction
The coinbase transaction is how new Factoids come into the system to reward network participants. These are new Factoids created by the protocol. The outputs are determined by the Coinbase Descriptor which is included in the Admin block 1000 blocks prior (approx 1 week).
In M1 and M2, coinbase transactions were included in each factoid block. All but the genesis block coinbase tx had 0 inputs and 0 outputs. In M3, the coinbase tx will similarly be 0 inputs and 0 outputs except for coinbases included at 25 block intervals. A non-zero coinbase output will be on Factoid blocks following 1000 blocks after a Coinbase Descriptor in the Admin block.
data | Field Name | Description |
Header | ||
varInt_F | Version | Determined by Federated Servers, version 2 for now. |
6 bytes | milliTimestamp | The time is set as the Directory Block timestamp. |
1 byte | Input Count | Always zero. coinbase has no inputs. As such, it has no RCD reveals or signatures. |
1 byte | Factoid Output Count | This is how many Factoid addresses are being spent to in this transaction. It is coordinated among the Federated Servers. |
1 byte | Entry Credit Purchase Count | Always zero. Federated Servers do not need to buy entry credits in the coinbase. |
Factoid Outputs | ||
varInt_F | Value | (Output 0) This is how much the Output 0 Factoshi balance will be increased by. |
32 bytes | Factoid Address | (Output 0) This is an RCD hash which will have its balance increased. |
varInt_F | Value | (Output X) This is how much the Output X Factoshi balance will be increased by. |
32 bytes | Factoid Address | (Output X) This is an RCD hash which will have its balance increased. |
Balance Increase
This datastructure is a pointer to a valid Factoid transaction which purchases Entry Credits. It creates a trigger to increase the Entry Credit balance of a particular EC pubkey. It is derived deterministically from every Factoid output which credits EC keys.
data | Field Name | Description |
32 bytes | EC Public Key | This is the public key which the Factoid transaction has credited. |
32 bytes | TXID | This is the transaction ID of the Factoid transaction crediting the above public key. |
varInt_F | Index | The index in the above Factoid transaction's Purchase field crediting the EC pubkey. |
varInt_F | NumEC | This is the number of Entry Credits granted to the EC public key based on the current exchange rate in effect. |
Human Readable Addresses
Factoid and Entry Credit addresses are modeled after Bitcoin addresses. They have an identifiable prefix and a checksum to prevent typos. See base58check encoding. Instead of Bitcoin's 160 bits, they use 256 bits. They also use 2 bytes for the version byte instead of Bitcoin's 1 byte.
Factoid Address
Factoids are sent to an RCD Hash. Inside the computer, the RCD hash is represented as a 32 byte number. The user sees Factoid addresses as a 52 character string starting with FA.
To convert a 32 byte RCD Hash to a Factoid address follow these steps:
Concatenate 0x5fb1 and the RCD Hash bytewise
5fb10000000000000000000000000000000000000000000000000000000000000000using zeros as a substitute RCD Hash
Take the SHA256d of the above data. Append the first 4 bytes of this SHA256d to the end of the above value bytewise.
5fb10000000000000000000000000000000000000000000000000000000000000000d48a8e32
Convert the above value from base 256 to base 58. Use standard Bitcoin base58 encoding to display the number.
FA1y5ZGuHSLmf2TqNf6hVMkPiNGyQpQDTFJvDLRkKQaoPo4bmbgu
Factoid addresses will range between FA1y5ZGuHSLmf2TqNf6hVMkPiNGyQpQDTFJvDLRkKQaoPo4bmbgu and FA3upjWMKHmStAHR5ZgKVK4zVHPb8U74L2wzKaaSDQEonHajiLeq representing all zeros and all f-characters (hex).
Entry Credit Address
Entry Credits are redeemed to an Ed25519 raw public key. Inside the computer, the pubkey is represented as a 32 byte number. The user sees Entry Credit addresses as a 52 character string starting with EC.
To convert a 32 byte pubkey to an Entry Credit address follow these steps:
Concatenate 592a and the pubkey bytewise
592a0000000000000000000000000000000000000000000000000000000000000000using zeros as a substitute pubkey
Take the SHA256d of the above data. Append the first 4 bytes of this SHA256d to the end of the above value bytewise.
592a00000000000000000000000000000000000000000000000000000000000000003cf4595f
Convert the above value from base 256 to base 58. Use standard Bitcoin base58 encoding to display the number.
EC1m9mouvUQeEidmqpUYpYtXg8fvTYi6GNHaKg8KMLbdMBrFfmUa
Entry Credit addresses will range between EC1m9mouvUQeEidmqpUYpYtXg8fvTYi6GNHaKg8KMLbdMBrFfmUa and EC3htx3MxKqKTrTMYj4ApWD8T3nYBCQw99veRvH1FLFdjgN6GuNK representing all zeros and all f-characters (hex).
Private Keys
Private keys for Factoids and Entry Credits follow a similar pattern. They start with Fs and Es, with the s standing for secret.
Factoid Private Keys
Single signature private keys are represented in human readable form using the same base58check as the public keys. The only difference is the prefix bytes. The Factoid private key prefix is 0x6478.
Human readable Factoid private keys will range between Fs1KWJrpLdfucvmYwN2nWrwepLn8ercpMbzXshd1g8zyhKXLVLWj and Fs3GFV6GNV6ar4b8eGcQWpGFbFtkNWKfEPdbywmha8ez5p7XMJyk representing all zeros and all f-characters (hex).
Entry Credit Private Keys
Single signature private keys are represented in human readable form using the same base58check as the public keys. The only difference is the prefix bytes. The Entry Credit private key prefix is 0x5db6.
Human readable Entry Credit private keys will range between Es2Rf7iM6PdsqfYCo3D1tnAR65SkLENyWJG1deUzpRMQmbh9F3eG and Es4NQHwo8F4Z4oMnVwndtjV1rzZN3t5pP5u5jtdgiR1RA6FH4Tmc representing all zeros and all f-characters (hex).
Last updated