Is there a digital time-stamping scheme that does not rely on a time-stamping authority?

Question

Given a bit string, is it possible to assign it an immutable time stamp that is verifiable as correct without assuming a (one or more) trusted time-stamping authority? A time-stamp is correct if it is within delta milliseconds of the creation of the (instance of the) bit string, for some fixed but small delta. The creation time of a bit string is chosen by its creator / owner (but it is immutable once stamped).

To start off the discussion, I suspect that there will be a need to connect to some sort of physical information source (a la atomic clocks, resistor noise, radioactive half-life etc.) and make some clever use of it.

If it is not possible, I would like an argument that exposes the fundamental barrier. If it is possible, I would like an exposition of the main idea and links to papers or patents for details.

I apologize if my question has a simple answer that my novice mind has missed.

Thank you for considering my question and I appreciate your spending any cycles on a stranger's query.

Update 1: When I say that the creator of the bit string may choose the timestamp, I mean that they can choose when to timestamp the bit string. If they decide to do so at some time t, then the bitstring must be time-stamped to show time t (within delta). It does not mean that the creator can choose any timestamp in the past or future. Such arbitrary stamping must be impossible in the scheme, of course.

Answer 1

If being decentralized with no trusted timestamping authority that could backdate things is a must, then the solution is Bitcoin's blockchain (or a similar cryptocurrency's blockchain). OpenTimestamps is a project for efficiently using it to timestamp files.

---

Most of the design for a possible basic decentralized cryptocurrency has been known since public key cryptography was invented (have a shared ledger of public keys with associated balances, and anyone can transfer currency from their balance to another by signing a transaction with their private key), but it had always been blocked by the double-spend problem (Alice could sign a transaction sending currency to Bob to buy a physical object, and then once it's in her possession, she could broadcast a second transaction with an older timestamp that sends that same currency to a 3rd address also controlled by herself instead, and try to convince everyone else that it came first and should be honored instead of the transaction to Bob). Essentially, without a decentralized timestamping service, there's no way for a decentralized cryptocurrency to get everyone to agree on the same order of transactions.

The double-spend problem was finally solved in 2009 by Bitcoin through its use of a proof-of-work blockchain. Each block contains a proof-of-work based on a hash of the rest of the block, the hash of the previous block, and a list of transactions. People ("miners") are incentivized to compute the blockchain proof-of-works by receiving newly minted bitcoins and bitcoin transaction fees. Each block contains a timestamp, and the proof-of-work difficulty automatically scales so that the proof-of-work (and therefore a new block) can be made every 10 minutes. Every Bitcoin node knows to use the longest blockchain. For an attacker to backdate a transaction N blocks into the past so that it would be before a conflicting transaction, they would have to calculate N proof-of-works, but the while they are computing these proof-of-works, the rest of the miners are on the network are still building the blockchain by creating more proof-of-works. The attacker would have to have more computing power than the entire rest of the miners on the network in order to race them and create a bigger blockchain.

Now to rewind a bit: to actually use this for timestamping files, then you would just want to encode a file (or merkle tree) hash into a transaction in the Bitcoin network. OpenTimestamps is a project for doing this efficiently. (There are other such projects, but OpenTimestamps is much more efficient than most and is made by a Bitcoin developer.) You might be wondering "why involve Bitcoin at all?" and want to extract out its blockchain, but that can't work as Bitcoin's blockchain only works because the miners have a cryptocurrency incentive to contribute, and a blockchain without a significant number of miners like Bitcoin's already has could be easily attacked.

Answer 2

Technically no. But practically, possibly, yes.

Time is an absolute measurement using an agreed standard (UTC, hours, minutes, seconds, etc...). It's a human construct to log a progression of local (cosmically speaking) events against. By its definition, it requires a "witness" to validate, which is the same as saying "authority".

Note: It's very important to consider the application of what you're trying to achieve with a time-like stamp without an "authority". You might have a very specific problem in mind, which might have a specific interesting solution.

Does this mean that there's nothing here to discover/invent? I don't think so. The problem is "time". I suspect, if you remove "time", and step back toward a more universal fundamental of "events", you might have a better chance of achieving your background requirements.

Consider, in a hostage situation, they will ask a hostage to record their plea while holding a current newspaper. Why? So they know the video was recorded very recently. Absolute time is a factor of the proof here, but importantly so are "events". The time is implied by the newspaper edition, the content, and the fact that no one can predict the future (tomorrow's newspaper). This doesn't work in digital timestamping type scenarios of course, but it helps to describe how "events" may be key, not quantum-level events, but most likely more macroscopic events.

Picture of the night sky

Here's a poor, but workable option which shows there may be hope. The planets, constellations, and more have been used for hundreds of years to determine "time". Manuals are required to map such cosmic "events" to our agreed standard of "time".

One could take one or more photos of key features in the night sky, possibly also requiring telescope(s), with superimposed hash value in the image.

There are many other possible schemes for making the night sky, but most (if not all) require a photo. Of course, it's possible to photoshop, so it's not perfect. Also the time precision is relatively low.

Relative events

Going back to "applications" and context. If your purpose was to ensure that you paid money before a package was sent, then it's all relative. It doesn't matter what the time is, you only want to determine which event happened first. This doesn't necessarily require an absolute event reference (space). If you're both in the same room hand over money, and then hand over the package, you see it happen. If you do this from a distance, you need a witness/authority/third-party.

So technically the way we do it currently is for a reason, no other compelling way has been found yet. The same issues compound problems with HTTPS certificates involving revocations list, OCSP stapling, and more.

It's good to step back to analyse the problem in more conceptual abstract ideas to answer such questions.

Answer 3

It is mathematically possible to time stamp against publicly available information. I'm not aware of anyone doing so commercially (notwithstanding Bitcoin and derivatives), but I see no fundamental technical impediment. So we can do something as simple as:--

certificate = SHA256(bit string | public entropy)

where bit string is your document that you want time stamped, and public data is a freely available source of entropy for that particular day. The trick though is not to use physical entropy. That's impossible as entropy is only created by the observer and not the physical process, hence no two measurements of anything physical are 100% identical. The avalanche effect negates this possibility.

You use social entropy. For example the stock market. Every afternoon that the FTSE250 closes, well over 8000 bits of true entropy are created from the individual companies' transactions. (I haven't yet measured entropy generation for any other major index.) That's vastly more than the bits required for any possible contemporary hash. This entropy is well catalogued by many independent institutions and publicly available throughout the world. Simply hash your document against that day's close. The FTSE250 is never closed for more than three days at a time, so your time stamp would have a max. resolution of +/- 1.5 days. Not perfect, but something to consider.

To verify the time stamp, you just simply check a particular day's close and rehash your bit string against it.

Off topic issues (but very important):-

There is an argument to be made that the London Stock Exchange is an authority. Yes, but at some point along the line you have to trust some aspect of society. Or we'll all end up in a Mad Max scenario fighting over the last few cans of tuna. It's incredibly regulated and monitored by thousands of professionals and amateurs. If the FTSE100 /FTSE250 were to be adversely manipulated, your least concern will be whether you can verify your bit stings. Bitcoin or the NIST randomness beacon could easily disappear tomorrow without too much negative effect. Not so a major stock market.

Answer 4

If your definition of Timestamping Authority (TA) is relaxed enough, I can think of a few options, which are not a "remote server" TA. Also this is a very different approach and answer to my other one.

1. If this doesn't need to support thousands of transactions per second, per user; and if it's about proving in court, then you can spend more time on the timestamping process.

1a. You could use one or more chemicals and isotopes and imbue paper with the claim information hashed and printed on that paper. Or something of this nature. Might need those chemicals in the ink which reacts with air.

1b. Or, you could copy the manual legal process: have someone "witness" your timestamp claim. They can physically sign some paper with the claim, or do so with digital signature means.

2. Another approach, which deviates only a very little from your banned TA remote service, is to have a distributed and possibly hierarchical delegation of a trusted third party.

2a. So a post office could officiate with digital means, or perhaps extending 1b, but requiring a hash of claims to be sent back up the hierarchy periodically for ultimate authority.

2b. A portable tamperproof device could be used to delegate the authority. It would accept a hash, and output the timestamped signature. This could be a compact smartcard device, and may have USB interface. It would have a lifetime limited by battery.

3. Trusted peers could be used without a hierarchy of authority. If you have a claim hash, you can ask those who you esteem to timestamp it. If a claim invokes a contract, each party would have their own set of peers to timestamp. If it went to court, those peers would need to inspect the timestamps and testify if they're valid. The more peers, and the greater their trustworthiness the better. But one need not have a "common" trusted third party.

Answer 5

The number of novelty chess positions in a grandmaster quality chess game is a measure of time. It is constantly updated and tracked in chessbase. Such novel position is on its own a proof of work. It can be used to timestamp something.