Timestamping service

Verifiable proof of knowledge at a certain time

Published September 21, 2019Updated October 24, 2020

Bitcoin is an extremely important innovation, but not in the way most people think. Bitcoin’s real innovation is a globally verifiable proof publishing at a certain time. The whole system is built on that concept and many other systems can also be built on it. The blockchain nails down history, breaking Orwell’s dictum of “He who controls the present controls the past and he who controls the past controls the future.”
Julian Assange, Sep 16, 2014

In How do cryptocurrencies work? we saw that cryptocurrencies work by preventing double spending coins, and the system chooses one of two potentially valid transactions. While doing so it also creates an order between blocks and transactions, which can be used as the basis for a decentralized timestamping service.

What is a timestamping service?

A timestamping service offers proof that a message or document existed at a certain time with certain contents. The idea of timestamping information is according to Wikipedia centuries old, dating back to at least the 17^th century.

A modern example is the Wayback Machine, a service which allows you to see how a certain website looked at a certain time. A bit like traveling back in time, but with your web-browser instead of a DeLorean.

Let’s travel back in time and look at the site Hacker News, a tech oriented site where you can discuss news stores. I’ve lost a lot of time on the site reading insightful comments or getting upset at other less insightful comments.

1.	▲	Natalie Portman - Scientist (nytimes.com)
		100 points by mhb 2 hours ago \| 43 comments
2.	▲	Matt Blaze: How ACM and IEEE Shake Down Science (crypto.com)
		50 points by alterego 2 hours ago \| 9 comments
3.	▲	The Redis Manifesto (antirez.com)
		116 points by tednaleid 2 hours ago \| 14 comments

The top three stories on Hacker News on Mars 1st, 2011 according to the Wayback Machine.
I tried to reproduce the site appearance, but it’s not pixel perfect.

As long as we can trust the Wayback Machine (and I do consider them generally trustworthy) we can be fairly sure this is correct. Letting a trusted party like the Wayback Machine handle timestamping, called trusted timestamping, is a solved problem with different kinds of standards but—as the name implies—there’s always the caveat of requiring a trusted party to verify the timestamps.

Usage examples

What is a timestamping service useful for? Here are some examples:

Proof of invention
Surprisingly often in history a discovery happens independently and at around the same time. What if you come up with an idea or an invention and you didn’t want to reveal it yet but still wanted to claim priority?
You would use timestamping. For example Robert Hook used it in 1660 when discovering Hooke’s law by publishing the anagram ceiiinosssttuv and later published the translation ut tensio sic vis (latin for “as is the extension, so is the force”).
Interestingly if you search for “ceiiinosssttuv” on Wikipedia you’ll be redirected to Hooke’s law, without an explanation why.
Testaments
If you’re someone who likes to write testaments maybe you want to update the one you have. But after you die, how will people tell which is the newest? Sure you can write a date on the paper, but that can be altered by people who want the more beneficial one to be valid.
The solution is to use a timestamping service. If you use one based on a cryptocurrency there’s no possibility of altering the dates, not even by your lawyer.
Of course the lawyer might try to forge your testament completely. If that’s a worry you might want to sign your testament digitally, and make sure everyone has your key so they can themselves verify the validity of the document (strongly consider distributing a how-to document as well).
Proving discovery of software bugs
What if you’ve discovered a major software bug and want to disclose it anonymously, but still want the ability to prove you were the one who found it? Later in the chapter we’ll go into details of how the discoverer of one of the most catastrophic bugs in Bitcoin ever accomplished this using timestamping.

Decentralized timestamping

With cryptocurrencies it’s possible to do away with the trusted party requirement and offer a decentralized timestamping service. We know that there’s no single trusted party that manages a cryptocurrency and instead many cooperate and reach consensus together. Therefore we only need to decide how to embed verifiable data and timestamps into a cryptocurrency:

Prepare data
Because we might want to reveal our message at a later date we don’t want to store the message in the clear. We can use an anagram like Robert Hook used, some kind of encryption with a key or a hash function to obfuscate the message.
After we have the obfuscated message we want to verify we can embed it into a cryptocurrency.
Retrieve timestamps
Transactions in an older block are older, transactions in a newer block are newer and transactions in the same block occur at the same time.¹ You can observe, in a decentralized way, when a block with your transaction is created and use that as your message timestamp.
The blocks themselves don’t contain a trustworthy timestamp,² but we can use the many different nodes observing the network to create an estimation. This could for example be the timestamps recorded by two nodes:
Block number Node #1 Node #2
#1001 2019-09-14 10:01 2019-09-14 10:01
#1002 2019-09-14 10:15 2019-09-14 10:27
...
#1007 2019-09-14 11:07 2019-09-14 11:08

A couple of blocks and their observed timestamps by two different nodes.
Blocks 1003–1006 are omitted.
Here we see that the timestamps differ, at most by 12 minutes. Although not visible in the table the nodes tell us that blocks 1003–1006 happened some time between 10:15 and 11:08. We cannot be sure down to seconds or minutes, but it gives a good estimate if we’re only interested in an hourly or daily timestamp.³
¹A blockchain creates a partial order between transactions where there’s no order between transactions in the same block.
²There is actually a timestamp in a block that the miner who creates the block can set themselves—with some constraints. If we blindly trust that timestamp we put our trust in that miner.
Using the time different nodes received the block is a more decentralized approach, but trusting the miner is probably good enough for most practical examples because the timestamp cannot diff too much. As more blocks are built on top by other miners we can be sure that the timestamp is reasonably correct.
³In practice well connected nodes (with up to date clocks) will display a small time difference because blocks usually travel quickly through the network. A 12 minute time difference is extremely unlikely and unwanted, I only used it as an illustrative example.
The network requires that blocks travel between miners quickly otherwise it increases the risk for forks or hurts smaller miners disproportionally.

Block number	Node #1	Node #2
#1001	2019-09-14 10:01	2019-09-14 10:01
#1002	2019-09-14 10:15	2019-09-14 10:27
...
#1007	2019-09-14 11:07	2019-09-14 11:08

This way we have the basis for a decentralized timestamping service. Insert an obfuscated message in a transaction and afterwards you can reveal the message and use the creation time of the block the transaction is included in as your timestamp. Also comparing two messages to find which the oldest is very simple: just check which block came first—there’s no need to look at a timestamp.

It’s much easier to use (I’ll go through an example step-by-step at the end of the chapter) compared to getting your message included in a publication like Hook did. You also don’t have to trust a timestamping service—the solution is fully opaque and you can verify it yourself.

A real-life example

One of the most catastrophic bugs in recent years, CVE-2018–17144, which if left unpatched would allow an attacker to print an unlimited amount of Bitcoin. It was found and disclosed by someone who at least initially wanted to stay anonymous, but he wanted the ability to prove he was the one who found it.

Therefore he decided to create this message:

BitcoinABC does not check for duplicate inputs when processing a block,
only when inserting a transaction into the mempool.

This is dangerous as blocks can be generated with duplicate transactions
and then sent through e.g. compact block missing transactions and avoid
hitting the mempool, creating money out of thin air.

/u/awemany

Which has the SHA-256 hash:

5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6

And inserted it into the BTC blockchain using a timestamping service. See “Advanced Verification” on the website to find the hash and see the explanation of hash functions for why the hash is enough.

This proves that reddit user awemany had knowledge of the inflation bug before it was disclosed and therefore that he was the one who found it.

Please read his writeup of how he found the bug and the related discussion on reddit for more info.

We can do it ourselves

The previous example used a timestamping service which did the conversions for us, but it’s actually easy to do everything ourselves.

Let’s say we want to obscure and timestamp the message Hook used:

as is the extension, so is the force

Let’s now encode and timestamp it using the Bitcoin Cash blockchain:

Encode the message using SHA-256
On Linux we can run the command:
```
echo -n "as is the extension, so is the force" | sha256sum
```
Giving us the SHA-256 hash:
```
dab965bb19823669b8481846b9672c694a9af1b808314956b43154a0472942d8
```
I’m sure you can find a tool for Windows if you search for it. Be sure to exclude the newline (which the -n flag is for). You can also find websites for it, but don’t use them if the message is sensitive.
Insert it in a transaction using OP_RETURN
For this step you need a wallet capable of creating a transaction with a custom OP_RETURN field, I used the desktop version of Electron Cash 4.0.14 and enabled the OP_RETURN field in settings. You need to have enough money to pay a small fee and use a small amount to transfer.
Custom OP_RETURN using Electron Cash.
We can double-check the transaction on a blockexplorer, such as Blockchair, to see that the OP_RETURN value matches our SHA-256 hash (look for the decoded OP_RETURN field).
My transaction transferred around $0.05 with a $0.0008 fee. It might even be possible to transfer zero coins—as long as you pay the transaction fee—but the wallet I used had a minimum transaction limit.
Blockchair includes the prefix “j@” in the decoded OP_RETURN field while other blockexplorers I checked don’t. It’s the encoding (64) Electron Cash inserted into the transaction and isn’t part of our hash.

With that our timestamp is prepared and nobody can see our original message, only the SHA-256 hash. When we’re ready to reveal our message to the world, all we have to do is show everyone the message and how to verify the timestamp:

Locate the hash in the blockchain
It’s probably easiest if we point out which transaction we’ve included our hash in. This is the txid:
```
586783e17fadace136365490fd83ba59390ca55e7205ee74fbc7db2daa012ad3
```
Here’s the same transaction using another blockexplorer.
Verify the SHA-256 hash
The message should encode to the the same hash that’s included in the blockchain.
Lookup the timestamp
According to Blockchair the transaction was included in a block mined 20:17 September 15, 2019 (UTC). Verifying the timestamp with other blockexplorers or full nodes is left as an exercise to the reader, just be cautious of timezone differences.

We now have a trusted timestamp for our message, backed by math instead of trust.