Bitcoin is an extremely important innovation, but not in the way most people think. Bitcoin’s real innovation is a globally verifiable proof publishing at a certain time. The whole system is built on that concept and many other systems can also be built on it. The blockchain nails down history, breaking Orwell’s dictum of “He who controls the present controls the past and he who controls the past controls the future.”
In How do cryptocurrencies work? we saw that cryptocurrencies work by preventing double spending coins, and the system chooses one of two potentially valid transactions. While doing so it also creates an order between blocks and transactions, which can be used as the basis for a decentralized timestamping service.
What is a timestamping service?
A timestamping service offers proof that a message or document existed at a certain time with certain contents. The idea of timestamping information is according to Wikipedia centuries old, dating back to at least the 17th century.
A modern example is the Wayback Machine, a service which allows you to see how a certain website looked at a certain time. A bit like traveling back in time, but with your web-browser instead of a DeLorean.1
Let’s travel back in time and look at the site Hacker News, a tech oriented site where you can discuss news stores. I’ve lost a lot of time on the site reading insightful comments or getting upset at other less insightful comments.2
|1.||▲||Natalie Portman - Scientist (nytimes.com)|
|100 points by mhb 2 hours ago | 43 comments|
|2.||▲||Matt Blaze: How ACM and IEEE Shake Down Science (crypto.com)|
|50 points by alterego 2 hours ago | 9 comments|
|3.||▲||The Redis Manifesto (antirez.com)|
|116 points by tednaleid 2 hours ago | 14 comments|
I tried to reproduce the site appearance, but it’s not pixel perfect.
As long as we can trust the Wayback Machine (and I do consider them generally trustworthy) we can be fairly sure this is correct. Letting a trusted party like the Wayback Machine handle timestamping, called trusted timestamping, is a solved problem with different kinds of standards but—as the name implies—there’s always the caveat of requiring a trusted party to verify the timestamps.
2I wanted to use a story of Bitcoin as an example, but they never got any traction that early on.
Interestingly enough Hacker News is full of people extremely skeptical of cryptocurrencies, who often comment that cryptocurrencies don’t have a single legal use-case. This skepticism and misunderstanding, even from highly technical people, was one of the reasons I started writing this book.
What is a timestamping service useful for? Here are some examples:
Proof of invention.
Surprisingly often history a discovery happens independently and at around the same time. What if you come up with an idea or an invention and you didn’t want to reveal it yet but still wanted to claim priority?
You would use timestamping. For example Robert Hook used it in 1660 when discovering Hooke’s law by publishing the anagram ceiiinosssttuv and later published the translation ut tensio sic vis (latin for “as is the extension, so is the force”).3
If you’re someone who likes to write testaments maybe you want to update the one you have. But after you die, how will people tell which is the newest? Sure you can write a date on the paper, but that can be altered by people who want a more beneficial one to be valid.
The solution is to use a timestamping service. If you use one based on a cryptocurrency there’s no possibility of altering the dates, not even by your lawyer.4
Proving discovery of software bugs.
What if you’ve discovered a major software bug and want to disclose it anonymously, but still want the ability to prove you were the one who found it? Later in the chapter we’ll go into details of how the discoverer of one of the most catastrophic bugs in Bitcoin ever accomplished this using timestamping.
With cryptocurrencies it’s possible to do away with the trusted party requirement and offer a decentralized timestamping service. We know that there’s no single trusted party that manages a cryptocurrency and instead many cooperate and reach consensus together. Therefore we only need to decide how to embed verifiable data and timestamps into a cryptocurrency:
Because we might want to reveal our message at a later date we don’t want to store the message in the clear. We can use an anagram like Robert Hook used, some kind of encryption with a key or a hash function to obfuscate the message.
After we have the obfuscated message we want to verify we can embed it into a cryptocurrency.
Transactions in an older block are older, transactions in a newer block are newer and transactions in the same block occur at the same time.5 You can observe, in a decentralized way, when a block with your transaction is created and use that as your message timestamp.
The blocks themselves don’t contain a trustworthy timestamp,6 but we can use the many different nodes observing the network to create an estimation. This could for example be the timestamps recorded by two nodes:
Block number Node #1 Node #2 #1001 2019-09-14 10:01 2019-09-14 10:01 #1002 2019-09-14 10:15 2019-09-14 10:27 ... #1007 2019-09-14 11:07 2019-09-14 11:08 A couple of blocks and their observed timestamps by two different nodes.
Blocks 1003–1006 are omitted.
Here we see that the timestamps differ, at most by 12 minutes. Although not visible in the table the nodes tell us that blocks 1003–1006 happened some time between 10:15 and 11:08. We cannot be sure down to seconds or minutes, but it gives a good estimate if we’re only interested in an hourly or daily timestamp.75A blockchain creates a partial order between transactions where there’s no order between transactions in the same block.6There is actually a timestamp in a block which the miner who creates the block can set themselves, with some constraints. If we blindly trust that timestamp we essentially trust that one miner. Using the time different nodes received the block is a more decentralized approach, but trusting the miner is probably good enough for most practical examples. As more blocks are built on top by other miners we can be sure that the timestamp is reasonably correct.
7In practice well connected nodes (with up to date clocks) will display a small time difference because blocks usually travel quickly through the network. A 12 minute time difference is extremely unlikely and unwanted, I only used it as an illustrative example.
The network requires that blocks travel between miners quickly otherwise it increases the risk for forks or hurt smaller miners disproportionally.
This way we have the basis for a decentralized timestamping service. Insert an obfuscated message in a transaction and afterwards you can reveal the message and use the creation time of the block the transaction is included in as your timestamp. Also comparing two messages to find which the oldest is very simple: just check which block came first, there’s no need to look at a timestamp.
It’s much easier to use (I’ll go through an example step-by-step at the end of the chapter) compared to getting your message included in a publication like Hook did. You also don’t have to trust a timestamping service—the solution is fully opaque and you can verify it yourself.
A real-life example
One of the most catastrophic bugs in recent years, CVE-2018–17144, which if left unpatched would allow an attacker to print an unlimited amount of Bitcoin. It was found and disclosed by someone who at least initially wanted to stay anonymous, but he wanted the ability to prove he was the one who found it.
Therefore he decided to create this message:
BitcoinABC does not check for duplicate inputs when processing a block, only when inserting a transaction into the mempool. This is dangerous as blocks can be generated with duplicate transactions and then sent through e.g. compact block missing transactions and avoid hitting the mempool, creating money out of thin air. /u/awemany
Which has the SHA-256 hash:
And inserted it into the BTC blockchain using a timestamping service. See “Advanced Verification” on the website to find the hash and see the explanation of hash functions in the appendix for why the hash is enough.
This proves that reddit user awemany had knowledge of the inflation bug before it was disclosed and therefore that he was the one who found it.8
Please read his writeup of how he found the bug and the related discussion on reddit for more info.
We can do it ourselves
The previous example used a timestamping service which did the conversions for us, but it’s actually easy to do everything ourselves.
Let’s say we want to obscure and timestamp the message Hook used:
as is the extension, so is the force
Let’s now encode and timestamp it using the Bitcoin Cash blockchain:
Encode the message using SHA-256.
On Linux we can run the command:9
echo -n "as is the extension, so is the force" | sha256sum
Giving us the SHA-256 hash:
dab965bb19823669b8481846b9672c694a9af1b808314956b43154a0472942d89I’m sure you can find a tool for Windows if you search for it. Be sure to exclude the newline (which the -n flag is for). You can also find websites for it, but don’t use them if the message is sensitive.
Insert it in a transaction using OP_RETURN.
For this step you need a wallet capable of creating a transaction with a custom OP_RETURN field, I used the desktop version of Electron Cash and enabled the OP_RETURN field in settings. You need to have enough money to pay a small fee and use a small amount to transfer.10
We can double-check the transaction on a blockexplorer, such as Blockchair, to see that the OP_RETURN value matches our SHA-256 hash (look for the decoded OP_RETURN field).1110My transaction transferred around $0.05 with a $0.0008 fee. It might even be possible to transfer zero coins—as long as you pay the transaction fee—but the wallets I used had a minimum transaction limit.11Blockchair includes the prefix “j@” in the decoded OP_RETURN field while other blockexplorers I checked don’t. It’s the encoding (64) Electron Cash inserted into the transaction and isn’t part of our hash.
With that our timestamp is prepared and nobody can see our original message, only the SHA-256 hash. When we’re ready to reveal our message to the world, all we have to do is show everyone the message and how to verify the timestamp:
Locate the hash in the blockchain.
It’s probably easiest if we point out which transaction we’ve included our hash in. Here’s the same transaction using another blockexplorer.
Verify the SHA-256 hash.
The message should encode to the the same hash that’s included in the blockchain.
Lookup the timestamp.
According to Blockchair the transaction was included in a block mined 20:17 September 15, 2019 (UTC). Verifying the timestamp with other blockexplorers or full nodes is left as an exercise to the reader, just be cautious of timezone differences.
We now have a trusted timestamp for our message, backed by math instead of trust.