[Idea] Use Block Chain as a distributed digital time stamp service

[jerfelix]

What do you guys think of this idea?

Using Bitcoin as a Decentralized Digital Time Stamp Service.
This has been kicked around a few times in other forum posts (like here and here as just a couple of examples). But I think I have an implementation proposal that may be original.


Background on Digital Time Stamps  (skip or skim if you know this):

The problem that would be solved is this:  You have created some digital work (perhaps a photograph, an MP3, or a signed contract, or a word document, or a scanned document).  You want to be able to prove that it existed prior to some date.

The old fashioned way to accomplish this would be to snail-mail it to yourself in a sealed envelope, and use the postmark as your proof.

A newer technique is to use a digital time stamp service such as digistamp.  Digital time stamping Protocol is described in rfc 3161.

Costs to time stamp something can range from about 40 cents for quantity of one, down to about 4 cents or less, at higher quantities.


Proposed Bitcoin solution:

If you have a digital file that you wish to time stamp, perform the following steps:
1) calculate a digital hash of the file, to generate a unique Bitcoin Address
2) pay that address some very small amount of Bitcoins (somewhere between .00000001 and .01 BTC, along with the appropriate transaction fee).

This payment would effectively be destroyed, as the likelihood that anyone has that address in their wallet would be extremely small.  The value of everyone else's Bitcoins would rise ever so slightly (as supply would be reduced), which should make many of you happy.  There's no extra burden on the Bitcoin system (as would be if you stuck additional information in the transaction record).  The only burden would be a small transaction, which would be funded by the transaction fee.


To defend your claim of the time stamp, you'd simply need to show that the digital hash (fingerprint) of the file equals the address that the coins were sent to. 

To prove that you "own" the digital file (if necessary), you'd simply need to show that you are in control of the sending Bitcoin address (so you'd need to save your wallet file).  This claim would obviously not be as strong as the timestamp claim, as you could have stolen the wallet file.


Pros and Cons:

When compared to other digital time stamp services, this can be much cheaper.  It is decentralized.  But it is not RFC 3161 compliant.  And it wastes/destroys small amounts of Bitcoins.



Any comments?  Any ideas for improvement?

[1713891460]

1713891460

[1713891460]

1713891460

[1713891460]

1713891460

[realnowhereman]

I wonder: does bitcoin accept transactions with zero outputs?

If that is so, then you could simply create a transaction with 0.01 in and 0.00 out (to your file-hash address).  Miners would be keen to take it because they can have the whole of the 0.01 as a transaction fee.

The advantage in this case is that no coins are lost; they go to the miner.

Edit:

Also: you don't need to show you are in control of the sending address.  The receiving address (which is the hash of the content you are timestamping) being present in the chain shows that that content existed at that time.

The sending address doesn't prove anything other than you were the person to request the timestamp.  It certainly doesn't prove ownership.

[JoelKatz]

Just use the hash of the document as the secret key. Transfer .01 bitcoins to the corresponding public key's address and then transfer those .01 bitcoins back to you. To prove the signature, hash the document, calculate the corresponding public key, hash that, then show that appears in the chain.

It now takes two transactions, but it's free.

[jerfelix]

The sending address doesn't prove anything other than you were the person to request the timestamp.  It certainly doesn't prove ownership.

I meant "ownership" in the sense of possession, not in the sense of exclusive rights.  So I think we're in agreement on that point - I just worded it poorly.  At a later date, you can prove that you have the wallet of the person that possessed the digital document at the time of the time-stamp.

Just use the hash of the document as the secret key. Transfer .01 bitcoins to the corresponding public key's address and then transfer those .01 bitcoins back to you. To prove the signature, hash the document, calculate the corresponding public key, hash that, then show that appears in the chain.

It now takes two transactions, but it's free.

This sounds better than my idea.  Any downside to this?

[JoelKatz]

This sounds better than my idea.  Any downside to this?

Two downsides. First, the verification process is more complex. Second, two transactions are needed instead of one. You can commit any number of hashes, within reason, in a single transaction pair though. (Fees might apply if it's more than 5 or so.)

[MoonShadow]

Digital timestamping of external documents could be achieved using the (not yet implemented) transaction scripting mechanism.  Using zero value inputs or outputs is not necessary, simply send money from yourself to another address that you control, less the transaction fee required for the script (which will never be free, it costs miner's cpu time that regular transactions do not).  If you want to see scripting happen, join the development team.  It will be able to do much more than digital timestamping.

[realnowhereman]

I should say that, while it's great that the Bitcoin technology can be used for this sort of thing, we shouldn't be encouraging the pollution of the blockchain with non-financial features.

If there were a demand for it; then an independent timestamping chain could be set up.  There was a thread a month or so ago on here describing how to make non-polluting chains piggy back on the bitcoin block chain.

One easy simplification would be for one timestamping server to create a document that was a list of document hashes; so everyone who wanted something timestamping writes their hash in a list.  Then that one document's hash would be fed in and out of the blockchain using the method described above.  Magic.  As many documents as you like all timestamped at once for the price of two transactions.

[jerfelix]

I should say that, while it's great that the Bitcoin technology can be used for this sort of thing, we shouldn't be encouraging the pollution of the blockchain with non-financial features.

If there were a demand for it; then an independent timestamping chain could be set up.  There was a thread a month or so ago on here describing how to make non-polluting chains piggy back on the bitcoin block chain.

One easy simplification would be for one timestamping server to create a document that was a list of document hashes; so everyone who wanted something timestamping writes their hash in a list.  Then that one document's hash would be fed in and out of the blockchain using the method described above.  Magic.  As many documents as you like all timestamped at once for the price of two transactions.

But the way I described it, it WOULD be a financial transaction.  And the anti-spam features (minimal transaction fee) would actually help to fund the block verifications of the financial system.

Generally, I have a belief that seems to be the polar opposite of you - that we should be encouraging usage of the system in any way possible.  We can't anticipate all the ways that the block-chain system will be used, and the "system" will adapt (through coding changes, increased fees, usage changes) to accommodate the clever uses that "the market" determines are of value.  Most other systems seem to work that way.

An analogy would be SMS messages, which were originally designed to "transport messages on the signaling paths needed to control the telephony traffic" but the value of them for text messaging has far surpassed the original intent of the system, and the systems adapted to handle this unanticipated demand!

[realnowhereman]

It's not really financial though is it?  You're just using the financial system to timestamp something.  Using the two transaction idea, would mean you end up with exactly the same money.

My point is that if thousands of people started doing this, it would fill up the chain very quickly.  Adding to the (already pretty large) space requirements.

I'm not discouraging the use of a block chain system; just discouraging the use of the bitcoin chain for non-bitcoin purposes.

The problem is that timestamping files is not the only use; there are many excellent ideas - namecoin, voting systems, timestamps, inter-exchange lending, option markets, bond markets.  The list is endless.

If we start pushing all of them into the same chain, it will become rapidly unwieldy, and we've spread the costs of unrelated systems between all users of all systems.  Why should a miner who isn't interested in timestamping have to carry transactions to do with timestamping; or voting, or whatever?

Every byte in the blockchain has a cost; and it will distort the price of bitcoin transactions if you force the chain to hold the Women's auxilliary guild annual general meeting treasurer vote as well.

[JoelKatz]

If we start pushing all of them into the same chain, it will become rapidly unwieldy, and we've spread the costs of unrelated systems between all users of all systems.  Why should a miner who isn't interested in timestamping have to carry transactions to do with timestamping; or voting, or whatever?

Every byte in the blockchain has a cost; and it will distort the price of bitcoin transactions if you force the chain to hold the Women's auxilliary guild annual general meeting treasurer vote as well.

I think you focus on the downside and miss the upside. Every single one of these things is more robust and secure together than they would be alone. The more processing power going to extend a hash chain, the harder it is to attack that hash chain by accumulating 51% of the power. If all of these things are in the same chain, someone would need the computing power to attack all of them just to attack one of them. If that power is divided over a dozen projects, it becomes much easier.

That kind of gives me an idea for a project -- a generic hash chain system using proof of work just like bitcoin, but that include any data just by keeping its hash. So it can include all of those things. By analogy, you can mine bitcoins without ever seeing a transaction, they just keep a hash -- today's miners typically do just that. If the hash chain included many projects you could keep just a hash of each one. For projects you are interested in, you could keep the transactions data.

This can be incorporated without damage into the existing bitcoin system. Nodes in the timestamp chain, for example, can be included as nothing but transactions in the bitcoin chain (including only their hash). The real underlying transactions themselves need never be seen by the bitcoin system.

[jerfelix]

Every byte in the blockchain has a cost; and it will distort the price of bitcoin transactions if you force the chain to hold the Women's auxilliary guild annual general meeting treasurer vote as well.

Presumably every byte in the blockchain has a benefit as well.  And also potentially a payment which exceeds the cost.

It seems challenging to encourage other uses, because of the current paradigm that every participant in the network needs to receive and analyze every byte in every block.  This is true in the current implementation, but this implementation is unlikely to be able to handle all of the financial transactions, much less everything else, if/when Bitcoin becomes popular.   (Look at the difficulties of Android-Bitcoin apps, and their need to download the entire blockchain and stay up to date.  We're only on year 3 of Bitcoin, and the transaction volume is presumably a tiny fraction of where we'd like it to be.  One ten-thousandth?)

Handling the Woman's auxiliary guild annual general meeting treasurer vote (for a fee) will only serve to advance the usage of the Block Chain and accelerate the technology such that more people are dependent on the Block Chain, so more developers will work on improving the scalability.

In summary, funded valuable uses of the Block chain which include transaction fees will advance the popularity of, and dependency on Bitcoin, which will encourage further development and solutions to the scaling problem.  It will actually *financially* encourage development, because the people collecting fees will benefit directly with a more scalable architecture.

PS, I'm voting for Thelma Taylor for treasurer.  Check Blockexplorer.com to verify.

[nealmcb]

I just ran across a formal paper expanding on this idea, complete with a salt, a threat model etc.  See their demo and abstract submitted to
 FC'12 : Financial Cryptography 2012
 http://fc12.ifca.ai/:

Jeremy Clark & Aleks Essex -a demonstration of a simplified version of CommitCoin
 http://people.scs.carleton.ca/~clark/commitcoin/

CommitCoin: Commitments with Temporal Dispute Resolution using Bitcoin
 http://people.scs.carleton.ca/~clark/commitcoin/abstract.pdf

and the commitment itself:

 http://blockexplorer.com/tx/2993c284f0b6838386ddd286af415384560d93cc4e27d25087fd6534f8e0d276

I agree that it is probably better to mix various uses in one block chain which can then be optimized, rather than trying to establish and defend multiple block chains for different purposes.

[Flow]

I wonder if it would be feasible to include the hash to timestamp in the input and not in the output.

Let's assume we would change scriptSig to

timestampScriptSig: <hashToTimestmap> <sig> <pubKey>

and under the conditions that
1. The so modified input is still able to claim the output

and optional these nice to have features
2. <sig> ideally also signs the <hashToTimestamp>
3. the output can be empty (i.e. the whole BTC input amount is the transaction fee)

This would come with the following advantages: It does not burn any bitcoins. The transaction fee is an incentive for miners to include the transaction. And finally: You only need one transaction.

Can anyone comment if it's possible that <sig> also signs <hashToTimestamp> (maybe with OP_CODESEPARATOR)? Is a transaction containing timestampScriptSig a valid transaction with bitcoin 0.8.3? Would it, together with <hashToTimestamp>, be included in the blockchain?

[samson]

I have a feeling that hash based calendar chains and some kind of Keyless Signature Infrastructure (KSI) might have an impact on future developments in the world of Crypto.

I posted to this old thread as I believe the relevance of this kind of technology will increase in the coming year or so and occasionally it's worth looking into older ideas with fresh eyes and hindsight in the ever evolving environment that we are experiencing today.