Let's build a ... clockchain (blockchain + time server) ?
In order to timestamp, I need to have a reliable time from a third party time server. If this server “cheats”, I want to be able to detect it and prove it.
So what can we put in place to make this server accountable ?
What about applying the blockchain concept to timestamping ?
How ?
- The client requests the time by sending a nonce “nonce1” to the time server
- The server gives its current time “time1” and sign this set of data : nonce1 and time1. Signature1 = sign( nonce1, time1 )
- Later, the client perform another request to the same server, this time, the client build its nonce "nonce2" such as nonce2 = hash( a random string, time1, signature1 )
- The server answers with its current time "time2" and sign this set of data : nonce2 and time2. Signature2 = sign( nonce2, time2 )
In this example, to simplify the explanation, the client requests the same server, but in reality, the client would requests different servers.
Imagine this sequence of timestamps given by 4 different servers :
- Server A : 2019-04-10 11:40:34
- Server B : 2019-04-10 11:44:12
- Server C : 2019-04-10 10:45:42
- Server D : 2019-04-10 11:46:51
We can see that the server C has given an inconsistent time and we can even prove it thanks to its signature of our linked nonces.
In conclusion, with this protocol, the client is able to prove cryptographically that a server behaved maliciously.
If you want to know more, take a look at Google’s Roughtime protocol (https://roughtime.googlesource.com/roughtime)