MIME-Version: 1.0
From: Neiman <neiman.mail@gmail.com>
Date: Mon, 29 Jan 2018 14:34:20 +0100
Message-ID: <CACRYg-4ho-XGK3xUdQW-ny2BFs2O91BuendrxuVYBni4wHrRqw@mail.gmail.com>
To: bitcoin-dev@lists.linuxfoundation.org
Content-Type: multipart/alternative; boundary="001a1143eef4b3fd1e0563ea4d23"
Subject: [bitcoin-dev] How accurate are the Bitcoin timestamps?
Precedence: list

--001a1143eef4b3fd1e0563ea4d23
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

First time posting here, please be gentle.

I'm doing a research project about blockchain timestamping. There are many
such projects, including the fantastic OpenTimestamps.

All of the projects essentially save some data in a block, and rely on the
block timestamp as a proof that this data existed at some specific time.

But how accurate are Bitcoins timestamps?

I didn't find any discussion or research regarding Bitcoin timestamp
accuracy (also not in the history of this mailing list). I share here a
simple analysis of timestamp accuracy, and a suggestion how to improve it.

Basic observations and questions:
-------------------------------------------
*1.* It seems to me that the timestamp is not the time that the block was
created. Ideally, it's the time that the miner started to try to mine the
block. However, as timestamps may also be used as a source of variety for
hashes, the exact meaning of its value is unclear.

If this is true, then there's a strange phenomena to observe in
blockchain.info and blockexplorer.com: the timestamps of blocks equals the
receiving times.

Am I wrong in my understanding, or is there a mistake in those websites?

*2.* Timestamps are not necessary to avoid double-spending. A simple
ordering of blocks is sufficient, so exchanging timestamps with enumeration
would work double-spending wise. Permissioned consensus protocols, such as
hyperledger, indeed have no timestamps (in version 1.0).

As far as I could tell, timestamps are included in Bitcoin's protocol
*only* to adjust the difficulty of PoW.

Direct control of timestamp accuracy:
-----------------------------------------------
The only element in the protocol that I found to control timestamp accuracy
is based on the network time concept.

The Bitcoin protocol defines =E2=80=9Cnetwork time=E2=80=9D for each node. =
The network time
is the median time of the other clients, but only if
    1. there are at least 5 connected, and
    2. the difference between the median time and the nodes own system time
is less than 70 minutes.

Then new blocks are accepted by the peers if their timestamps is
    1. less than the network time plus 2 hours, and
    2. greater than the median timestamp of previous 11 blocks.

The first rule supplies a 2 hour upper bound for timestamp accuracy.

However, the second rule doesn't give a tight lower bound. Actually, no
lower bound is given at all if no assumption is made about the median. If
we assume the median to be accurate enough at some timepoint, then we're
only assured that any future timestamp is no bigger than this specific
median, which is not much information.

Further analysis can be made under different assumptions. For example,
what's the accuracy if holders of 51% of the computational power create
honest timestamps? But unfortunately, I don't see any good reason to work
under such an assumptions.

The second rule cannot be strengthened to be similar to the first one
(i.e., nodes don't accept blocks less than network time minus 2 hours). The
reason is that nodes cannot differentiate if it's a new block with
dishonest timestamp, an old block with an old timestamps (with many other
blocks coming) or simply a new block that took a long time to mine.

Indirect control of timestamps accuracy:
--------------------------------------------------
If we assume that miners have no motive to increase difficulty
artificially, then the PoW adjusting algorithm yields a second mechanism of
accuracy control.

The adjustment rules are given in pow.cpp (bitcoin-core source, version
0.15.1), in the function 'CalculateNextWorkRequired', by the formula (with
some additional adjustments which I omit):

    (old_target* (time_of_last_block_in_2016_blocks_interval -
time_of_first_block_in_2016_blocks_interval) )/time_of_two_weeks

It uses a simple average of block time in the last 2016 blocks. But such
averages ignore any values besides the first and last one in the interval.
Hence, if the difficulty is constant, the following sequence is valid from
both the protocol and the miners incentives point of views:

    1, 2, 3,=E2=80=A6., 2015, 1209600 (time of two weeks), 2017, 2018, 2019=
,=E2=80=A6.,
4031, 1209600*2, 4033, 4044, =E2=80=A6

If we want to be pedantic, the best lower bound for a block timestamp is
the timestamp of the block that closes the adjustment interval in which it
resides.

Possible improvement:
-----------------------------
We may consider exchanging average with standard deviation in the
difficulty adjustment formula. It both better mirrors changes in the hash
power along the interval, and disables the option to manipulate timestamps
without affecting the difficulty.

I'm aware that this change requires a hardfork, and won't happen any time
soon. But does it make sense to add it to a potential future hard fork?

--001a1143eef4b3fd1e0563ea4d23
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">First time posting here, please be gentle.<br><div><br>I&#=
39;m doing a research project about blockchain timestamping. There are many=
 such projects, including the fantastic OpenTimestamps. <br><br>All of the =
projects essentially save some data in a block, and rely on the block times=
tamp as a proof that this data existed at some specific time.<br><br>But ho=
w accurate are Bitcoins timestamps?<br><br>I didn&#39;t find any discussion=
 or research regarding Bitcoin timestamp accuracy (also not in the history =
of this mailing list). I share here a simple analysis of timestamp accuracy=
, and a suggestion how to improve it.<br><br>Basic observations and questio=
ns:<br></div><div>-------------------------------------------<br><b>1.</b> =
It seems to me that the timestamp is not the time that the block was create=
d. Ideally, it&#39;s the time that the miner started to try to mine the blo=
ck. However, as timestamps may also be used as a source of variety for hash=
es, the exact meaning of its value is unclear.<br><br>If this is true, then=
 there&#39;s a strange phenomena to observe in <a href=3D"http://blockchain=
.info">blockchain.info</a> and <a href=3D"http://blockexplorer.com">blockex=
plorer.com</a>: the timestamps of blocks equals the receiving times. <br><b=
r>Am I wrong in my understanding, or is there a mistake in those websites?<=
br><br><b>2.</b> Timestamps are not necessary to avoid double-spending. A s=
imple ordering of blocks is sufficient, so exchanging timestamps with enume=
ration would work double-spending wise. Permissioned consensus protocols, s=
uch as hyperledger, indeed have no timestamps (in version 1.0).<br><br>As f=
ar as I could tell, timestamps are included in Bitcoin&#39;s protocol *only=
* to adjust the difficulty of PoW.<br><br>Direct control of timestamp accur=
acy:<br>-----------------------------------------------<br>The only element=
 in the protocol that I found to control timestamp accuracy is based on the=
 network time concept.<br><br>The Bitcoin protocol defines =E2=80=9Cnetwork=
 time=E2=80=9D for each node. The network time is the median time of the ot=
her clients, but only if<br>=C2=A0=C2=A0=C2=A0 1. there are at least 5 conn=
ected, and<br>=C2=A0=C2=A0=C2=A0 2. the difference between the median time =
and the nodes own system time is less than 70 minutes.<br><br>Then new bloc=
ks are accepted by the peers if their timestamps is<br>=C2=A0=C2=A0=C2=A0 1=
. less than the network time plus 2 hours, and<br>=C2=A0=C2=A0=C2=A0 2. gre=
ater than the median timestamp of previous 11 blocks.<br><br>The first rule=
 supplies a 2 hour upper bound for timestamp accuracy. <br><br>However, the=
 second rule doesn&#39;t give a tight lower bound. Actually, no lower bound=
 is given at all if no assumption is made about the median. If we assume th=
e median to be accurate enough at some timepoint, then we&#39;re only assur=
ed that any future timestamp is no bigger than this specific median, which =
is not much information.<br><br>Further analysis can be made under differen=
t assumptions. For example, what&#39;s the accuracy if holders of 51% of th=
e computational power create honest timestamps? But unfortunately, I don=
9;t see any good reason to work under such an assumptions.<br><br>The secon=
d rule cannot be strengthened to be similar to the first one (i.e., nodes d=
on&#39;t accept blocks less than network time minus 2 hours). The reason is=
 that nodes cannot differentiate if it&#39;s a new block with dishonest tim=
estamp, an old block with an old timestamps (with many other blocks coming)=
 or simply a new block that took a long time to mine. <br><br>Indirect cont=
rol of timestamps accuracy:<br>--------------------------------------------=
------<br>If we assume that miners have no motive to increase difficulty ar=
tificially, then the PoW adjusting algorithm yields a second mechanism of a=
ccuracy control.<br><br>The adjustment rules are given in pow.cpp (bitcoin-=
core source, version 0.15.1), in the function &#39;CalculateNextWorkRequire=
d&#39;, by the formula (with some additional adjustments which I omit):<br>=
<br>=C2=A0=C2=A0=C2=A0 (old_target* (time_of_last_block_in_2016_blocks_inte=
rval - time_of_first_block_in_2016_blocks_interval) )/time_of_two_weeks<br>=
<br>It uses a simple average of block time in the last 2016 blocks. But suc=
h averages ignore any values besides the first and last one in the interval=
. Hence, if the difficulty is constant, the following sequence is valid fro=
m both the protocol and the miners incentives point of views:<br><br>=C2=A0=
=C2=A0=C2=A0 1, 2, 3,=E2=80=A6., 2015, 1209600 (time of two weeks), 2017, 2=
018, 2019,=E2=80=A6., 4031, 1209600*2, 4033, 4044, =E2=80=A6<br><br>If we w=
ant to be pedantic, the best lower bound for a block timestamp is the times=
tamp of the block that closes the adjustment interval in which it resides. =
<br><br>Possible improvement:<br>-----------------------------<br>We may co=
nsider exchanging average with standard deviation in the difficulty adjustm=
ent formula. It both better mirrors changes in the hash power along the int=
erval, and disables the option to manipulate timestamps without affecting t=
he difficulty.<br><br>I&#39;m aware that this change requires a hardfork, a=
nd won&#39;t happen any time soon. But does it make sense to add it to a po=
tential future hard fork?<br></div></div>

--001a1143eef4b3fd1e0563ea4d23--