17

I have some files (e.g. of 10MB in size, think of it as a paper, an article, a photo, etc), and want to permanently prove that "at 2022.05.24, I already come up with such a file with such content".

So, is it possible to be done via bitcoin? My very naive thought is that, transferring some bitcoin with "attachment" being the hash of my file. Then, since this money transfer record is permanently unmodifiable and visible to everyone, I prove that I have it at this time.

In addition, can this be evidence in, for example, courts?

I am new to blockchain/bitcoin so I am not sure whether this thought is reasonable or not. Thanks for any suggestions!

Murch
ch271828n
  • 5
    "In addition, can this be evidence in, for example, courts?" might be better asked on law.SE . – Brian May 24 '22 at 15:49
  • 1
    You can also (ab)use Certificate Transparency logs for this purpose without involving Bitcoin or any other cryptocurrency. – R.. GitHub STOP HELPING ICE May 25 '22 at 13:06
  • @R..GitHubSTOPHELPINGICE Could you please elaborate it a bit more? – ch271828n May 25 '22 at 13:33
  • @R.. There might be many alternative ways of creating the evidence the OP desires; I am not sure how that is relevant here. – Brian Drake May 25 '22 at 13:37
  • The title and question body are inconsistent. Do you only want to prove that the file exists (that is, *someone* had the file) at the relevant time? Or do you want to prove that *you* had the file at that time? It seems that the former is much easier than the latter. – Brian Drake May 25 '22 at 13:39
  • @ch271828n: Just by arranging for the hash you want recorded to be present in the CSR submitted to Let's Encrypt or whatever ACME provider you use. Then it gets recorded in one or more append-only ledgers as required by policy for CAs. – R.. GitHub STOP HELPING ICE May 25 '22 at 13:46
  • For the purpose of courts, wouldn't something like mailing yourself the hash (or even a disk/usb stick containing the file in question) be sufficient/better/cheaper? – Dan M. May 25 '22 at 13:50
  • @BrianDrake I guess the former is enough. The data has identity in it, consider it like an article with author's name and id. Thus, as long as I can prove this file content exists, I also show the article is by this author (me). – ch271828n May 25 '22 at 14:32
  • @R..GitHubSTOPHELPINGICE Looks interesting (and not using bitcoin) – ch271828n May 25 '22 at 14:33
  • 1
    @DanM. Well, then how can I prove the mail is not fake, e.g. Outlook/Gmail/... create a fake mail at that time? For USB stick, I even cannot prove the file is created at that time. – ch271828n May 25 '22 at 14:34
  • @ch271828n: Indeed, and even methods like relying on "$mailprovider's DKIM keys signed the mail attesting that they saw it at the time" are not valid because DKIM keys often leak after their validity expires (and many folks even propose intentionally leaking them after validity expires so that they don't create unwanted nonrepudiation properties). – R.. GitHub STOP HELPING ICE May 25 '22 at 14:43
  • 1
    Easy way to do it with CT logs: just bring up a https site for "$hash.$yourdomain" with a configuration that auto-deploys Let's Encrypt, and the hash will be permanently recorded in an append-only ledger (attesting to the time/sequence in which it was published) by virtue of being the hostname for which a certificate was issued. – R.. GitHub STOP HELPING ICE May 25 '22 at 14:45
  • Why not just get a notary? Well established authority in courts. – frеdsbend May 25 '22 at 23:07
  • Can you see that "… already come up with…" inarguably proves, you need a better translator? Do you doubt that matters? Can you say how or why this is about Bitcoin, specifically? How would a Bitcoin transfer allow you to attach files that a standard bank transfer would not? Why ask about evidence in, for example, courts, when everyone else knows that courts are the obvious, over-riding example? How could what works in court, not work anywhere else? – Robbie Goodwin May 25 '22 at 23:08
  • You may want to google for "timestamp server". Such services, based on cryptographic signatures, have existed for many years and there's a lot written about them. The variant you're suggesting is a way to make sure the record of the timestamping is public and permanent - an improvement (depending on your use case) from depending on a privately operated timestamp server to persist. – davidbak May 26 '22 at 16:42
  • You might have, but not with that wording. I suggest any court would "ask" you to find a (much) better translator. Can you re-phrase "… use Bitcoin to permanently prove that 'there exists a file with content at this point of time' " at least three ways, or see that no court will accept your argument? – Robbie Goodwin May 27 '22 at 00:56

6 Answers

29

Embedding arbitrary data in the Bitcoin blockchain is possible with the use of an OP_RETURN output. If you embed a hash of your file this way, it will prove its existence at that point in time, for as long as Bitcoin exists and its timestamps can be trusted. Note that block timestamps in Bitcoin can theoretically be up to 2 hours different from real time.

However, embedding a hash of a single file in a transaction is wasteful. Using a Merkle tree, you can timestamp thousands or millions of files at the same time, and still use only one transaction. The OpenTimestamps project creates an open standard for exactly that and lists several so-called "calendar servers" that allow you to create a trusted timestamp for free (they rely on donations to cover transaction fees and other expenses).

Example OpenTimestamps transaction: f1127bd52c1fe4894134379403f4dc7287018fc4f1361c3ce01a554ae6995f9c

Vojtěch Strnad
  • 8
    the only thing he can prove is that statement "the transaction submitter created a hash around time t". Not that he actually has the message that generated that hash. And even less that that message was in fact, a file on a filesystem at any point. – v.oddou May 24 '22 at 13:58
  • 1
    @v.oddou The hash is good enough. – fraxinus May 24 '22 at 14:14
  • 10
    @v.oddou Not sure what you're getting at there.... are you saying that someone could report a hash, and then later do a preimage attack to simulate the original existence of the file? – Sneftel May 24 '22 at 14:14
  • @Sneftel well yes, but the fact that this is hard makes it an acceptable solution for that case. My point wasn't for the case where we query the system with valid queries. The point was as long as there is no query, anybody can just put some random hashes in there and pretend they "have files" when in fact they have nothing. – v.oddou May 24 '22 at 14:31
  • @v.oddou Putting "some random hashes" into the blockchain is no use when there are potentially 2^256 valid SHA-256 hashes. This is no better than a preimage attack. – Vojtěch Strnad May 24 '22 at 14:39
  • 6
    @v.oddou I think this is just an issue of imprecise wording. In cryptographic terms, it sounds like the OP is striving to make a "commitment" that a file existed at a certain time. The "proof" is actually done at a later time, by providing the file (which can be hashed), and some key material to prove that the OP was the instigator of the transaction. And, to your comment about random hashes, the validity of this commitment does depend on the quality of the algorithm used. At time of writing this, SHA-256 is considered pretty reliable for these purposes. – Cort Ammon May 24 '22 at 18:12
  • 8
    It also depends on the intended use. If the OP is an inventor in a nation whose patent office used "first to invent," they may want to use bitcoin to timestamp a key document, and then keep that document secret until the patent is issued *or* contested. At that point, they produce the file and use the blockchain to argue its date of origin. If the OP wishes to claim "ownership" of a file before distributing it en-masse, that's trickier. That's effectively an NFT. Ensuring the minter of a NFT isn't merely the first person to stick a pre-existing file on the blockchain is complicated. – Cort Ammon May 24 '22 at 18:17
  • 1
    @CortAmmon: First-to-invent basically [doesn't exist any more](https://en.wikipedia.org/wiki/First_to_file_and_first_to_invent). – Kevin May 25 '22 at 06:56
  • @fraxinus the hash is good enough unless it's compromised in a way that allows creating files that you can control the hash of. – Dan Is Fiddling By Firelight May 26 '22 at 21:00
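
The Merkle aggregation described in this answer, as an added example that is not part of the original post and is not OpenTimestamps' own proof format: a generic Merkle tree with RFC 6962-style leaf/node prefixes whose 32-byte root fits in one OP_RETURN output. Function names and the sample "files" are constructed for illustration.

```python
import hashlib

def leaf(content: bytes) -> bytes:
    # 0x00 prefix marks a leaf, so a leaf can never be confused with an inner node
    return hashlib.sha256(b"\x00" + content).digest()

def node(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix marks an inner node
    return hashlib.sha256(b"\x01" + left + right).digest()

def build(contents):
    """Return (root, proofs); proofs[i] is a list of (sibling, sibling_is_left)."""
    level = [leaf(c) for c in contents]
    pos = list(range(len(level)))          # index of each file's ancestor in `level`
    proofs = [[] for _ in level]
    while len(level) > 1:
        for i, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):           # an unpaired last node has no sibling here
                proofs[i].append((level[sib], sib < p))
        nxt = [node(level[j], level[j + 1]) for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])          # promote the unpaired node unchanged
        level, pos = nxt, [p // 2 for p in pos]
    return level[0], proofs

def verify(content: bytes, proof, root: bytes) -> bool:
    # Recompute the path from this file's leaf up to the timestamped root
    h = leaf(content)
    for sibling, sibling_is_left in proof:
        h = node(sibling, h) if sibling_is_left else node(h, sibling)
    return h == root

def op_return_script(root: bytes) -> bytes:
    # OP_RETURN (0x6a), then a direct push of 32 bytes (0x20), then the root
    return bytes([0x6A, 0x20]) + root

# Constructed sample inputs standing in for real files
FILES = [b"paper draft", b"photo bytes", b"article text", b"notes", b"dataset"]
ROOT, PROOFS = build(FILES)

if __name__ == "__main__":
    print("script hex:", op_return_script(ROOT).hex())
    print("proof for file 4 verifies:", verify(FILES[4], PROOFS[4], ROOT))
```

Each file owner keeps only their file and its short proof; the proof length grows with the logarithm of the number of files, while the on-chain footprint stays at one 34-byte script.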
5

Yes, it is possible today. Have a look at https://originstamp.com/ - this service already performs it. I do not recommend that you upload your files to this site, but you will find more information there, rather than in my answer.

amaclin
3

In addition to the services already mentioned, Proof of Existence, billed as "the original Blockchain notary service", does exactly what you are asking for (if you're asking only about existence and not possession), for a fee of 0.00025 BTC each.

Actually uploading the document to the server is not necessary; it only needs the hash, which is computed client-side. I can't vouch for whether or not what's currently on the web site secretly uploads your submissions somewhere. However, they do host their code on GitHub, so you could e.g. run your own server (or just see what exactly it puts on the blockchain, so you could do the same on your own). There is also a free API available, with which you know for sure only the hash is being submitted.

ddawson
2

You cannot use bitcoin alone to prove something about arbitrary files, because bitcoin does not interact with arbitrary files. Any software which calculates a file hash and puts it on the blockchain could have been a software which read hashes from a website, e.g. [1], and never had the actual files.

So a verifier like a court would have to trust a combination of blockchain, custom software and your deployment of it.

[1] http://ftp.debian.org/debian/dists/bullseye/Release

Damian
  • 5
    This misses the point. The very existence of a hash matching a given file (which someone needing to verify prior existence has a copy of) implies that hash was *with very high probability* calculated from the given file (assuming, of course, a collision attack could not be used). If said hash is found in the Bitcoin blockchain, whose time stamps are very likely to be trustworthy, this then implies the given file *probably* existed when the block was mined, *regardless of how the hash made its way into a transaction*. – ddawson May 25 '22 at 16:57
  • 2
    @ddawson Small note: broken collision resistance wouldn't be a problem in this case since you still wouldn't be able to prove you had a file that you didn't actually have at the time. Being able to prove two different files with the same hash doesn't provide any real benefit over just timestamping two different hashes. Preimage resistance is what matters here. – Vojtěch Strnad May 25 '22 at 22:36
  • @VojtěchStrnad Yes, good point. – ddawson May 25 '22 at 22:47
  • 1
    @ddawson, "This misses the point" -> To quote some parts of the question: "I already come up with such a file with such content" and "I prove that I have it at this time". This sounds like possession not pure existence. Having a hash of a file does not mean to have the file. – Damian May 25 '22 at 23:05
  • @Damian Well, if it is indeed possession by oneself (whether this is really necessary may depend on the nature of the file), as opposed to mere existence, then yeah, you'd need something more. Maybe take a photo/video showing your face while holding a sign with the hash of the file written on it, and put the hash of *that photo/video* in the blockchain. You'd need to present an exact copy of the photo/video and not a re-encoded version on a hosting site (or you could instead rely on such a site's date stamp and forgo Bitcoin), as well as a copy of the file you want to prove possession of. – ddawson May 25 '22 at 23:21
  • No, now that I think about it some more, that wouldn't be enough either. As you said, having the hash is not enough. Proving possession *now* is not difficult. There are already protocols for that, but I believe they tend to be interactive, to prevent a claimant cheating. But proving it in the past is another matter. – ddawson May 25 '22 at 23:28
  • @ddawson, you are fine. OP is not asking about "possession" (whatever that means), but is exactly interested in `there exists a file with content at this point of time`. Having a hash of the file together with a timestamp (as part of the Bitcoin chain) would be perfectly fine to prove exactly OP's statement in court or wherever else. Provided the judge and jury grok the meaning of hashes and the (im)probability of clashes, and the difficulty in doctoring a file to meet a given hash, of course. – AnoE May 30 '22 at 08:35
  • @AnoE: "OP is not asking about possession". That is not true, as I have quoted other parts saying so. OP's question is ambiguous at best. – Damian May 30 '22 at 15:08
  • @AnoE Possession means exactly what it sounds like: possessing a copy of the file. One who possesses it can answer questions about its contents that one who only has knowledge of existence cannot, and there exist **challenge-response protocols** that use this property to (probabilistically) prove current possession without transmitting the actual contents. But how would one show that they possessed it at a given time in the past? – ddawson May 31 '22 at 19:39
  • @ddawson, the question has the title "Can I use Bitcoin to permanently prove that "there exists a file with content at this point of time"?" (which was the pertinent question to me, regarding my comments). In the question, OP asks "I already come up with such a file with such content". I agree that these are contradictory terms. The question seems to leave much room for interpretation, so ... yeah. Hard to tell anything unless we know what OP wants. ;) – AnoE Jun 01 '22 at 09:07
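
The distinction drawn in this thread between knowing a hash and possessing the file, as an added example that is not part of the original posts: one simple challenge-response construction (an assumption, not a protocol named on the page) in which a verifier precomputes single-use challenges while it has the file. The class and function names and the sample file are constructed.

```python
import hashlib
import hmac
import secrets

def respond(nonce: bytes, content: bytes) -> bytes:
    """Prover's answer: HMAC-SHA256 keyed by the fresh nonce over the full content."""
    return hmac.new(nonce, content, hashlib.sha256).digest()

class Verifier:
    """Precomputes challenges while holding the file, then keeps only the pairs."""

    def __init__(self, content: bytes, rounds: int = 4):
        self._pending = {}
        for _ in range(rounds):
            nonce = secrets.token_bytes(32)
            self._pending[nonce] = respond(nonce, content)

    def challenge(self) -> bytes:
        if not self._pending:
            raise RuntimeError("no unused challenges left")
        return next(iter(self._pending))

    def check(self, nonce: bytes, answer: bytes) -> bool:
        # pop() makes every nonce single-use, so a recorded answer cannot be replayed
        expected = self._pending.pop(nonce, None)
        return expected is not None and hmac.compare_digest(expected, answer)

# Constructed sample standing in for the real file
FILE = b"article text with the author's name and id" * 100
FILE_DIGEST = hashlib.sha256(FILE).digest()   # all that an on-chain timestamp reveals

if __name__ == "__main__":
    v = Verifier(FILE)
    n = v.challenge()
    print("holder of the file passes:", v.check(n, respond(n, FILE)))
    n = v.challenge()
    print("holder of only the digest passes:", v.check(n, respond(n, FILE_DIGEST)))
```

This only demonstrates possession at the moment of the challenge; the timestamped hash remains a commitment to the file's existence at the earlier time.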
1

Ethereum could be the right choice; Bitcoin requires more hassle. I developed a simple smart contract for certification as you described more than three years ago and it is still working and used by the customer. Moreover, you can label the output so that it is not required to give a lot of explanation when you need to demonstrate your certification: the smart contract will “print out” whatever is needed to understand it (i.e. not a simple number or hash, but a complete “legenda” of the record).

Rick Park
  • 1
    I think a source or link could be helpful here. – Matt Popovich May 25 '22 at 18:54
  • Yes, I agree but unfortunately surely I can mention the application here for educational purpose, but… first of all it is an Ethereum application (and this is the Bitcoin section), secondly that implementation is property of the customer and it is not open-source. Sorry for this. – Rick Park May 26 '22 at 08:28
-1

Frame challenge: this is a solved problem via Git.

The whole point of a version control software like git is to keep track of who changed/created files at what time. As such, you can show all modifications that have ever happened to a file and when they occurred.

As for the legality aspect of this, git has already been used for maintaining laws in such areas as Washington DC: https://arstechnica.com/tech-policy/2018/11/how-i-changed-the-law-with-a-github-pull-request/

  • 3
    It might be useful in some contexts. But there is a question of how robust this solution is. Bitcoin's blockchain is practically immutable (with exponentially increasing certainty for a given block the more blocks are added after it). Git has `git commit --amend`, `git push --force`, and other things, which are specifically designed to alter history. It doesn't necessarily work if people are keeping their own copies, but if the *only* copies are your own and one on a central repo like on GitHub, it's easy, or at least doable. – ddawson May 25 '22 at 20:12
  • 3
    Yeah, as @ddawson says, the linked article and described practice of maintaining a set of law on a publicly accessible git repository don't actually compare well to what OP here is trying to achieve. The point of putting the hash of a file in a public timestamped record is to create widely distributed reliable evidence to show that the corresponding document already existed. Git commits just use the local time of the computer that generated them, so pointing at your own git repository to document the existence of something in the past would be significantly weaker evidence. – Murch May 26 '22 at 14:19