What If a Clock Could Prove Its Own Past? A Thought Experiment in Cryptographic UTC Attestation

Concept · Thought experiment

What If a Clock Could Prove Its Own Past? A Thought Experiment in Cryptographic UTC Attestation

A speculative question, not a product pitch: imagine if every machine could hand anyone independently verifiable proof of what its clock was doing at any moment in history. Would it matter? Who would benefit, what might it cost us, and would the world actually be better for it? An exploration of the idea of cryptographic UTC attestation.

Ian Gough
Ian GoughFounder & CEO, TimeBeat
13 min read
ConceptComplianceTrustTimeThought experiment

TL;DR

  • A thought experiment: what if a clock could prove, to anyone, what it was doing at a given instant, without that person having to trust the organisation that owned the clock?
  • Today the world runs on records that ask to be trusted. A log says what a system claimed was true, and nothing in it stops it being quietly rewritten later. The idea here is to flip that, and make the record self-proving rather than self-asserting.
  • The interesting question is not whether it is technically possible, because it plainly is. The same primitives already secure version-control history, certificate transparency and distributed ledgers. The real question is whether it would be worth doing: would it change behaviour, would anyone trust it, and what might we lose along the way?

The premise: what if time could not be quietly rewritten?

Start with a simple question. Imagine that every machine keeping time could, after the fact, hand you a proof of exactly what its clock was doing at 14:32:01 on a given Tuesday, and that you could check that proof yourself with nothing more than a piece of public mathematics, without taking the machine's owner at their word.

That is not how time works in our systems today. A clock keeps time, a process writes down what it believed the time to be, and that written record is accepted largely on trust. The record asserts, it does not prove. This piece explores the opposite idea, a clock whose history is self-proving, and it tries to ask an honest question. Would such a thing actually be worth building for the world, or is it a clever answer to a question almost nobody is really asking?

The shape of the question

This is not a description of a product. It is a thought experiment. If cryptographic UTC attestation existed at scale, would it make a difference worth the effort, and to whom?

Where the pressure is real today

The idea is worth poking at because a surprising amount of the modern world quietly depends on trusting timestamps after the fact. When something goes wrong, a disputed trade, an outage, a safety incident, the first question is almost always when, and the answer is almost always a timestamp produced by the same organisation now being asked to account for itself.

Financial markets are where this tension is sharpest and most formalised, so they make a useful lens. Several regulators already insist that trade timestamps be traceable to Coordinated Universal Time and that the traceability be documented and auditable. The table below sketches where that pressure sits today. Read it not as a sales case but as evidence that at least one large and serious industry has already decided that trusting a firm's own clock records is not good enough.

WhereEU markets
InstrumentMiFID II RTS 25 Article 2
UTC tolerance100 microseconds (HFT business clocks); 1 ms (algorithmic traders)
What is required todayA documented traceability chain, with evidence available at all times rather than on request.
WhereEU operational resilience
InstrumentDORA Articles 9, 10, 11 (in force Jan 2025)
UTC toleranceNot set directly; timing is in scope as an ICT system
What is required todayAccurate, complete and consistent records, continuous monitoring, documented continuity.
WhereUS markets
InstrumentSEC Consolidated Audit Trail
UTC tolerance1 ms
What is required todayTraceability to a national reference, documented.
WhereUS broker-dealers
InstrumentFINRA OATS / Rule 6030
UTC tolerance1 ms (most reportable events)
What is required todayDocumented synchronisation to a national reference, consistent with CAT.
WhereAsia-Pacific
InstrumentMAS, HKFSC, ASIC and equivalents
UTC toleranceSub-millisecond, varies by asset class
What is required todayDocumented traceability to a national UTC reference.

The DORA acceleration

Rules like the EU's DORA, in force since January 2025, ask for records that are accurate, complete and consistent, and for continuous monitoring. Most timing setups still produce log files, which are records in the literal sense but not self-proving ones. The gap between those two ideas is exactly the space this thought experiment lives in.

The weakness hiding in every log file

A log file is a confession, not a proof. It is generated by the very system whose behaviour is in question, stored on storage that system controls, and it can be edited afterwards with nothing in the file itself to reveal that it was. To accept a log you have to trust two things at once: that the system was configured correctly when the line was written, and that nobody has touched it since. Neither is visible from the inside.

For most of computing history that was an acceptable bargain, because checking the alternative was expensive and the people involved were broadly trusted. What has shifted is scale and scepticism. There is simply too much data to reconcile by hand, and the people receiving the records have grown technically literate enough to know that a self-generated record proves very little. Once you have noticed this about timestamps, it is hard to unnotice it about everything else.

The thought experiment: a record that proves itself

So picture the alternative. Once a second, a machine captures the state of its clock: the offset it measured against its reference, the quality of the signal it was tracking, whether it was running on holdover, and the reference value itself. It wraps that snapshot in a digital signature, and inside each new snapshot it includes a fingerprint of the one before it.

That single design choice, each record carrying the fingerprint of its predecessor, is what turns a pile of records into a chain. Change any record in the past and every fingerprint after it stops matching, and the break is obvious to anyone who looks. None of this is exotic. It is the same idea that underpins version-control history, certificate transparency logs and distributed ledgers. The novelty is only in pointing it at clocks.

Anchor the start of the chain to a recognised national time reference, the kind of laboratory-grade UTC source that already publishes its own figures, and you have something with an interesting property. A stranger could be handed a fragment of the chain and check, entirely offline, three things: that each record was signed by who it claims, that the chain of fingerprints is unbroken, and that it traces back to a reference everyone already accepts. No call to the firm, no call to a vendor, no trust required in either.

What would feel different

Today you ask an organisation to show you its records and you decide how much to believe them. In this imagined world you would not ask at all. You would take the record and check the mathematics, and the organisation's honesty would simply not be part of the equation.

Would it actually change anything?

Technical possibility is the easy part. The harder and more interesting question is whether any of this would change behaviour, and behaviour is where ideas like this usually live or die.

There is a plausible case that it would. A regulator could verify millions of records programmatically instead of arguing over spreadsheets. An honest firm gains something it cannot get today, the ability to say do not trust me, check, and mean it literally. Disputes shrink, because there is less to dispute. And the mere knowledge that a record is self-proving tends to change how carefully it is produced in the first place, in the same way that an audited account is kept differently from a private one.

There is an equally plausible case that it would change very little. Most of the time nobody checks anything, because nothing has gone wrong. The value of a proof is felt only in the rare moment of dispute, and people are notoriously bad at paying ongoing costs for rare benefits. It is entirely possible to build something rigorous and correct that the world simply shrugs at, because the pain it removes was never quite painful enough.

The catch: what it would not fix, and what it might cost

Even granting that it works and that people use it, the idea carries some uncomfortable baggage worth stating plainly.

First, it proves rather than prevents. A clock that was wildly wrong would have its wrongness faithfully and permanently recorded. Attestation documents reality, it does not improve it, and a beautifully proven record of a bad clock is still a bad clock. The temptation to mistake provability for quality is real.

Second, trust does not disappear, it moves. Instead of trusting a firm's records you now trust whoever holds the signing keys and the integrity of the reference clock at the root. That may well be a smaller and more honest dependency than the one we have now, but it is not nothing, and a compromised key or a captured reference would undermine everything built on top of it. The new trust root deserves at least as much scrutiny as the problem it replaces.

Third, and least discussed, a world where every clock can prove its own past is also a world where nothing about timing can ever be quietly forgotten or placed in context. Perfect, permanent, mechanical provability is not an unalloyed good. It removes a certain human latitude, the room to be wrong and to correct it later, to explain rather than merely to be measured. Whether that is a price worth paying probably depends on what is at stake, and we should be honest that it is a price.

So, would it make a difference?

The honest answer is that it depends less on the cryptography than on us. The mathematics has been ready for decades. What is undecided is whether enough people in enough places would agree, in advance, what a passing proof should mean, because a proof only matters when its audience has agreed to be bound by it.

Perhaps the most useful way to read the whole idea is not as a technology at all but as a shift in posture, from trust me to check me. You do not strictly need cryptography to make that shift, but cryptography makes it cheap and unambiguous, and cheap and unambiguous is often what turns a principle into a practice. Where the consequences of being wrong about time are severe, in markets, in critical infrastructure, in anything where milliseconds carry money or risk, that shift seems clearly worth wanting. Everywhere else, it may remain a fascinating answer in search of a question.

Which leaves the question where a thought experiment should leave it, open. If a clock could prove its own past, would your corner of the world be better for it, or merely more thoroughly recorded? It is worth deciding what you think before someone decides it for you.

An open question, not a pitch

If this idea seems valuable to you, the interesting next step is not to buy anything. It is to ask, in your own field, where you are currently trusting a timestamp that you would rather be able to check.

Frequently asked questions

Is this describing something I can buy today?+
No. This is a thought experiment about an idea and whether it would be worth pursuing, not a description of a shipping product. The aim is to interrogate the concept honestly, including the reasons it might not be worth it.
Is it even technically possible?+
Yes, and trivially so. The building blocks, signed records and hash chains, are decades old and already secure things like version-control history, certificate transparency and distributed ledgers. Possibility was never the hard part. Worthwhileness is.
If the firm is no longer trusted, who is?+
Trust moves rather than vanishes. Instead of trusting the record keeper you would trust whoever holds the signing keys and the integrity of the reference clock at the root of the chain. The real design question is whether that is a smaller and clearer dependency than the one it replaces.
What might the world lose?+
A world where every clock's past is provable is also one where nothing about timing can be quietly forgotten or reframed later. Permanent, mechanical provability has costs, to privacy and to the human latitude to be wrong and correct it, that are easy to ignore when you are excited about the mathematics.
Would regulators or courts actually accept such proofs?+
Unknown, and that is the crux. Acceptance is a social and legal question, not a cryptographic one. A proof is only useful if the people receiving it have agreed beforehand what a passing result obliges them to believe.

Next steps

Put Concept · Thought experiment into practice

Talk to a Timebeat engineer about how this applies to your network, or download the Agent and try it yourself.