TL;DR
- ▸A thought experiment: what if a clock could prove, to anyone, what it was doing at a given instant, without that person having to trust the organisation that owned the clock?
- ▸Today the world runs on records that ask to be trusted. A log says what a system claimed was true, and nothing in it stops it being quietly rewritten later. The idea here is to flip that, and make the record self-proving rather than self-asserting.
- ▸The interesting question is not whether it is technically possible, because it plainly is. The same primitives already secure version-control history, certificate transparency and distributed ledgers. The real question is whether it would be worth doing: would it change behaviour, would anyone trust it, and what might we lose along the way?
The premise: what if time could not be quietly rewritten?
Start with a simple question. Imagine that every machine keeping time could, after the fact, hand you a proof of exactly what its clock was doing at 14:32:01 on a given Tuesday, and that you could check that proof yourself with nothing more than a piece of public mathematics, without taking the machine's owner at their word.
That is not how time works in our systems today. A clock keeps time, a process writes down what it believed the time to be, and that written record is accepted largely on trust. The record asserts, it does not prove. This piece explores the opposite idea, a clock whose history is self-proving, and it tries to ask an honest question. Would such a thing actually be worth building for the world, or is it a clever answer to a question almost nobody is really asking?
The shape of the question
This is not a description of a product. It is a thought experiment. If cryptographic UTC attestation existed at scale, would it make a difference worth the effort, and to whom?
Where the pressure is real today
The idea is worth poking at because a surprising amount of the modern world quietly depends on trusting timestamps after the fact. When something goes wrong, a disputed trade, an outage, a safety incident, the first question is almost always when, and the answer is almost always a timestamp produced by the same organisation now being asked to account for itself.
Financial markets are where this tension is sharpest and most formalised, so they make a useful lens. Several regulators already insist that trade timestamps be traceable to Coordinated Universal Time and that the traceability be documented and auditable. The table below sketches where that pressure sits today. Read it not as a sales case but as evidence that at least one large and serious industry has already decided that trusting a firm's own clock records is not good enough.
| Where | Instrument | UTC tolerance | What is required today |
|---|---|---|---|
| EU markets | MiFID II RTS 25 Article 2 | 100 microseconds (HFT business clocks); 1 ms (algorithmic traders) | A documented traceability chain, with evidence available at all times rather than on request. |
| EU operational resilience | DORA Articles 9, 10, 11 (in force Jan 2025) | Not set directly; timing is in scope as an ICT system | Accurate, complete and consistent records, continuous monitoring, documented continuity. |
| US markets | SEC Consolidated Audit Trail | 1 ms | Traceability to a national reference, documented. |
| US broker-dealers | FINRA OATS / Rule 6030 | 1 ms (most reportable events) | Documented synchronisation to a national reference, consistent with CAT. |
| Asia-Pacific | MAS, HKFSC, ASIC and equivalents | Sub-millisecond, varies by asset class | Documented traceability to a national UTC reference. |
The DORA acceleration
Rules like the EU's DORA, in force since January 2025, ask for records that are accurate, complete and consistent, and for continuous monitoring. Most timing setups still produce log files, which are records in the literal sense but not self-proving ones. The gap between those two ideas is exactly the space this thought experiment lives in.
The weakness hiding in every log file
A log file is a confession, not a proof. It is generated by the very system whose behaviour is in question, stored on storage that system controls, and it can be edited afterwards with nothing in the file itself to reveal that it was. To accept a log you have to trust two things at once: that the system was configured correctly when the line was written, and that nobody has touched it since. Neither is visible from the inside.
For most of computing history that was an acceptable bargain, because checking the alternative was expensive and the people involved were broadly trusted. What has shifted is scale and scepticism. There is simply too much data to reconcile by hand, and the people receiving the records have grown technically literate enough to know that a self-generated record proves very little. Once you have noticed this about timestamps, it is hard to unnotice it about everything else.
The thought experiment: a record that proves itself
So picture the alternative. Once a second, a machine captures the state of its clock: the offset it measured against its reference, the quality of the signal it was tracking, whether it was running on holdover, and the reference value itself. It wraps that snapshot in a digital signature, and inside each new snapshot it includes a fingerprint of the one before it.
That single design choice, each record carrying the fingerprint of its predecessor, is what turns a pile of records into a chain. Change any record in the past and every fingerprint after it stops matching, and the break is obvious to anyone who looks. None of this is exotic. It is the same idea that underpins version-control history, certificate transparency logs and distributed ledgers. The novelty is only in pointing it at clocks.
Anchor the start of the chain to a recognised national time reference, the kind of laboratory-grade UTC source that already publishes its own figures, and you have something with an interesting property. A stranger could be handed a fragment of the chain and check, entirely offline, three things: that each record was signed by who it claims, that the chain of fingerprints is unbroken, and that it traces back to a reference everyone already accepts. No call to the firm, no call to a vendor, no trust required in either.
What would feel different
Today you ask an organisation to show you its records and you decide how much to believe them. In this imagined world you would not ask at all. You would take the record and check the mathematics, and the organisation's honesty would simply not be part of the equation.
Would it actually change anything?
Technical possibility is the easy part. The harder and more interesting question is whether any of this would change behaviour, and behaviour is where ideas like this usually live or die.
There is a plausible case that it would. A regulator could verify millions of records programmatically instead of arguing over spreadsheets. An honest firm gains something it cannot get today, the ability to say do not trust me, check, and mean it literally. Disputes shrink, because there is less to dispute. And the mere knowledge that a record is self-proving tends to change how carefully it is produced in the first place, in the same way that an audited account is kept differently from a private one.
There is an equally plausible case that it would change very little. Most of the time nobody checks anything, because nothing has gone wrong. The value of a proof is felt only in the rare moment of dispute, and people are notoriously bad at paying ongoing costs for rare benefits. It is entirely possible to build something rigorous and correct that the world simply shrugs at, because the pain it removes was never quite painful enough.
The catch: what it would not fix, and what it might cost
Even granting that it works and that people use it, the idea carries some uncomfortable baggage worth stating plainly.
First, it proves rather than prevents. A clock that was wildly wrong would have its wrongness faithfully and permanently recorded. Attestation documents reality, it does not improve it, and a beautifully proven record of a bad clock is still a bad clock. The temptation to mistake provability for quality is real.
Second, trust does not disappear, it moves. Instead of trusting a firm's records you now trust whoever holds the signing keys and the integrity of the reference clock at the root. That may well be a smaller and more honest dependency than the one we have now, but it is not nothing, and a compromised key or a captured reference would undermine everything built on top of it. The new trust root deserves at least as much scrutiny as the problem it replaces.
Third, and least discussed, a world where every clock can prove its own past is also a world where nothing about timing can ever be quietly forgotten or placed in context. Perfect, permanent, mechanical provability is not an unalloyed good. It removes a certain human latitude, the room to be wrong and to correct it later, to explain rather than merely to be measured. Whether that is a price worth paying probably depends on what is at stake, and we should be honest that it is a price.
So, would it make a difference?
The honest answer is that it depends less on the cryptography than on us. The mathematics has been ready for decades. What is undecided is whether enough people in enough places would agree, in advance, what a passing proof should mean, because a proof only matters when its audience has agreed to be bound by it.
Perhaps the most useful way to read the whole idea is not as a technology at all but as a shift in posture, from trust me to check me. You do not strictly need cryptography to make that shift, but cryptography makes it cheap and unambiguous, and cheap and unambiguous is often what turns a principle into a practice. Where the consequences of being wrong about time are severe, in markets, in critical infrastructure, in anything where milliseconds carry money or risk, that shift seems clearly worth wanting. Everywhere else, it may remain a fascinating answer in search of a question.
Which leaves the question where a thought experiment should leave it, open. If a clock could prove its own past, would your corner of the world be better for it, or merely more thoroughly recorded? It is worth deciding what you think before someone decides it for you.
An open question, not a pitch
If this idea seems valuable to you, the interesting next step is not to buy anything. It is to ask, in your own field, where you are currently trusting a timestamp that you would rather be able to check.
Frequently asked questions
Is this describing something I can buy today?+
Is it even technically possible?+
If the firm is no longer trusted, who is?+
What might the world lose?+
Would regulators or courts actually accept such proofs?+
Deep dives in this guide
Cluster posts that go deeper on specific aspects of what if a clock could prove its own past? a thought experiment in cryptographic utc attestation.

