Newer Older
Daniel Kraft's avatar
Daniel Kraft committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
NameStamp -- Proving Namecoin Time-Stamps

Namecoin [1] is a general-purpose, decentralised name/value database.  This
has a lot of useful applications, like .bit domains [2] or online
identities [3].  In order to make this work, Namecoin uses the same
"blockchain" concept that powers Bitcoin.  See, for instance, the original
Bitcoin whitepaper [4].  The fundamental achievement of the blockchain
is that it implements a decentralised and secure "time-stamping service".
NameStamp is a way to leverage Bitcoin's time-stamping ability.


17 18 19 20 21 22 23 24 25 26 27 28 29
More information about NameStamp can be found at its website [5] [6].
If you have any suggestions, comments, ideas or questions, feel free to
contact me:
  OpenPGP: 4096R/0xB2492AC4A7330737
           1142 850E 6DFF 65BA 63D6  88A8 B249 2AC4 A733 0737
  id/domob [7]

  [6] https://www.namestamp.bit/

Daniel Kraft's avatar
Daniel Kraft committed
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
What is time stamping and why is it useful?

"Time stamping" is the process of creating a proof that something (in
particular, a digital file) existed at some point in time.  This can be very
useful in a lot of situations.  For instance, to prove authorship of some
manuscript, song or other digital work:  If you create a time stamp before
you publish the work and then someone tries to "steal" it, you can use the
time stamp to prove that you had the piece before everyone else.  Or, if you
rent a flat (could also be a car or something else, it does not really matter),
you can take pictures of any damage present and time-stamp it.  This allows
you to prove later on that you were not the originator of the damage, since
it was already present on the date when you moved in.

How is this related to Bitcoin?

Bitcoin creates digital money.  Ownership of a particular balance is proved
using asymmetric cryptography.  In other words, if you own some bitcoins
and want to send them to Alice, you write a message saying

  I want to transfer X bitcoins out of my balance Y to Alice.

and sign it with your private key.  Then you broadcast the message to the
Bitcoin network, and every participating node can process the transfer if
your signature matches the owner of "balance Y".  However, a major difficulty
in systems like this is double-spending:  In addition to your message above,
you could also create a message that spends the very same balance to Bob
(or even back to yourself!).  In this situation, the network needs a way to
determine which of the two transactions is the "correct" one.  A simple
Daniel Kraft's avatar
Daniel Kraft committed
60 61 62
rule to resolve this conflict is to "use the earlier transaction".  However,
for this to work, one needs a way to determine an absolute order of events on
which the network agrees upon.
Daniel Kraft's avatar
Daniel Kraft committed
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85

This is the point where Bitcoin's time-stamping scheme comes in:  Roughly
speaking, all transactions are grouped into "blocks".  The blocks themselves
form a "hash chain", which implies that earlier blocks can not be manipulated
without invalidating the whole chain.  A particular process, called "mining",
is then employed to reach consensus about the correct chain.  This leads
to an absolute order of blocks, which is almost impossible to change
afterwards.  Since each block contains a real-world time, these blocks can
also be interpreted as time stamps of the data contained in them (as well as
all previous blocks of the chain).

Namecoin time stamps

While Bitcoin is, of course, designed to be money, the system can be "hacked"
to include time stamps of actual data.  One service that allows this is
"Proof of Existence" [5].  Namecoin, on the other hand, is specifically
designed to store arbitrary "data".  Thus, it is particularly well-suited
also to store time stamps.  Instead of crafting particular transactions that
look like sending money but instead contain data, you can just include your
data per design into a name's value!  Since Namecoin has a blockchain
similar to Bitcoin's, the same time-stamp process secures the data afterwards.

Daniel Kraft's avatar
Daniel Kraft committed
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

However, one can still argue that Bitcoin is the most secure blockchain
in existence, and that Bitcoin has a better chance of surviving throughout
the coming years than Namecoin has.  (While I believe that both systems
will survive and be of great use, I also think that this argument is justified.)
Fortunately, Namecoin is merge-mined with the Bitcoin blockchain:  This means
that Bitcoin miners can also mine Namecoin, without any additional cost.
Currently about half of all Bitcoin miners makes use of this possibility.
The way in which merge-mining works ensures that Namecoin blocks are, in some
sense, regularly included into the Bitcoin blockchain.  In other words,
even if you use Namecoin to time-stamp your data, a hash chain will eventually
exist that links your data back to Bitcoin itself!

So what, finally, is NameStamp?

This is the point where NameStamp finally comes in:  It is a simple utility
that allows you to extract the particular details of this link.  In other words,
if you have data time-stamped into the Namecoin blockchain, you can use
NameStamp to explicitly find and "construct" a proof that links this data
to a Bitcoin block hash.  This block hash, in turn, has a very securely
defined time stamp in the Bitcoin system, which is independent of Namecoin.
To do just that, you have to have a Namecoin transaction that sets some name
to your desired data.  If TXID is the transaction id, you then simply call:

  $ TXID >

If everything goes well, this writes the "proof" to the given output file
( in the example).  The proof is just a simple Python script that takes
your input data and hashes it together with constants in a particular way
until it arrives at a Bitcoin block hash.  This script is relatively easy
to review, so that one can, indeed, check that the Bitcoin block hash produced
"contains" information about your data.  This, in turn, shows that your data
must have existed before the particular Bitcoin block!

Notes about using NameStamp

In order to use NameStamp, you need to have both a Namecoin and Bitcoin client
installed and with their REST API enabled.  This means that you need at least
Bitcoin version 0.10 as well as Namecoin Core.  Set "rest=1" in the config
files of both clients, or run them with the "-rest" flag.  Namecoin (but not
Bitcoin) also needs "txindex=1".

The ports at which NameStamp tries to access the APIs are hardcoded in the
script.  This should be fine as long as you do not use non-standard
"rpcport"s.  If you do, just edit accordingly and set your
value at the top.
135 136 137 138 139

Live Demo

I have used NameStamp itself to create a time-stamping proof for an early
Daniel Kraft's avatar
Daniel Kraft committed
140 141
version of NameStamp's code.  This can serve as a nice example and
demonstration.  The data is contained in the Namecoin transaction
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219


which sets the name 'd/namestamp' to the value (with added line break):


The first, longer hex string is the SHA-256 sum of the actual data file,
which is kept in Demo/namestamp-poc.tar.bz2.  The second, shorter hex
string is the SHA-1 commit in Git corresponding to the tag "timestamp-demo".

Using NameStamp and the transaction id above, we can simply create a proof:

  $ f9...98 >
  Stamped in Namecoin blockchain: 2015-02-23 15:44:06
  Stamped in Bitcoin blockchain: 2015-02-23 16:53:42

As you can see, NameStamp also writes out the real-world times in the Namecoin
and Bitcoin blocks found while constructing the proof.  In this case, you can
see that the Namecoin block containing the transaction was there before
a valid merge-mined Bitcoin block was found.  This most likely means that
the merge-mining proof found for the Namecoin block was not "difficult enough"
to qualify also for the Bitcoin network.  That can happen, but is no problem
to the design of NameStamp.  We can just follow up the chain of Namecoin
blocks until we find one that actually corresponds to a Bitcoin block.

More important, however, is the created proof in the output file.  You can
find it in Demo/ if you do not want to (or can not) run NameStamp
yourself.  Running the proof as Python script prints:

  $ python Demo/
  Proving value:

  Original txid: f9e91213b5f5c0156ab92eec606affa40959d19e02849fe31a5c47aa78cb1298
  Namecoin block: 3e9c6d1d6d10281bc71283984db106ee28cff70e42a60dcd7da3486845cb13c5
  Bitcoin block: 000000000000000000e6ee318f139c381502ddd357d0d4561a619c464b2b5b79

This shows you the time-stamped value, the Namecoin transaction id, and the
two block hashes that "contain" the transaction.  Most important, of course,
is the Bitcoin block hash at the bottom.  This hash can be used independently
to verify its authenticity and real-world time against the Bitcoin blockchain.
Let us now also view the proof script itself.  The important part of the
script is this:

  def proof (value, c):
    h = ChainHasher (value)
    print 'Proving value:\n%s\n' % value
    h.hash (c[0], c[1])
    print 'Original txid: %s' % h.getRevHex ()
    h.hash (None, c[2])
    h.hash (c[3], None)
    h.hash (None, c[4])
    h.hash (c[5], c[6])
    print 'Namecoin block: %s' % h.getRevHex ()
    h.hash (c[7], c[8])
    h.hash (c[9], c[10])
    h.hash (c[11], None)
    h.hash (c[12], None)
    h.reverse ()
    h.hash (c[13], c[14])
    h.hash (None, c[15])
    h.hash (None, c[25])
    h.hash (c[26], c[27])
    print 'Bitcoin block: %s' % h.getRevHex ()

At the very end, this function is called with "value" set to the data
string that is being time-stamped, and "c" set to an array of hex strings.
The latter is constructed carefully to fulfil the proof, but is not at all
important for the interpretation.  If you look at the proof function above
as well as the definition of the class "ChainHasher", you will easily see
that the script really only takes the original value and hashes it together
with the various constants.  The Bitcoin block hash printed at the end
is the ultimate hash value.  This, indeed, shows that the time-stamped value
must have existed before the resulting Bitcoin block!