Mesh-Derived Time: Master-Less Consensus and Joint Spacetime Optimization

1. Problem and Architectural Premise

Time synchronization in production distributed systems is overwhelmingly master-bound. Network Time Protocol (NTP) hierarchies trace through stratum-1 servers to stratum-0 atomic references at national time laboratories. Precision Time Protocol (IEEE 1588 PTP) elects a grandmaster within a clock domain and distributes time hop-by-hop with hardware timestamping at boundary clocks. White Rabbit extends PTP for sub-nanosecond data-center synchronization with a root oscillator. GNSS-disciplined oscillators trace through GPS, Galileo, BeiDou, or GLONASS to the constellation's control segment. Roughtime adds adversarial-detection but still queries authoritative servers. In each case, the architecture is a tree rooted at a privileged source, and the correctness of every leaf depends on the correctness of the root.

Master-bound architectures fail predictably along four axes. They fail under partition: when the network fragments, leaves cut off from the root drift without bound and reconciliation on rejoin is undefined or operationally fragile. They fail under contestation: when multiple plausible authoritative sources are present (a corporate NTP server and a public NTP pool, two GNSS constellations with disagreeing time, a primary and backup grandmaster in disagreement), the architecture has no structural mechanism for resolving disagreement, and the operational answer is typically a vendor-defined preference that an adversary can manipulate. They fail under spoofing: GNSS time injection attacks have moved from academic demonstrations to documented field incidents, and the master-bound architecture treats spoofed time as authoritative because the spoofing is below the protocol layer. They fail under compromise: a malicious or compelled time authority can shift downstream time without any structural detection mechanism, because downstream participants have no peer cross-check.

Each failure mode is increasingly exploited in critical-infrastructure, defense, and adversarial-environment contexts, and each is structurally inherent to the master-bound architecture rather than a fixable implementation defect. Existing alternatives partially address some failure modes — Roughtime addresses spoofing-detection through randomized server queries, Hybrid Logical Clocks address partition-rejoin causal ordering, Google's TrueTime bounds clock uncertainty within a controlled administrative domain — but none unify with spatial coordinate establishment, none produce credentialed timestamps suitable for cross-organizational audit, and none support the governance-bound multi-attester consensus that regulated environments (financial markets under MiFID II microsecond timestamping, legal evidence under RFC 3161 and successors, medical-record commit ordering under EU MDR audit, defense assured-PNT requirements) demand. The architectural premise of this disclosure is that time is a governed quantity that should be established cooperatively, with no participant privileged as master, and that time and space should be co-resolved because they are physically coupled in any system using time-of-flight ranging.

2. Core Architectural Primitive: Cooperative Credentialed Consensus

Mesh-derived time establishes time through cooperative consensus among credentialed participants, with no required master and no required external reference. Each participating unit maintains a local clock with a learned drift model, exchanges credentialed time observations with neighbors during normal operation, and integrates received observations into its own time estimate weighted by credential authority, observation freshness, neighbor drift-model quality, and physical-layer measurement uncertainty. The integration produces a per-unit time estimate that is the weighted aggregate of the unit's own predicted trajectory and the consensus contributions from its neighbors.

No participant is structurally privileged as master. If a high-authority participant joins the mesh — a national time-laboratory unit signing observations under a regulator credential, a GNSS-receiving unit during periods of clean GNSS reception, a participant equipped with a primary cesium standard — its observations carry higher weight in the consensus by virtue of its credential and its drift-model quality, but the architecture does not require its presence and does not collapse in its absence. Master-less operation makes the primitive resilient to partition: when the mesh fragments, each fragment maintains internally consistent time within its own consensus, with the fragment's collective uncertainty growing with isolation duration in a structurally bounded fashion. When fragments rejoin, the consensus mechanism reconciles their time states, recording the required adjustment as a credentialed observation in the lineage so downstream consumers can audit how the rejoin was performed.

Time observations are first-class governed observations, indistinguishable in admissibility, lineage, and propagation from any other observation in the broader governance chain. A time observation carries the publishing unit's credential, the observation timestamp, the unit's drift-model state at observation, the physical-layer measurement context (radio modality, ranging method, hardware timestamping epoch), and lineage to the prior observations from which the unit's current estimate was derived. Consumers admit time observations through composite admissibility and combine them with their own local estimate through credentialed weighting.

The consensus mechanism is structurally analogous to a distributed Kalman filter operating on credentialed observations: each unit's local estimate is a Bayesian update over its prior estimate (predicted forward by its drift model) and the credentialed-and-weighted contributions of its peers. Unlike a pure Kalman filter, the weighting is governed: credential authority, observation lineage, and policy-defined trust-slope all enter the weight, which makes the primitive admissible in regulated environments where unweighted statistical estimation is structurally inadmissible.

3. Per-Agent Learned Drift Models

Each participating unit learns and publishes its own clock's drift characteristics under operating conditions. The drift model captures temperature dependence (oscillator frequency varies with crystal or oven temperature), aging (long-term frequency drift over months and years), oscillator type (consumer-grade quartz, temperature-compensated crystal oscillator, oven-controlled crystal oscillator, chip-scale atomic clock, rubidium standard, cesium standard), short-term stability (Allan deviation at 1-second to 10000-second integration), and operational regime (powered-on duty cycle, vibration environment, supply-voltage stability). The model produces a per-unit prediction of how the local clock evolves between observation events along with an uncertainty bound that grows with prediction horizon.

The drift model is itself a governed observation. Each unit publishes its model, signs it with its credential, and updates it as new drift evidence accumulates. The model is versioned in lineage so that consumers can verify which model was active at the time a given observation was emitted. Other participants consume the model to weight observations from this unit appropriately: a unit with a credentialed oven-controlled crystal oscillator (typical Allan deviation 10^-11 at 1 second) is weighted higher than a unit with a consumer-grade temperature-compensated crystal (typical Allan deviation 10^-9 at 1 second), and a unit operating in a stable thermal environment is weighted higher than the same unit operating in a thermal-cycling environment.

Drift-model learning runs continuously. Each unit compares its predicted local time against credentialed peer observations, attributes the residual to either local drift, peer drift, or measurement noise according to a maximum-likelihood decomposition, and updates the local drift parameters. Learning is governance-credentialed: the drift-model evolution is part of the unit's lineage, and an adversarial unit attempting to manipulate the consensus through fabricated drift cannot do so without leaving a structurally detectable lineage break.

Accurate per-unit drift models reduce the required communication frequency for a given accuracy target by enabling the unit to coast accurately between consensus events. A unit with a credentialed OCXO and a learned drift model can hold microsecond-class accuracy through tens of minutes of isolation; a unit with a chip-scale atomic clock can hold microsecond-class accuracy through hours. This property is what makes the primitive viable across intermittent connectivity (maritime, aerospace, underground, contested-RF environments) where master-bound protocols structurally fail.

4. Ranging-Piggyback Synchronization and Joint Spacetime Optimization

Time and range are physically coupled: any range measurement based on time-of-flight is also a time measurement, and any time-of-flight measurement requires a position estimate to interpret. The mesh-time primitive captures both contributions in a single packet exchange. When two units exchange an Ultra-Wideband ranging packet (or any other time-of-flight ranging modality, including acoustic, optical, or two-way satellite), the round-trip time encodes the range, the timestamp difference encodes the relative clock offset, and a single credentialed observation publishes both. The same packet that establishes "you are 47.3 meters from me" also establishes "your clock is 218 microseconds ahead of mine relative to my drift model and your declared drift model."

Joint capture eliminates the redundancy of separate time- and position-distribution channels and exploits cross-correction structurally. A unit with confident time but uncertain position receives both a range update and a time cross-check from a peer with confident position but uncertain time; the joint solution converges faster than either separate channel would, because the joint observation constrains both estimates simultaneously. In adversarial environments, the cross-correction is also a cross-check: a peer attempting to manipulate one estimate without manipulating the other produces a structurally inconsistent observation that the joint optimization detects.

The full mesh state is a joint spacetime graph. Nodes are units, each carrying a position estimate and a time estimate with associated uncertainty. Edges are credentialed range/time observations between unit pairs. The optimization produces a globally consistent spacetime solution by minimizing residuals across all admitted observations under a credentialed weighting. The optimization is incremental: new observations refine the solution without recomputation from scratch, in the manner of incremental smoothing-and-mapping (iSAM) but with credentialed weights and lineage-bound updates. The optimization is also lineage-bound: each refinement is recorded with its supporting observations so that the full solution history can be replayed for audit.

Joint optimization captures cross-effects that separate optimizations miss. A clock drift correction implies a range correction (the assumed time-of-flight at the prior drift estimate was incorrect), and a position correction implies a time correction (the assumed clock offset at the prior position estimate was incorrect). Separate spatial and temporal optimizations, composed after the fact, cannot capture this coupling and produce systematically biased solutions in any system with non-negligible drift or position uncertainty. The joint solution is unbiased and the biased separate solution is structurally observable as a residual; the primitive therefore provides a stronger correctness property than the composition of legacy time and position protocols.

The optimization is governance-credentialed throughout. Regulator-signed reference observations weight highly, peer observations weight by credential authority and drift-model quality, and the resulting solution carries the lineage of all admitted contributions. A consumer who admits the joint solution admits a credentialed object whose components are individually auditable.

5. Multi-Attester Consensus Timestamps for Audit

Audit-grade timestamping in regulated environments requires that no single clock be the basis for a recorded event time. The multi-attester timestamp primitive produces timestamps signed by a quorum of credentialed time authorities. A financial transaction is timestamped by the trading venue's time authority, the regulatory time authority, and the participating firm's own time authority, with all three signatures required for the timestamp to be admissible as the canonical event time. A medical-record commit is timestamped by the institution's time authority, the regulatory time authority, and the patient-custody time authority. A legal-evidence chain-of-custody event is timestamped by the custodian, the issuing court's time authority, and a third-party trusted timestamping authority.

Multi-attester timestamps are structurally tamper-evident. An attacker who compromises a single time authority cannot produce admissible timestamps because the quorum requirement is unmet; an attacker who attempts to retrospectively alter an admitted timestamp must produce a quorum of compromised authorities, which is structurally observable as a coordinated lineage break. The audit trail is therefore not merely signed but quorum-bound, which is the property that distinguishes the primitive from RFC 3161 single-authority trusted timestamping.

The quorum mechanism integrates directly with the consensus primitive. The participating time authorities are participants in the mesh, signing time observations into the consensus that downstream consumers use to interpret the multi-attester timestamp. The timestamp is thus not a one-shot artifact but a structurally embedded observation in the lineage, with the quorum signatures providing the admissibility threshold and the consensus providing the time scale interpretation.

The primitive serves the regulated-timestamping market under a single mechanism: MiFID II microsecond timestamping for European trading venues, SEC Regulation Systems Compliance and Integrity (Reg SCI) timestamping for U.S. market infrastructure, RFC 3161 successors for legal-evidence trusted timestamps, distributed-database commit ordering under serializability audit, EU eIDAS qualified electronic timestamps, and assured-PNT defense applications under the same architectural pattern. The configurations differ only in the quorum composition, the credential set, and the audit-retention policy.

6. Operating Parameters and Engineering Envelope

Time consensus precision targets vary by application class. Microsecond-class precision (1 to 10 microseconds wall-clock accuracy) is typical for general distributed-systems coordination and is achievable with TCXO-equipped commodity hardware participating in a moderately connected mesh (3 to 10 neighbors per unit, 1 to 10 second observation cadence). Sub-microsecond precision (100 nanoseconds to 1 microsecond) requires OCXO or chip-scale atomic clocks and tighter cadence (100 millisecond to 1 second), serving financial-trading and critical-infrastructure applications. Sub-100-nanosecond precision requires CSAC or rubidium standards with hardware-timestamped UWB ranging, serving defense assured-PNT and high-frequency-trading collocation.

Drift-model parameters span typical oscillator classes: consumer crystal at 10^-6 fractional frequency stability, TCXO at 10^-7 to 10^-8, OCXO at 10^-9 to 10^-11, CSAC at 10^-10 to 10^-12, rubidium at 10^-11 to 10^-13, and cesium primary at 10^-13 to 10^-15. Drift-model state per unit is on the order of 1 to 10 KB, comprising temperature coefficients, aging parameters, short-term-stability characterization, and recent residual history. Drift-model update cadence is between 1 minute and 1 hour depending on operating-environment stability.

Joint-spacetime-graph optimization scales between O(N) and O(N log N) per incremental update for typical mesh topologies under iSAM-style incremental optimization, with N being the number of active observation edges. Per-unit memory for the local view of the joint graph is on the order of 100 KB to 10 MB depending on retention horizon. Mesh-wide consensus convergence on a perturbation propagates at the consensus cadence times the mesh diameter, typically converging within 1 to 10 cadence intervals.

Quorum sizes for multi-attester timestamping are application-defined: 2-of-3 for standard financial timestamping, 3-of-5 for high-assurance regulatory timestamping, and configurable thresholds for legal-evidence applications. Quorum verification cost per timestamp is O(k) signature verifications where k is the quorum size, dominated by elliptic-curve verification at typical 0.1 to 1 millisecond per verification on commodity hardware.

Bandwidth per unit for time-observation publication ranges from 100 bps in low-cadence sparse meshes to 100 kbps in tight-cadence high-density meshes, with the upper end serving high-frequency-trading collocation and the lower end serving wide-area sensor networks.

7. Alternative Embodiments

The primitive admits embodiments differing in physical-layer ranging modality, consensus topology, drift-model representation, and timestamp-quorum composition, all preserving the master-less credentialed-consensus contract. Physical-layer ranging modalities include UWB (commodity, sub-meter at 10-meter range), two-way time-transfer over RF (kilometer-class, microsecond-class), acoustic ranging (underwater applications), optical time-transfer (line-of-sight, sub-nanosecond-class), and two-way satellite time-and-frequency transfer (intercontinental, nanosecond-class). The primitive is modality-agnostic; each modality contributes credentialed observations to the joint optimization with its own measurement-uncertainty profile.

Consensus topologies range from full-mesh (every unit observes every neighbor, suitable for small high-assurance deployments) through structured-overlay (units organize into a credentialed graph that bounds observation degree, suitable for large deployments) to hierarchical-cluster (clusters with internal consensus and inter-cluster gateway observations, suitable for federated deployments). The consensus mechanism is identical across topologies; topology choice trades observation density for scalability.

Drift-model representations range from simple two-parameter (offset and rate) through Kalman-style state-space (offset, rate, drift, with environmental-coupling terms) to full machine-learned representations (neural-network-parameterized drift under environmental telemetry). Higher-fidelity models reduce required observation cadence and improve isolated-coast accuracy at the cost of model-size and learning-data requirements.

Multi-attester quorum compositions range from k-of-n threshold signatures (any k of n authorities suffice) through structured-threshold (specific role-defined subsets, e.g., one regulator plus one venue plus one participant) to weighted-threshold (authorities weighted by credential, with quorum measured as weight rather than count). Quorum policy is configurable per application without changing the underlying primitive.

Reference-anchoring embodiments allow the consensus to be periodically anchored to an external reference (a national time laboratory, a regulator-operated reference, a cryptographic transparency log) without making the reference a master. The anchor produces credentialed observations at its declared cadence; the consensus weights them like any other observation but does not depend on them.

8. Composition with Broader Architecture

Mesh-derived time composes laterally with mesh-derived coordinates: the joint spacetime graph is the structural integration point, with time and position co-resolved through ranging-piggyback observations. The two primitives are not separately deployable; they are aspects of a single joint estimation that the implementation may expose as separate APIs but cannot meaningfully decouple, because the cross-correction is what gives both their strongest correctness properties.

Mesh-derived time composes upward with marker-track transport: track markers carry credentialed timestamps signed under the mesh-time consensus, and the proximity windows that define track admissibility are evaluated in joint spacetime so that "this marker was observed at this place at this time within this tolerance" is a structurally well-defined predicate. Without joint spacetime, the predicate is ambiguous because the time and place are evaluated in separate frames.

Mesh-derived time composes with matched-pair settlement: settlement windows are intervals in joint spacetime, the settlement event is a multi-attester timestamp produced under the consensus, and the lineage of a settled pair includes the time-and-position trajectory of each participant through the settlement window. This composition is what enables physical-world transactional settlement (logistic handoffs, custody transfers, regulated-good provenance) on equal structural footing with financial transactional settlement.

Mesh-derived time composes with cross-mesh reconciliation: when two administrative meshes meet at a boundary, the time-frame federation primitive produces credentialed observations that translate timestamps between the two consensuses without privileging either, recording the translation in lineage so downstream consumers can audit how a cross-domain timestamp was interpreted. Time-zone, calendar, leap-second, and relativistic-frame transitions are all handled within this federation pattern; calendar policy is itself a credentialed observation signed by the calendar authority.

Relativistic correction is a credentialed observation layer applied to the consensus. At sufficient precision, altitude, velocity, and gravitational-potential differences are non-negligible: GPS-class systems require relativistic correction at the 38-microsecond-per-day level, aviation and low-earth-orbit applications require correction at the nanosecond-per-second level, and high-precision financial trading across geographically separated venues requires correction at the picosecond-per-second level. The correction is a per-observation transform, signed by the unit declaring its kinematic and gravitational state, and admitted into the consensus through the same governance pattern as any other observation.

9. Prior-Art Distinctions

The primitive is structurally distinct from NTP and PTP. Both are master-bound time-distribution protocols: NTP elects stratum-1 references traceable to atomic standards, PTP elects a grandmaster within a clock domain. The mesh-derived time primitive has no master and no grandmaster; its consensus is symmetric across credentialed peers, and its admissibility is governance-credentialed rather than topology-elected. NTP and PTP can participate as observation sources within the mesh-time consensus (an NTP server's output, properly credentialed, contributes a weighted observation), but they cannot serve as the architectural foundation because their failure modes are precisely the modes the primitive addresses.

The primitive is structurally distinct from White Rabbit. White Rabbit is a sub-nanosecond extension of PTP for data-center and accelerator-physics deployments with a root oscillator and hardware-timestamped boundary clocks. Like PTP, it is master-bound; unlike the primitive, it does not generalize to wide-area, partition-prone, or adversarial environments and does not produce credentialed timestamps suitable for cross-organizational audit.

The primitive is structurally distinct from GNSS time and from GNSS-disciplined oscillators. GNSS time is single-source: the constellation control segment is the master, and the architecture has no defense against constellation-level compromise, jamming, or spoofing. The primitive admits GNSS-receiving units as participants with elevated credential weight during clean-reception periods, but does not require GNSS and does not collapse when GNSS is denied or spoofed.

The primitive is structurally distinct from Google's TrueTime. TrueTime bounds clock uncertainty within Google's administrative domain through GPS and atomic-clock infrastructure operated under a single authority. The primitive operates across multiple administrative authorities through credentialed consensus and supports cross-organizational audit; TrueTime supports neither.

The primitive is structurally distinct from Roughtime. Roughtime adds spoofing detection through randomized server queries with cryptographic chaining; it remains a master-bound architecture with multiple servers as alternatives. The primitive embeds the equivalent guarantees in the credential and lineage structure of every observation rather than as a query-protocol layer.

The primitive is structurally distinct from Hybrid Logical Clocks. HLC produces causally consistent partial ordering across distributed nodes but does not produce wall-clock time consensus, does not support audit-grade timestamping, and does not co-resolve with spatial coordinates. The primitive produces wall-clock consensus admissible for regulated, legal, and physical-world applications.

The primitive is structurally distinct from blockchain timestamps. Blockchain timestamps are consensus-bound to block production cadence and are not spatially aware; the primitive produces sub-millisecond-class consensus, is co-resolved with spatial coordinates, and is admissible in regulated environments where blockchain-cadence timestamps are structurally inadmissible.

10. Disclosure Scope

Disclosed under USPTO provisional application 64/049,409, the mesh-derived time primitive covers the master-less cooperative credentialed consensus mechanism, the per-unit learned drift-model primitive with credentialed publication, the ranging-piggyback joint observation contract, the joint spacetime graph optimization with incremental and lineage-bound updates, the multi-attester audit-grade timestamp primitive with configurable quorum policies, the relativistic correction layer as credentialed per-observation transform, and the time-frame federation primitive for cross-mesh reconciliation including calendar, leap-second, and time-zone handling.

Disclosure includes the alternative embodiments described above (physical-layer ranging modalities including UWB, RF two-way time transfer, acoustic, optical, and two-way satellite; consensus topologies including full-mesh, structured-overlay, and hierarchical-cluster; drift-model representations from simple two-parameter through machine-learned; quorum compositions from threshold through weighted; reference-anchoring as non-master credentialed contribution), the operating-parameter envelope (precision targets, oscillator classes, bandwidth profiles, optimization scaling), and the integration interface with installed-base time-distribution and audit-timestamping infrastructure.

The primitive composes with the broader governance-chain umbrella disclosed in the same provisional, including mesh-derived coordinates (joint spacetime graph as integration point), marker-track transport (track markers as time-and-place references), matched-pair settlement (settlement windows in joint spacetime), capability admission, mission policy, cross-mesh reconciliation, and health monitoring (composite health observations carry mesh-time-credentialed timestamps). The composition is by structural admissibility of governed observations and does not introduce admissibility rules specific to time.