Master-Less Consensus Time

Mechanism

The mechanism rests on three constructs: the signed observation, the admissibility weight, and the composite aggregation. Each peer in the mesh maintains a local clock model: an oscillator state, a drift estimate, and a confidence envelope around its current time estimate. At each consensus epoch, the peer publishes an observation that contains the time estimate, the confidence envelope, the local drift estimate, the timestamp at which the observation was produced, and a credential proving that the publishing peer is a member in good standing of the mesh. The observation is signed under the peer's credential key.

Other peers receive the observation and evaluate its admissibility. Admissibility is composite: it combines the credential validity, the freshness of the observation relative to the current epoch, the consistency of the observation with the receiver's prior model of the publishing peer's drift, and any external admissibility signals carried in the credential, such as recent attestation by the credential issuer or the peer's standing under the operating policy. The composite admissibility yields a weight in a bounded range, typically zero to one, where zero indicates that the observation should be discarded and one indicates that the observation should contribute fully.

The consensus is then computed as a weighted aggregate. The simplest aggregation is a weighted mean over the time estimates, but the disclosure does not restrict the aggregation function. Robust aggregations such as weighted medians, trimmed weighted means, or admissibility-weighted Kalman fusions are within scope. The selection is a tunable parameter of the deployment rather than a fixed property of the architecture.

Each peer integrates the consensus output into its local clock model. The integration is not an instantaneous slewing to the consensus value; it is a model update that adjusts the local oscillator's drift estimate and confidence envelope to reduce divergence from the consensus over the next epoch. This produces the smooth trajectory that downstream applications require while ensuring that the mesh as a whole converges on a shared time without any peer being privileged to dictate the value.

Operating Parameters

The epoch length sets the cadence at which observations are published and consensus is recomputed. Short epochs reduce divergence between consensus updates but increase observation traffic; long epochs reduce traffic but permit drift accumulation between updates. A representative deployment might operate on epochs ranging from tens of milliseconds for tightly-coupled fleets to seconds for loosely-coupled wide-area meshes.

The admissibility composition is parameterized by the weight assigned to each constituent signal. The credential-validity component is typically binary. The freshness component decays observations whose production timestamps are too old relative to the current epoch. The drift-consistency component penalizes observations whose drift estimates diverge sharply from the receiver's prior model of the publishing peer. The external-attestation component permits the credential issuer to influence weight by attaching recent attestations to the credential.

The aggregation function and its parameters are deployment-tunable. A trimmed weighted mean configured to discard the highest and lowest five percent of contributions provides resistance to outlier peers without requiring explicit malicious-peer detection. A weighted median provides stronger robustness at the cost of slower convergence in well-behaved fleets. Operators select the aggregation that matches their threat model and convergence requirements.

The local integration parameters control how aggressively each peer slews toward the consensus. A high integration gain produces rapid convergence but amplifies consensus jitter into the local clock; a low gain smooths out jitter but extends the time to recover from local clock perturbations. Production deployments typically tune the gain to a value that produces smooth integration under nominal conditions while permitting faster recovery when the local clock is detected to be substantially divergent.

Alternative Embodiments

One embodiment operates over a fully connected mesh in which every peer receives every other peer's observation each epoch. This embodiment is appropriate for small fleets where the quadratic message complexity is acceptable. A second embodiment operates over a gossip topology in which observations propagate through a randomized peer-to-peer fan-out, achieving sub-quadratic message complexity at the cost of slightly delayed convergence at the network periphery.

A third embodiment introduces hierarchical consensus, in which local clusters compute internal consensus and elect a representative observation that participates in a higher-level consensus across clusters. The hierarchy reduces aggregate traffic for very large fleets while preserving the master-less property at every level: no single peer holds authority, and any cluster can be lost without producing total time loss.

A fourth embodiment composes the consensus with hardware-clock holdover. Peers that possess high-quality local oscillators contribute observations with tighter confidence envelopes and consequently receive higher admissibility weight under the freshness and drift-consistency components. The composite consensus reflects the contribution of high-quality clocks without making any single clock authoritative.

A fifth embodiment integrates external time sources, such as occasional GNSS fixes or upstream stratum references, as additional signed observations rather than as authoritative inputs. The external source is treated as a peer with a particular credential and admissibility profile. When the external source is available and admissible, it contributes to consensus in proportion to its weight. When the external source is denied, jammed, or spoofed, its admissibility falls to zero and the consensus continues from the surviving peers without architectural reconfiguration.

Composition

The consensus composes naturally with the broader credentialed-event infrastructure of the mesh. Observations are credentialed events; consensus updates are credentialed events; integrations of consensus updates into local clock models are credentialed events. The same audit and provenance infrastructure that records mesh operations records the time-consensus operations, and reconstructing the time history at any peer is a matter of replaying the credentialed event stream.

Because admissibility is composite, the time consensus composes with policy enforcement. A peer that is suspended under the operating policy is suspended in the consensus by virtue of its credential becoming inadmissible. A peer that is restored is restored in the consensus by the same mechanism. There is no separate access-control layer for the timekeeping fabric; it is the same admissibility framework that governs the rest of the mesh.

Prior Art Distinctions

NTP and PTP architectures are stratum-based: time flows from authoritative sources through intermediate strata to leaf consumers. Loss of upper-stratum sources degrades or eliminates time at downstream peers. The master-less consensus described here has no strata; every peer is structurally equivalent and contributes observations on equal footing, modified only by composite admissibility weight.

Berkeley-algorithm style averaging schemes do produce a time average across a peer set, but the original formulation requires a coordinator to collect observations and broadcast the average, reintroducing a master at the coordinator role. The architecture described here computes consensus locally at each peer from observations received from other peers, eliminating the coordinator role.

Blockchain-based timekeeping schemes typically derive time from block-production cadence and consequently inherit the throughput limitations and adversarial dynamics of the underlying consensus protocol. The architecture described here is dedicated to time consensus, operates at the cadence required by downstream applications, and does not require a global ordering of all events in the mesh.

GNSS-disciplined timekeeping derives time from external satellite reference and is therefore vulnerable to denial and spoofing. The architecture described here treats GNSS, where present, as one credentialed contributor among many, preserving operation through GNSS denial.

Practical Considerations

Bootstrap is a distinct concern. A peer entering an established consensus must reconcile its initial clock estimate, which may be substantially divergent from the consensus, without disturbing the existing fleet. The disclosure handles bootstrap by distinguishing observation publishing from observation contribution: a bootstrapping peer may publish observations that other peers receive but assign minimal admissibility weight until the bootstrapping peer has demonstrated drift consistency over several epochs. The bootstrapping peer integrates received consensus updates into its local model during this period, converging toward the fleet without contributing to the fleet's instability.

Network partition behavior follows naturally from the admissibility framework. When a partition isolates two subsets of peers, each subset continues to compute consensus from its locally available observations, and the two consensuses drift independently. On reunion, the admissibility weights of the previously partitioned peers reflect the duration of isolation, and the drift-consistency component drives the merged consensus toward the larger or higher-quality subset rather than producing a discontinuous jump.

Adversarial considerations include peers that publish maliciously crafted observations to manipulate the consensus. The composite admissibility evaluation provides multiple defenses: credential validity excludes peers whose credentials have been revoked, drift consistency penalizes peers whose published drift estimates diverge from their observed drift, and the trimmed-aggregation embodiment removes outlier contributions before aggregation. A sophisticated adversary controlling a minority of peers cannot move the consensus by more than the trimming threshold; an adversary controlling a majority is outside the threat model and outside the scope of any consensus protocol.

Disclosure Scope

The disclosure encompasses the signed-observation construct, the composite admissibility evaluation, the aggregation of admissibility-weighted observations into consensus time, the local integration of consensus into peer clock models, and the credentialed-enrollment mechanism by which new peers join the consensus without disrupting existing operations. Variants over topology, aggregation function, hierarchical composition, and external-source integration fall within scope. The disclosure is filed as Provisional 64/049,409.