Multi-Attester Consensus Timestamping

Mechanism

A timestamping request is presented to the architecture as a credentialed event carrying a payload digest, a request identifier, and a declared attester set. Each attester within the eligible set independently observes the request, generates a local timestamp under its own time-source identity (which may include a hardware clock, a disciplined oscillator referenced to a national time scale, a GNSS-disciplined source, or a network-time protocol reference), and signs the resulting tuple {payload digest, local time value, attester identifier, source class, uncertainty estimate} under its credentialed signing key. The signed observation is returned to a consensus solver that operates within the architecture rather than being delegated to an external clearing authority.

The consensus solver applies an admissibility-weighted aggregation. Each attester's contribution carries a weight derived from its declared authority class, its source-uncertainty estimate, and any governance-credentialed adjustments. The aggregation produces a consensus time value, a dispersion measure across the attester set, and an enumerated lineage of contributing observations. The lineage is the timestamp; the scalar consensus value is merely the principal projection of a structured claim. Downstream consumers verify the timestamp by re-evaluating the aggregation against the named attesters, against the governance-declared weights in force at request time, and against the dispersion bound declared admissible for the request class.

Disagreement is a first-class output. When the dispersion across the attester set exceeds a declared admissibility threshold, the consensus record carries a diagnostic flag that propagates into downstream lineage. Sustained disagreement triggers a credentialed diagnostic event that may indicate clock drift, attempted manipulation, or genuine ordering ambiguity for events whose causal separation is below the resolution of the attester set. The architecture preserves the disagreement rather than masking it; downstream audit can therefore distinguish between high-confidence and low-confidence consensus timestamps without re-executing the underlying observations.

The signed observations are retained in lineage rather than discarded after aggregation. This retention permits an independent re-aggregation by any consumer who possesses the named attesters' public credentials, the governance weight table in force at request time, and the declared aggregation rule. The consensus value is therefore not a trusted output of the solver; it is a derived quantity whose derivation is reproducible from the lineage. A solver compromise is bounded by the requirement that its outputs match an independent re-aggregation of the retained observations; a divergence between the published consensus and an independently re-aggregated value is itself an admissible diagnostic event.

Operating Parameters

The attester set cardinality is governance-declared per request class. Low-stakes operational events may be admissible at a minimum cardinality of three with a quorum of two; high-stakes evidentiary events may require cardinality of seven with a quorum of five and a declared mix of source classes (for example, at least two GNSS-disciplined sources, at least two network-time references to disjoint upstream stratum-1 servers, and at least one hardware-clock source isolated from network drift). The architecture admits the set composition as a credentialed parameter rather than hard-coding a single configuration.

Authority-class weighting is declared in a governance table that names each attester, its source class, its admissible weight band, and the conditions under which the weight may be adjusted. Weights may be unit, may follow an inverse-variance schedule keyed to declared uncertainty, or may follow a piecewise schedule that downweights attesters whose observations have historically diverged from the consensus by more than a declared tolerance. Weight adjustments themselves carry lineage; the timestamp consumer can therefore reconstruct not only the timestamp but the policy state that produced it.

Aggregation rules include the weighted median (preferred for robustness against a small number of compromised attesters), the weighted mean with trimming, and the credentialed-quorum mode in which the consensus value is the value at which a declared weight quorum is achieved. Dispersion is reported as a weighted interquartile range or as a maximum admissible deviation. The selected rule is recorded in lineage; a consumer that prefers a different rule may re-aggregate from the named observations without re-soliciting the attesters.

Admissibility windows declare the time band within which an attester observation may be admitted relative to the request's reception time. Late observations beyond the window are recorded but excluded from the principal aggregation; they may be admitted under a credentialed late-admission procedure that itself enters lineage. Resolution declarations name the smallest time difference the attester set is admissible to distinguish, beyond which event ordering is reported as ambiguous rather than arbitrarily resolved. Replay-protection parameters name the window during which a request identifier may not be reused and the credentialed procedure for retiring an identifier from the active window.

Alternative Embodiments

In a synchronous embodiment, attesters return observations within a bounded window and the consensus solver runs once per request. In an asynchronous embodiment, observations accumulate against a request identifier and the consensus solver produces a tentative timestamp after a quorum is reached, with an option to revise (under preserved lineage) when late observations arrive within a declared admissibility window. In a hierarchical embodiment, regional attester groups produce intermediate consensus values that are then aggregated at a higher tier under separate weighting; this permits scaling to very large attester populations without quadratic communication.

In a delegated embodiment, an attester may itself be a consensus instance whose published value is signed under a delegated identity. In a sealed embodiment, observations are produced inside attestation hardware whose firmware identity participates in lineage, raising the burden on a would-be attacker to compromise both the operator's signing key and the hardware attestation root. In a redacted embodiment, attester identities may be withheld from public lineage but disclosed under credentialed audit access; the consensus value remains verifiable against an aggregate witness without revealing per-attester source classes.

In a streaming embodiment, the consensus solver maintains a rolling state across closely-spaced requests sharing an attester set, amortizing solver cost while retaining per-request lineage. In a cross-jurisdictional embodiment, the attester set spans multiple national authorities whose time scales differ by declared offsets; the aggregation operates in a credentialed common reference and the per-attester offsets are recorded in lineage so that a regulator in any participating jurisdiction can verify against its own scale. In a quorum-degraded embodiment, the solver admits a reduced-quorum consensus under a declared diagnostic flag when the full quorum is unreachable for a credentialed transient cause; the degraded record is auditable and may be retroactively augmented when delayed observations arrive.

Composition With Mesh Operation

The consensus timestamp composes with the broader mesh-time stack. It supplies the time coordinate consumed by ordering primitives that establish causal precedence among events, by lineage retention primitives that bind operational records to admissible time, and by governance primitives that schedule admissibility-window expiry. It composes with credentialed-identity primitives by inheriting attester identity into the timestamp lineage; the timestamp is thereby auditable against the same credential graph as the operational events it timestamps.

It composes with the disagreement-as-signal posture of the architecture: a high-dispersion timestamp is not discarded but is admitted with a diagnostic flag that downstream operations can refuse, accept under a declared lower-stakes class, or escalate for governance review. It composes with no-consensus-settlement primitives by furnishing time evidence for bilateral records that intentionally avoid global consensus on operational outcomes while still requiring trustworthy time.

It composes with continuity-settled currency primitives by supplying the timestamps that order pair-chain settlement events; with cross-pattern composition specifications by supplying the time coordinate against which composition phase boundaries are evaluated; and with credentialed marketplace primitives by supplying admissible time for participation gates whose admissibility windows are governance-declared. In each case the consumer inherits the structured lineage of the consensus timestamp and retains the option to re-aggregate from the named observations under a locally-preferred rule.

Prior-Art Distinctions

RFC 3161 time-stamp protocol relies on a single trusted Time-Stamping Authority whose signature certifies a payload at a claimed time; the security model collapses on compromise of the TSA's key or clock and the protocol does not produce a structured lineage of independent observations. Linked-token schemes (RFC 4998 evidence records) chain TSA outputs but inherit the single-authority root. Public-blockchain consensus timestamps (block-header time fields in proof-of-work and proof-of-stake systems) produce a single coarse time per block under miner- or validator-declared values, are not authority-class-weighted, do not preserve per-attester observations as first-class lineage, and embed the timestamp inside an unrelated consensus on transaction ordering rather than treating the timestamp itself as the object of consensus.

Network Time Protocol and Precision Time Protocol distribute a reference time but do not produce signed, lineage-bearing attestations of a specific event. Threshold-signature timestamping schemes produce a single aggregate signature over a single time value but do not retain dispersion, do not expose authority-class weighting in lineage, and do not admit a disagreement diagnostic. The disclosed mechanism is a structured admissibility-weighted aggregate over independently signed observations, retaining per-attester provenance and dispersion as first-class outputs, and is distinct from each of the foregoing.

Disclosure Scope

This disclosure covers: the multi-attester consensus timestamp as a structured lineage-bearing claim; the admissibility-weighted aggregation under governance-credentialed authority-class weights; the preservation of dispersion and per-attester observations as first-class outputs; the synchronous, asynchronous, hierarchical, delegated, sealed, and redacted embodiments; the composition with mesh-time ordering, lineage retention, governance, and credentialed-identity primitives; and the diagnostic posture under sustained attester disagreement. It does not claim any specific cryptographic signature scheme, time-source technology, or network protocol; those are admitted as substitutable components within the disclosed structure.