OpenTimestamps (OTS) in Bisq — Design Analysis

[HenrikJannsen]

OpenTimestamps (OTS) in Bisq — Design Analysis

Overview

This document explains:

• how OpenTimestamps (OTS) works
• which security guarantees it provides
• how Bisq could use timestamping
• the constraints specific to Bisq clients
• two possible integration models
• the trust and scalability issues that arise
• why oracle-based timestamping is currently the most feasible approach

The goal is not to achieve perfect trustlessness, but to reach a reasonable, auditable, and operationally safe design under real-world constraints.

---

What OpenTimestamps Is

OpenTimestamps (OTS) is a cryptographic protocol that allows proving that some data existed at or before a certain point in time.

It does this without trusted timestamp authorities and without embedding data directly into the Bitcoin blockchain.

Instead, OTS provides:

• existence proofs, not identity proofs
• upper-bound timestamps, not exact wall-clock time

OTS answers the question:

“This data definitely existed before Bitcoin block X was mined.”

---

How OpenTimestamps Works

1. Hashing

The user hashes some data:

H = SHA256(data)

Only the hash is used. The original data is never published.

---

2. Calendar aggregation

The hash is submitted to one or more OTS calendar servers.

Calendars:

• aggregate thousands of hashes
• build a Merkle tree
• return a partial proof

At this stage, the timestamp is incomplete.

---

3. Bitcoin anchoring

Calendars periodically anchor the Merkle root into Bitcoin using:

• an OP_RETURN, or
• another provable on-chain commitment

This creates a verifiable link between:

• the data hash
• the Merkle root
• the Bitcoin transaction

---

4. Proof upgrade

After the anchoring transaction is confirmed, the timestamp can be upgraded.

The final OTS proof contains:

• Merkle inclusion proof
• Bitcoin transaction ID
• block hash
• block height

This allows anyone to verify:

“This hash existed before block N.”

---

What OTS Does Not Provide

OTS does not provide:

• real wall-clock time
• timezone information
• guaranteed block timestamp accuracy
• identity binding
• prevention of future backdating attempts

OTS only proves:

data existed no later than the anchored block.

---

Bisq Use Cases for Timestamping

In Bisq, timestamping is primarily needed for:

• profile creation time
• payment account aging
• trade-limit verification
• risk assessment

Important properties:

• timestamps influence limits, not custody
• incorrect timestamps do not cause fund loss
• they affect risk evaluation only

---

Bisq Constraints

Network constraints

• Tor-only onion services
• no clearnet access
• preference to avoid Tor exit nodes

---

Client constraints

• We do not want a wallet dependency solely to retrieve block data, as this would add development effort for both Bisq 2 Java and Rust teams and would require block lookups for all timestamped data.
• We do not want to ship blockchain headers with the application.
• We do not want to perform block explorer lookups to verify block existence or timestamps, as this would result in a large number of external requests.
• We prefer not to introduce large new dependencies (OTS includes a bitcoinj dependency).

---

Operational constraints

• must scale to thousands of users
• must avoid request floods to calendar servers
• must not rely on trusted third-party explorers
• we do not want to operate Bisq-hosted calendar servers as onion services, as this would introduce operational burden and recurring Bitcoin transaction costs

These constraints strongly limit how OTS can be used.

---

Option 1 — Clients Perform OTS Themselves

Flow

1. client creates data
2. client submits hash to calendars
3. client waits for anchoring
4. client performs multiple upgrades
5. client verifies block data via explorer lookup

---

Problems

1. Incomplete timestamps

• anchoring can take hours
• user may want to trade immediately
• peers cannot verify incomplete proofs
• requires additional logic to manage partial timestamps

---

2. Massive request amplification

Thousands of clients performing:

• calendar submissions
• repeated upgrade polling
• explorer lookups

creates:

• denial-of-service risk
• calendar rate limiting
• unreliable user experience

---

3. Block verification problem

To verify a timestamp, the client must know:

• block height
• block hash
• or block time

Without:

• headers
• explorers
• or wallets

there is no independent way to verify this information.

OTS provides only the block hash.
Without validating that this block exists in the Bitcoin blockchain, the timestamp must be considered untrusted data.

---

4. Hidden trust

Although OTS appears trustless, in practice the client must trust:

• block explorers
• calendar-provided metadata

This re-introduces implicit trusted third parties.

---

5. Dependency concerns

• Adds a dependency on the OTS library, which includes bitcoinj.
• The project is relatively old and mostly in maintenance mode.
• Known vulnerabilities exist and would require additional development effort to resolve.

During evaluation this already caused issues with transitive dependencies, including incompatible protobuf versions.

We prefer to keep dependencies to a minimum.

---

6. Development effort

• The OTS library does not expose an interface to inject a custom HTTP client for Tor support.
• Calendar communication requires TLS; currently Bisq supports only HTTP connections to onion services.

Supporting Tor exit nodes would require integrating the Bisq Tor HTTP client into OTS, which would require modifying upstream library code and maintaining a fork.

---

Result

Client-side OTS becomes:

• complex
• slow
• unreliable
• non-scalable
• not actually trustless
• dependency-heavy
• associated with significant development effort

---

Option 2 — Oracle Performs OTS

Flow

1. user sends data to the oracle
2. oracle timestamps the data
3. oracle performs proof upgrades
4. oracle retrieves block data from a local Bitcoin Core node
5. oracle distributes finalized timestamps

Clients receive only:

• finalized timestamp data
• oracle-assigned creation time

---

Advantages

• no client complexity
• controlled calendar usage
• Bitcoin Core allows trustless block data retrieval

---

Drawbacks

• still requires Tor + TLS support and exit node usage
• avoiding exit nodes would require Bisq-operated calendar onion services
• clients must trust the oracle for correct timestamp assignment

---

Trust Implications

The oracle is trusted for:

• assigning timestamps
• availability
• correct operation

The oracle is not trusted for:

• cryptographic correctness
• forging OTS proofs

However, the oracle could:

• backdate data
• misreport creation time

This introduces explicit trust.

---

Why Fully Trustless Time Is Not Achievable Here

Given the client constraints:

• no headers
• no explorers
• no wallets
• no clearnet access

there is no scalable and secure way for clients to independently verify:

• block height
• block time
• anchoring validity

in real time.

---

Requirements for a Fully Trustless Solution

A fully trustless OTS integration would require:

• users delegating timestamping to the oracle
• oracle connectivity to Bisq-operated calendar onion services
• operation of calendar servers with recurring Bitcoin anchoring costs
• local Bitcoin Core node (already required in the current oracle setup)
• publication of full OTS proofs, which significantly increases data size
• client-side verification using blockchain data

Avoiding explorer lookups would likely require using the Bisq wallet:

• currently BDK with Electrum backend
• later possibly compact block filters

For Electrum, this would result in significant request volume (≈2000 profiles plus future payment account timestamps).

While technically possible, this approach introduces high operational cost and complexity that is not justified by the use case.

---

Alternative

Use the oracle as a trusted timestamp source, consistent with the existing profile-age model.

Multiple oracle nodes already provide a limited level of protection against abuse.

In the future, additional auditing mechanisms could be introduced, such as:

• collecting historical timestamp data
• anchoring aggregated oracle output using OTS
• verification by independent audit nodes

These mechanisms can be added later without affecting the current protocol design.

---

Conclusion

Given the constraints and trade-offs, oracle-based timestamping currently provides the best balance between:

• security
• decentralization
• usability
• maintainability

under real-world conditions.

This approach keeps the system simple today while preserving the option for stronger auditability in the future.

[ChrisSon15]

Great and detailed analysis! Sad to see that OTS is coming with such disadvantages. Seems like you digged quite deep into OTS. First question coming to my mind: What if all oracle nodes fail / shutdown will the network still be able to function? Is that a scenario we should consider at all?

[HenrikJannsen]

Yes, thats a good point and we have to avoid that oracle nodes are required for trades. But as far I see now that will not be the case. We use them for time stamping the user profile creation data (already done) and for time stamping a payment account creation. If no oracle-signed data is present in the network, it is considered age zero. As it can be assumed that oracle nodes are only temporary out of service, the requests sent to them will be processed once they are available again and then the data gets published. Worst case the user need to do a request again if the tolerated time difference of oracles clock and the users requested time is too large. But re-requesting will be anyway required when the data have been expired or are close to expiry date. In that case the oracle will look up its already persisted data and republish. A similar process could be applied in case the user did not see the data shortly after request but with a new time to avoid that the oracle side tolerance check fails. So worst case is that that users age is a bit less old as it would have been if oracles would have been available.

[ChrisSon15]

In option 2, section Flow number 5 you write:
"oracle distributes finalized timestamps" How does it do so. Does the Oracle distribute the info
to each user? Or only to the user making the timestamp and that user distributes the information
to other users as needed?

[ChrisSon15]

Since the Oracle node needs explicit trust and OTS is not a project we would like to be
dependent on, what about making oracle node independent of OTS like this:

Alice is a trader trying to get a timestamp (let's say for her profile creation)
Bob wants to trade with Alice.

1. Alice hashes the profile id and sends it to an oracle.
2. Oracle signs the id together with the current timestamp and sends it back to Alice.
3. Alice verifies that the signature and the timestamp are correct. (She has a built-in
   certificate for oracle signatures). If incorrect, she reports the malfunctioning oracle node.
4. Alice puts up an offer with her new profile id. (Note: It is not strictly necessary to send
   the signature of the profile id at this point in time. It is enough to verify the signature
   when the offer is taken, see below)
5. Bob sees the offer in the offerbook and takes the offer.
6. Alice sends the offer details and the signature to Bob.
7. Bob verifies the signature (with his built-in certificate for oracle signatures) for the
   profile id (and for the account data). If invalid, he rejects the offer.
8. Alice is unable to trick others into taking an offer with fake timestamps.

Important to notice:

• oracles don't need to store anything, the signature is persistent only with Alice. She is
  responsible for saving the signature.
• Traders need one or more built-in certificates. If ever needed, revoking and/or adding
  certificates can happen through distributing new versions of the bisq client.
• The oracle only signs a timestamp request. Alice is immediately verifying the signature, so if
  the oracle misbehaves, it won't do any damage and will be detected instantly. By having the
  oracle signature verifiable, I don't see any way the oracle node could take advantage by cheating.
• Obviously, if oracle nodes go down, nothing happens except that new timestamps cannot be signed.
• This scales very well.