Bitcoin Timestamp Server: Proof of Existence and Anchoring

Bitcoin as a Timestamp Server

Section 3 of the Bitcoin whitepaper describes the system as a "timestamp server" that takes a hash of a block of items and widely publishes it. Three of the eight references in Satoshi Nakamoto's paper cite Stuart Haber and W. Scott Stornetta, whose 1991 paper "How to Time-Stamp a Digital Document" laid the theoretical foundation for cryptographic timestamping. Bitcoin's core innovation is making that timestamp server decentralized: no single authority can alter or revoke a timestamp once it is confirmed in a block.

A Bitcoin timestamp proves that a piece of data existed before a specific block was mined. By hashing a document and embedding that hash in a Bitcoin transaction, anyone can later verify the document's existence at that point in time using only the public blockchain. This property has enabled applications ranging from document notarization to intellectual property protection and audit trails.

How OP_RETURN Enables Data Embedding

Before OP_RETURN was standardized, users embedded data in fake addresses and multisig outputs, creating unspendable UTXOs that permanently bloated the UTXO set. Bitcoin Core 0.9.0 (March 2014) introduced OP_RETURN as a clean alternative: a provably unspendable output that nodes can prune from memory.

The OP_RETURN payload limit started at 40 bytes (v0.9.0), was raised to 80 bytes (v0.11.0, February 2015), and in Bitcoin Core v30.0 (2025) the default -datacarriersize was increased to 100,000 bytes as a relay policy change. For timestamping, 32 bytes is sufficient: exactly the size of a SHA-256 hash or Merkle root. A typical OP_RETURN timestamping transaction with one SegWit input, one change output, and a 32-byte payload weighs roughly 140 to 160 vbytes, costing as little as 140 to 160 sats at 1 sat/vB.

You can inspect OP_RETURN data in any Bitcoin transaction using our OP_RETURN decoder. For a deeper look at how Bitcoin Script handles these opcodes, see the opcode reference.

The Merkle Tree Aggregation Model

Embedding one hash per transaction would be expensive and wasteful. Instead, timestamping services aggregate thousands of hashes into a single Merkle tree. Each submitted hash becomes a leaf node. Non-leaf nodes are the SHA-256 hash of their two children. Only the 32-byte Merkle root is written to the blockchain in one OP_RETURN output.

To verify any individual document later, you need only the "sibling" hashes along the path from your leaf to the root. For a tree with 10,000 leaves, that is approximately 14 hash operations (log₂(10,000) ≈ 13.3). The cost of one Bitcoin transaction is shared across all documents in the batch, making per-document costs negligible.

OpenTimestamps Protocol

OpenTimestamps (OTS), created by Peter Todd and announced in September 2016, is the most widely used open-source Bitcoin timestamping protocol. It is free, requires no registration, and has client libraries in Python, Java, JavaScript, and Rust.

The workflow proceeds in four steps:

1. Compute the SHA-256 hash of your file locally. A random 128-bit nonce is prepended for privacy, then re-hashed.
2. Submit the hash to one or more public calendar servers. Four calendars currently operate: two at btc.calendar.opentimestamps.org (alice and bob) and two at calendar.eternitywall.com (finney and a.pool).
3. Calendar servers aggregate submitted hashes into a Merkle tree and commit the root to a Bitcoin transaction via OP_RETURN. A single transaction can secure proofs for over 10,000 digests.
4. After Bitcoin confirmation (typically one to six blocks), the user upgrades their "incomplete" timestamp to a "complete" .ots file containing the full Merkle path to the Bitcoin block header.

A complete .ots proof is self-contained: verification requires only the original file, the .ots proof, and access to Bitcoin block headers. No calendar server or third party is needed after the proof is finalized. In May 2017, OpenTimestamps demonstrated its scalability by timestamping approximately 750 million files from the Internet Archive in a single Bitcoin transaction.

Timestamping Services Compared

Several services and protocols offer Bitcoin-anchored timestamping, each with different trust models, costs, and target audiences.

Proof of Existence, created by Manuel Araoz and Esteban Ordano in Buenos Aires, was one of the first blockchain timestamping services and used a DOCPROOF marker in OP_RETURN outputs. It was acquired by Canaan in May 2017. OriginStamp, founded by Prof. Dr. Bela Gipp from research at the University of Gottingen, originated in plagiarism detection and claims over 60 million proofs created. Chainpoint (v5), developed by Tierion, uses an intermediate Tendermint-based calendar chain and anchors to Bitcoin approximately once per hour, with fees paid via Lightning.

Bitcoin Timestamps vs. Traditional Trusted Timestamping

RFC 3161 defines the standard for trusted timestamping via a centralized Timestamp Authority (TSA). It is widely recognized under the EU's eIDAS regulation and used in legal, financial, and archival contexts. Bitcoin timestamping offers a fundamentally different trust model.

Italy's Intesi Group has bridged both approaches: they issue RFC 3161-compliant timestamp tokens that include Bitcoin blockchain anchoring via OpenTimestamps, and have authored an IETF draft for this extension. This hybrid model gives timestamps both immediate legal standing under eIDAS and long-term tamper resistance from Bitcoin's proof-of-work chain.

Use Cases for Bitcoin Timestamping

Document Notarization and Legal Evidence

A Bitcoin timestamp proves a document existed in a specific form before a given block was mined. Courts in multiple jurisdictions have accepted blockchain timestamps as evidence. China's Hangzhou Internet Court ruled in June 2018 that blockchain-stored evidence is admissible, and in September 2018 the Supreme People's Court formalized rules allowing blockchain evidence across all internet courts. Italy passed Law Decree 135/2018 (Article 8-ter) in February 2019, granting blockchain timestamps the legal effects of an "electronic time validation" under EU Regulation 910/2014 (eIDAS). A French court (Tribunal de Marseille) recognized blockchain proofs from Bernstein.io in 2025.

Intellectual Property Protection

Creators can timestamp designs, code, trade secrets, or manuscripts to establish prior art. Unlike patent filings, a blockchain timestamp is instant, inexpensive, and privacy-preserving: only the hash is public, not the document itself. Services like Bernstein.io create certified version histories anchored to Bitcoin, enabling IP holders to prove creation dates in disputes without revealing content until needed.

Audit Trails and Compliance

Organizations can anchor periodic hashes of their logs, databases, or financial records to Bitcoin. This creates an immutable audit trail proving that records have not been altered after the fact. Because the blockchain is publicly verifiable, auditors and regulators can independently confirm data integrity without trusting the organization that produced the records.

Scientific Research and Academic Credentials

Researchers can timestamp datasets, experimental results, or preprints to establish priority without relying on journal publication dates. OriginStamp originated from plagiarism detection research at the University of Gottingen, and its academic paper "OriginStamp: A blockchain-backed system for decentralized trusted timestamping" (2018) describes the approach in detail.

Data Embedding Methods on Bitcoin

OP_RETURN is the standard method for timestamping, but Bitcoin offers several ways to embed data, each with different tradeoffs.

• OP_RETURN: provably unspendable, prunable from the UTXO set, 80 bytes standard (100,000 bytes with Bitcoin Core v30.0 relay policy). Ideal for hashes and Merkle roots.
• Coinbase transaction: miners can embed arbitrary data in the coinbase scriptSig. Satoshi famously embedded The Times headline in the genesis block. Only available to miners.
• Witness data (post-SegWit): witness bytes count at 1/4 weight, making them cheaper per byte. Taproot removed size limits on witness data in script-path spends, enabling up to ~4 MB per transaction.
• Ordinals inscriptions: use Taproot witness space for NFT-like content. Designed for full-content storage, not hash-based timestamping, and far more expensive.

For timestamping, OP_RETURN remains optimal: it is minimal (32 bytes), universally relayed, prunable, and purpose-built for data anchoring. Use our OP_RETURN decoder to inspect timestamping transactions, or the timestamp converter to work with Bitcoin block times and Unix epochs.

Historical Context: Haber, Stornetta, and Surety

The concept of cryptographic timestamping predates Bitcoin by nearly two decades. Stuart Haber and W. Scott Stornetta published "How to Time-Stamp a Digital Document" in 1991, proposing hash-linked chains as a way to prove document ordering without a trusted authority. Their follow-up papers introduced Merkle tree aggregation for efficiency (1993) and secure naming for bit-strings (1997).

In 1995, Haber and Stornetta founded Surety Technologies, which published weekly hash digests in the New York Times classifieds: a physical-world analogue to blockchain publication that continues to this day. Satoshi cited their work three times in the Bitcoin whitepaper, more than any other body of research, making it clear that decentralized timestamping was a foundational motivation for Bitcoin's design.

Frequently Asked Questions

What is proof of existence on the Bitcoin blockchain?

Proof of existence is a method of proving that a document, file, or dataset existed at a specific point in time by embedding its cryptographic hash in a Bitcoin transaction. The hash is stored in an OP_RETURN output, which is recorded permanently in the blockchain. Anyone with the original file and the transaction ID can independently verify the timestamp by recomputing the hash and comparing it to the on-chain data.

How does OpenTimestamps work?

OpenTimestamps hashes your file locally, submits the hash to public calendar servers, which aggregate thousands of hashes into a Merkle tree. The Merkle root is committed to Bitcoin via a single OP_RETURN transaction. After confirmation, you receive a .ots proof file containing the full path from your file's hash to the Bitcoin block header. Verification requires only the original file, the .ots proof, and Bitcoin block headers: no third party or calendar server is needed.

Is a Bitcoin timestamp legally valid?

Legal recognition varies by jurisdiction. Italy explicitly granted blockchain timestamps the legal effects of electronic time validation under eIDAS in February 2019 (Law Decree 135/2018). China's Supreme People's Court ruled in September 2018 that blockchain evidence is admissible in internet courts. Under EU eIDAS, Bitcoin timestamps qualify as non-qualified electronic time stamps: they can be used as evidence but do not carry the automatic presumption of accuracy that qualified timestamps from a licensed TSA enjoy.

How much does it cost to timestamp a document on Bitcoin?

With OpenTimestamps, it is free. The protocol aggregates many timestamps into a single Bitcoin transaction using a Merkle tree, so the transaction fee (typically 140 to 160 sats at low fee rates) is shared across thousands of documents. Commercial services like OriginStamp and Bernstein charge per-timestamp or subscription fees that include additional features such as APIs, dashboards, and legal-grade certificates.

What is the difference between OP_RETURN and Ordinals inscriptions?

OP_RETURN embeds a small piece of data (typically a 32-byte hash) in a provably unspendable output. It is minimal, cheap, and designed for data anchoring. Ordinals inscriptions store full content (images, text, up to ~4 MB) in Taproot witness data, designed for NFT-like use cases. For timestamping, OP_RETURN is the appropriate tool: you only need to store a hash, not the entire document.

How accurate is a Bitcoin timestamp?

Bitcoin blocks are mined approximately every 10 minutes, so the timestamp resolution is on the order of minutes, not seconds. Block header timestamps themselves can vary by up to two hours under consensus rules, though in practice they are typically accurate to within minutes. OpenTimestamps calendar servers may also batch submissions for some time before committing to a transaction. For applications requiring sub-second precision, traditional RFC 3161 timestamp authorities are more appropriate. For proving existence before a given date, Bitcoin provides stronger long-term guarantees than any centralized system.

Can I verify a Bitcoin timestamp without running a full node?

Yes. A complete OpenTimestamps .ots proof contains the full chain of hash operations from your document to a Bitcoin block header. You need the original file, the .ots proof, and a trusted source of Bitcoin block headers (which can come from a light client or SPV node, a block explorer, or any Bitcoin node). The verification involves only standard SHA-256 operations and block header lookup, making it lightweight enough to run on any device.

This tool is for informational purposes only and does not constitute legal or financial advice. Legal recognition of blockchain timestamps varies by jurisdiction and may change. Data is based on publicly available information. Always consult qualified legal counsel before relying on blockchain timestamps for legal purposes.