Status: Draft for public review · Protocol · Privacy-first · No blockchain

ProofSpec — TimeProofs Open Protocol for Digital Proof of Existence

Defines how to create, sign, timestamp, and verify proofs that a specific data artifact existed at a point in time and has not changed since, without exposing the original content.

1. Abstract

ProofSpec binds a content-derived SHA-256 hash to a signed timestamp and a verification method. Transport-agnostic. Verifiable by anyone. Original content stays local.

2. Model & Terms

Actors

  • Author: computes the hash locally.
  • Timestamping Service: signs a tuple (hash, ts) and returns a proof.
  • Verifier: checks integrity and signature.

Core flow

  1. Hash input M with SHA-256 → hash as 64-hex.
  2. Submit hash (+ optional meta) → receive signed Proof.
  3. Verify signature and hash equality. Optionally, policy checks on ts.

3. Data Model

{
  "spec": "proofspec/1.0",
  "hash": "<64-hex>",
  "alg":  "HMAC-SHA256",
  "ts":   "2025-10-22T14:00:00.000Z",
  "sig":  "<hex(hmac_sha256(secret, `${hash}|${ts}`))>",
  "kid":  "tp-admin-v0",
  "meta": { "type":"event", "source":"api" },
  "ver":  { "endpoint":"https://timeproofs.io/verify.html?hash=<hash>", "method":"GET" }
}

meta is optional. Exclude personal data.

4. JSON Schema

{
  "$schema":"https://json-schema.org/draft/2020-12/schema",
  "$id":"https://timeproofs.io/schema/proofspec-1.0.json",
  "title":"ProofSpec Proof",
  "type":"object",
  "required":["spec","hash","alg","ts","sig","kid","ver"],
  "properties":{
    "spec":{"type":"string","const":"proofspec/1.0"},
    "hash":{"type":"string","pattern":"^[0-9a-f]{64}$"},
    "alg":{"type":"string","enum":["HMAC-SHA256"]},
    "ts":{"type":"string","format":"date-time"},
    "sig":{"type":"string","pattern":"^[0-9a-f]{64}$|^[0-9a-f]{128}$"},
    "kid":{"type":"string","minLength":1},
    "meta":{"type":"object","additionalProperties":true},
    "ver":{
      "type":"object",
      "required":["endpoint","method"],
      "properties":{
        "endpoint":{"type":"string","format":"uri"},
        "method":{"type":"string","enum":["GET","POST"]}
      },
      "additionalProperties":false
    }
  },
  "additionalProperties":false
}

5. Algorithms

5.1 Hashing

Use SHA-256. Text is UTF-8. Emit lowercase 64-hex.

5.2 Signing

HMAC-SHA256 with service key kid. Message is UTF-8:

message = `${hash}|${ts}`

Emit signature as lowercase hex.

5.3 Verification

  1. Recompute hash from input; compare to proof.
  2. Rebuild message; verify sig using the key bound to kid.
  3. Validate spec/alg and time policy on ts if applicable.

5.4 Transport

Out of scope. HTTP reference in ver.endpoint. HTTPS required.

6. Security & Privacy

7. Regulatory Mapping

EU AI Act / Data Act / DSA

Supports traceability logs, integrity checks, and auditability for generated/processed content.

GDPR

No personal data required. Keep meta non-identifying.

Complements C2PA: existence + integrity, not full provenance chains.

8. Versioning

9. Reference Implementation

Open reference implementation with public verification.

Create

POST https://api.timeproofs.io/api/admin/timestamp
Authorization: Bearer <ADMIN_TOKEN>
Content-Type: application/json

{"hash":"<64-hex>","meta":{"source":"spec"}}

Verify

GET https://timeproofs.io/verify.html?hash=<64-hex>

OpenAPI and examples: API Docs.

10. Test Vectors

# Input (UTF-8): "TimeProofs"
hash = "3940cae79aa443bfcdfc09b4f9fbb49bf16f0be354dee96e014a236d1c7ac9c3"  # example
ts   = "2025-10-22T14:00:00.000Z"
msg  = `${hash}|${ts}`
sig  = hex( HMAC_SHA256(key=K1, msg=msg) ).lower()
kid  = "tp-admin-v0"

Example only. Publish official vectors before final release.

11. FAQ

Is blockchain required?

No. Standard hashing and signatures. Lower cost. Higher privacy.

Can I verify offline?

Yes, with the proof object and the verification key policy for kid.

12. License & Copyright

© 2025 TimeProofs. ProofSpec text under Apache-2.0 (or MPL-2.0). “TimeProofs” is a trademark. Reference code is open-source under a compatible license.

13. Changelog