
What Did They Know, and When Did They Know It?
This old question in law, journalism and commerce has decided the outcomes of criminal trials, ended political careers, and settled the fate of companies. But when it comes to digital information, until recently it was quite difficult to answer.
Not Before Time (NBT) is a public broadcast facility that connects information to time in three ways that can be trusted without trusting any single person or organisation:
- Information will not be readable before a certain future time — a message, document or file is sealed so that nobody can open it until the time comes.
- Information existed by a certain past date — a document can carry cryptographic proof of the earliest possible moment it was sealed.
- Information was not electronically signed before a certain time — a signature can carry proof that it could not have been applied before a certain date, closing a gap that has long undermined the value of digital signatures in courts.
These three guarantees — No Early Reading, No Late Denials, No Backdating — support human rights, democracy, journalism, and business. They are complementary to ordinary encryption.
NBT focusses on why people want to time-lock information like this, knowing that the technical details of how are mostly solved already.
A New Kind of Certainty
Very occasionally, a new kind of certainty is invented.
For example, reliable timekeeping gave sailors a way to know where they were on a featureless ocean, and in the centuries since, industrialised society has built itself around the assumption that everyone has access to accurate time. GPS extended the same idea to location: since the 1990s, continuous knowledge of where you are on earth became so important that the European Union built the Galileo satellite system to ensure that access could never be switched off by another country. Radiocarbon dating provided new certainties about the past, so historians could be sure when events happened and in what order, turning legend and guesswork into verifiable chronology. And in the tech field, public-key cryptography as used since the 1990s gave individuals the ability to communicate privately with a stranger without any prior relationship.
Each of these was a new kind of certainty that affected society strongly. NBT adds another certainty: the ability to connect any piece of information, digital or physical, to time, with strong cryptographic guarantees and no dependence on any single authority.
The underlying mathematics is not new, and the technology is ready to be deployed as public infrastructure. In 2026 the concerns of digital sovereignty for both individuals and nations suggest the time is right.
Who Needs This, and Why Now?
Journalists and Whistleblowers need NBT
A source needs to release damaging information, but not yet — perhaps while she is still in a position to escape, or before a legal embargo lifts, or to coordinate release across a hundred newsrooms simultaneously. She can encrypt her document using the NBT public key corresponding to a future date and distribute it freely, even publicly. The act of distribution is itself observable — a source with strong anonymity requirements should use an anonymous distribution layer — but nobody can read the document before that moment arrives, and nobody can later claim she back-dated the release.
This use case has grown significantly more urgent since 2023. Governments in the United Kingdom, the United States, and across the European Union have renewed pressure on technology companies to weaken encryption or provide backdoors. Any system that depends on a single company holding secrets is now a target. NBT, by distributing trust across mutually mistrustful parties in multiple jurisdictions, is structurally resistant to this pressure. Closing down the human rights application would require closing down commercial applications simultaneously — a political barrier that single-jurisdiction systems cannot offer.
Authors and Anyone Claiming Priority need NBT
A researcher has a result she isn’t ready to publish. A novelist has a manuscript she believes will be controversial. An inventor has a design. In each case there is a legitimate need to prove, later, that the work existed before a certain date, without revealing the work to anyone.
With NBT, she encrypts her work using the public key corresponding to today’s date and distributes the encrypted file. When the network later releases the key for that time slot, anyone can verify independently that the encrypted file was sealed using a public key that was only valid after today’s NBT timestamp. She cannot have done this yesterday. To prove priority she reveals the original document, which anyone can check against the published ciphertext.
This guarantee has gained a new dimension since the widespread deployment of generative AI from 2022 onwards. NBT proves when encryption occurred, not when content was created — an important distinction, since someone could encrypt old material under a fresh timestamp. But a document encrypted under an NBT timestamp predating a model’s training cutoff cannot have been produced by that model, and if the protocol commits to a content hash inside the encrypted payload, re-encryption of older material becomes detectable. With that protocol design, NBT creation proofs are an increasingly important tool for content provenance and authenticity.
Sealed Bids and Embargoed Announcements need NBT
A construction company wants to accept sealed bids for a new building. If bids are submitted as NBT-locked documents, no bidder can see any competitor’s price, and the procuring organisation cannot be accused of leaking prices from one bidder to another — because nobody can read any bid before the closing date, not even the procurer. This is verifiable and does not require trusting the procurer.
A company wants to make a major market announcement simultaneously in every timezone. An embargoed NBT-locked press release is distributed to journalists around the world days in advance. The embargo cannot be broken — not by a hack, not by a determined editor, not by any means — because the decryption key does not yet exist. When the embargo expires, it becomes readable everywhere at once.
Scheduled Payments and Legal Instruments need NBT
The ability to create a document that becomes readable, and therefore actionable, at a specific future time has applications in wills, deferred payments, conditional disclosures, and time-limited legal obligations. An NBT-locked document requires no single trusted custodian and cannot be opened early by anyone.
How It Works for Everyone
NBT is a public broadcast clock that works for information. It is open to all regardless of nationality or affiliation, and the value is in what people build on top of it rather than in the NBT infrastructure.
Imagine that a group of organisations holds a safe. The organisations are drawn from different countries and institutions who do not trust one another but who have agreed to cooperate. Inside the safe is a long list of keys, one for every half-hour slot from now until some date in the future. Every half hour, they all agree to take out the key for that slot and broadcast it publicly to the world. Once a key is broadcast, it cannot be recalled. If they cannot agree, the key is not broadcast.
Before any of this, anyone can obtain the corresponding lock for any future slot. Locking a document uses that public lock. Opening the document requires the key that will only be broadcast when the time arrives.
Nobody can open the document early because the key genuinely does not exist in usable form until that moment — it is held in pieces, distributed among parties who do not trust each other and will not combine their pieces before the scheduled time.
This is the essence of NBT. The mathematics that makes it work is decades-old and trusted by the entire computing industry. The novelty is in deploying it as public infrastructure, and in the three distinct guarantees it makes. This describes one approach; alternatives exist that avoid a pre-generated key schedule entirely — see the Technical Appendix.
The Three Guarantees in Plain Terms
No Early Reading. An encrypted document cannot be decrypted before the scheduled time. This is true regardless of who holds the document, how powerful their computers are, or how much they want to read it. Under the threshold construction, the key simply does not exist in combined form until the time arrives. The guarantee depends on the beacon network continuing to operate — if the network fails, the key is never released and the document remains sealed indefinitely.
No Late Denials. A document signed using NBT carries proof that it could not have been signed before the NBT timestamp. The signature is anchored to real time in a way that is independently verifiable. Centralised timestamp authorities already offer this service, but their guarantees depend on trusting a single organisation; NBT replaces that contractual trust with cryptographic trust distributed across jurisdictions.
No Backdating. When a document is encrypted at a given NBT timestamp, this proves that the encryption occurred after that timestamp — the document could not have been sealed before the corresponding public key existed. The proof is independent of anything the document’s author says or does later. (NBT cannot verify whether the content is truthful or when it was originally created, only the timing of the encryption.)
Why Now, and Why This Approach?
The concept of time-locked encryption has existed in academic literature since the mid-1990s. Production-quality implementations now exist — notably the [tlock](docs.drand.love/docs/timelock-encryption) system operated by the League of Entropy, a consortium of organisations including Cloudflare, Protocol Labs, and EPFL. These implementations are evidence the technology is viable.
What does not yet exist is:
- A quantum-resistant implementation designed for long-duration locks. Current production systems, including the League of Entropy’s, rely on cryptographic schemes that would not survive a sufficiently powerful quantum computer. This matters enormously for documents intended to remain sealed for decades, and the system needs to be designed with this in mind before it becomes a practical concern.
- A governance and standardisation framework that gives the system standing in law, in regulatory contexts, and in international commerce. The League of Entropy has an operational governance model, but it was designed for randomness generation and carries no legal standing as a timestamping authority. A working demonstration is not the same as a standard.
- Integration into the tools ordinary people already use. The tlock system has seen experimental use in vulnerability disclosure and blockchain applications, but it remains a command-line tool. The modifications to LibreOffice, email clients, and file managers that would make NBT available to a journalist, a solicitor, or a small business owner have not been built.
- A specific application to the AI content provenance problem, which did not exist in its current form when the first implementations appeared and which has since become a serious information-integrity problem.
NBT’s contribution is not a new algorithm. It is the synthesis of timed-release encryption, verifiable timed signatures, and post-quantum cryptography into a public utility framework, with the governance, standardisation, and end-user integration needed to make it real infrastructure. The work is to build on what exists, fill what remains, and bring the result to the scale and accessibility of a public service.
Why Hasn’t This Happened Already?
Trusted timestamping already exists. RFC 3161, standardised in 2001, defines timestamp guarantees, and commercial Timestamp Authorities have operated for two decades. The ecosystem around it is substantial: ISO/IEC 18014 standardises timestamping services internationally, and ETSI TS 101 733 (CAdES) provides a legally binding electronic signature framework with timestamp support across the EU. Any new proposal must reckon with this institutional weight. But the guarantees these standards provide are contractual, not cryptographic: a TSA operating under a secret legal order can silently undermine the attestations it issues. NBT’s distributed architecture makes this impossible by construction.
The League of Entropy solved the hard technical problem — for developers. The tlock system is production-quality time-locked encryption running on a multi-jurisdictional threshold network. It hasn’t become public infrastructure because it has no integration into software ordinary people use, no governance framework giving its attestations legal standing, and no plan for cryptographic longevity.
Three things have changed since tlock launched. Generative AI has created a forgery problem that forensic approaches cannot reliably solve, and NBT offers a cryptographic guarantee where every alternative offers only statistics. Centralised trust has visibly failed — backdoor demands, secret legal orders, and jurisdictional fragmentation have made the case for distributed trust obvious to non-technical audiences. And the 2024 NIST post-quantum standards and advances in ceremony-free cryptographic constructions together close the two hardest open problems: long-term durability and the integrity of the initial key generation.
NBT hasn’t happened because the people with the institutional access to deploy it haven’t felt sufficient urgency. That has changed.
The Governance Problem
The implementation checklist looks straightforward: deploy nodes, write some plugins, draft an RFC. The governance is harder than all of these combined, and it is the reason trusted timestamping has never become universal infrastructure despite two decades of working technology.
If a key release fails — because nodes go dark, disagree, or are legally compelled to withhold — who bears responsibility to the parties who relied on the guarantee? A journalist whose timed release misfires, or a sealed bid that cannot be opened, needs a remedy. No cryptographic protocol provides one.
A threshold architecture distributes trust but does not eliminate it. A sufficiently determined government can approach node operators individually. The League of Entropy’s current arrangement has no binding legal framework governing how operators must respond to such orders, or whether they must disclose them. For NBT to have standing in courts and regulatory contexts, the operating agreement needs to address this — ideally by distributing nodes across jurisdictions where conflicting legal obligations make coordinated compulsion structurally implausible.
A 25-year key schedule outlives organisations. The operating agreement needs to specify what happens when a node operator dissolves, is acquired, changes jurisdiction, or loses interest. There is no cryptographic solution to an organisation ceasing to exist.
The League of Entropy is the natural template, and its operational experience is valuable. But it was designed for randomness generation, not for producing attestations with legal standing. Adapting it for NBT means negotiating a binding multilateral agreement — closer in character to a treaty than a terms-of-service — between organisations with different legal systems, different risk appetites, and different relationships with their respective governments. Governance is the primary deliverable, with the technical implementation following from it.
Next steps
The requirements are:
- A production deployment of an NBT node network with formal governance, jurisdiction diversity, and a legally defensible operating agreement between participating organisations.
- End-user software integrations — beginning with LibreOffice, Thunderbird, and a browser plugin — that make NBT accessible without any technical knowledge.
- A foundational cryptographic design decision on the construction (IBE, VDF, or hybrid), which should be the first technical deliverable.
- A pilot programme with at least two high-value use-case communities: investigative journalism organisations and legal professionals in sealed-bid procurement.
- An RFC-type standardisation proposal covering the NBT data format, key distribution protocol, and the three guarantee types.
The construction choice in item 3 determines the trust model, the governance architecture, and the quantum risk profile. Whether to use an IBE-based construction (as tlock does), a VDF-based ceremony-free construction, or a hybrid must be informed by the NIST post-quantum standards finalised in 2024. Everything else follows from it.
The base broadcast infrastructure should not carry a direct commercial model, because restricting access would undermine both the human rights and the commercial use cases. The value is in the applications built on top of it. Demonstrating that value through real deployments in journalism and law will attract the commercial application investment that follows.
If you want to contribute to experiments and refinements of this work I’d be delighted to hear from you.
Technical Appendix
This appendix is intended for cryptographers, engineers, and technically informed funders. It assumes familiarity with public-key cryptography.
A.1 Two Approaches to Time-Locked Encryption
The academic literature distinguishes two approaches to making information inaccessible until a future time. NBT belongs to the first category; the second is described here for completeness and because a well-informed NBT proposal must know when each is appropriate.
Server-based Timed-Release Encryption (TRE) requires a trusted network that holds (shares of) private keys and releases them at scheduled times. Decryption is computationally trivial for the recipient once the key is released. Trust is managed by distributing key shares across mutually mistrustful parties. This is the approach described in this document. The foundational academic treatment is Rivest, Shamir and Wagner (1996), and the most complete modern construction is Liu, Jager, Kakvi and Warinschi (2018), “How to Build Time-Lock Encryption”.
Verifiable Delay Functions (VDFs) require no trusted server. A VDF is a function that requires a specified number of sequential steps to evaluate — no amount of parallelism speeds it up — and whose output can be verified quickly by anyone. The recipient simply performs the computation; time itself is the lock. VDFs were formalised by Boneh, Bonneau, Bünz and Fisch (2018). They are actively used in blockchain contexts for randomness generation and anti-manipulation properties.
Choosing between them: TRE is appropriate when recipients have constrained computational resources, when short time horizons make VDF computation impractical, or when decryption must happen simultaneously for many parties. VDFs are appropriate when complete trustlessness is the paramount requirement and the receiver can afford sequential computation. For a public broadcast infrastructure with ordinary-user accessibility as a goal, TRE is the natural starting point, but VDFs deserve consideration for specific applications where trustlessness outweighs convenience. A hybrid construction — VDF-based key generation with IBE-style encryption for end users — may offer the trustlessness of VDFs without requiring recipients to perform sequential computation. This is an active area and the choice of construction should not be treated as settled.
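The sequential-computation lock described above can be seen in the repeated-squaring puzzle of Rivest, Shamir and Wagner (1996). This is an added example, not code from NBT, drand or any cited paper: the primes, base, function names and XOR keystream are constructed for illustration and are far too small and simple for real use.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes and a fixed base.
# A real puzzle needs secret, randomly generated primes of 1024 bits or more.
P = 2**107 - 1
Q = 2**127 - 1
BASE = 3


def _keystream(answer: int, length: int) -> bytes:
    """Stretch the puzzle answer into `length` bytes (SHA-256, counter mode)."""
    seed = answer.to_bytes((answer.bit_length() + 7) // 8 or 1, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def seal(message: bytes, squarings: int) -> dict:
    """Creator side. Knowing p and q gives phi(n), so BASE^(2^t) mod n costs
    two modular exponentiations instead of t sequential squarings."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    exponent = pow(2, squarings, phi)   # 2^t reduced modulo phi(n)
    answer = pow(BASE, exponent, n)     # equals BASE^(2^t) mod n (Euler)
    return {
        "n": n,
        "base": BASE,
        "t": squarings,
        "ciphertext": _xor(message, _keystream(answer, len(message))),
    }


def solve(puzzle: dict) -> int:
    """Solver side. Without the factors of n, every squaring needs the
    result of the previous one, so extra processors do not help."""
    x = puzzle["base"] % puzzle["n"]
    for _ in range(puzzle["t"]):
        x = x * x % puzzle["n"]
    return x


def open_sealed(puzzle: dict) -> bytes:
    """Do the sequential work, then strip the keystream."""
    answer = solve(puzzle)
    return _xor(puzzle["ciphertext"], _keystream(answer, len(puzzle["ciphertext"])))


# Note: this is a time-lock puzzle, not a complete VDF. Checking a claimed
# answer here means redoing the work or knowing p and q; a VDF adds a short
# proof that anyone can verify quickly.

if __name__ == "__main__":
    sealed = seal(b"constructed sample bid: 1,250,000 EUR", squarings=20_000)
    print(open_sealed(sealed))
```

The delay is set by `squarings` and the solver's hardware speed, not by a wall clock, which is why this approach suits applications that can tolerate an approximate opening time.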
A NIST overview of both approaches was presented at the Special Topics on Privacy and Public Auditability event, January 2025.
A.2 The Trust Problem and Its Solution
The fundamental obstacle to server-based TRE is keeping the list of future private keys secret until the moment of their release, while convincing users that no single actor has illicit access to them.
The solution is Shamir’s Secret Sharing (SSS), a secure multiparty computation algorithm with decades of analysis behind it. Each private key is split into n shares distributed across n parties such that any k of the n shares suffice to reconstruct the key, but any collection of fewer than k shares reveals nothing about the key. If the n parties are from different countries and institutions with no incentive to collude, the trust problem is reduced to a game-theoretic question rather than a cryptographic one.
The most complete recent theoretical treatment of this construction applied to timed-release encryption is Zhou et al., “Multiple Time Servers Timed-Release Encryption Based on Shamir Secret Sharing” (2023).
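The k-of-n property described in A.2, worked through for one slot key split 3-of-5. This is an added example, not NBT or drand code: the field prime, function names and sample key are assumptions, and a single dealer performs the split here for simplicity.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold a
# 256-bit key as a single field element.
PRIME = 2**521 - 1


def split(secret: int, k: int, n: int) -> list:
    """Split `secret` into n shares so that any k of them reconstruct it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate(points: list, at: int = 0) -> int:
    """Lagrange interpolation over GF(PRIME), evaluated at `at`."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct(shares: list) -> int:
    """Combine shares: the secret is the polynomial's value at x = 0."""
    return interpolate(shares, at=0)


def missing_share_for_guess(known: list, guess: int, x: int) -> tuple:
    """Given k-1 real shares and ANY guessed secret, return the share at
    index x that would make the guess correct. Because such a share exists
    for every guess, k-1 shares rule out no candidate secret."""
    return (x, interpolate([(0, guess)] + known, at=x))


if __name__ == "__main__":
    slot_key = int.from_bytes(bytes(range(32)), "big")   # constructed sample key
    shares = split(slot_key, k=3, n=5)
    print(reconstruct(shares[:3]) == slot_key)   # three operators: key recovered
    print(reconstruct(shares[:2]) == slot_key)   # two operators: wrong value
    forged = missing_share_for_guess(shares[:2], guess=42, x=3)
    print(reconstruct(shares[:2] + [forged]))    # two shares fit the guess 42 too
```

The same arithmetic is why the threshold collusion case in A.7 is a governance matter: once k operators pool their shares, `reconstruct` succeeds regardless of the clock.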
This analysis assumes the IBE/threshold construction used by tlock. A ceremony-free construction based on VDFs changes the trust problem: instead of “can we trust the key generation event,” it becomes “can we trust that the delay function is sequential.” These are different questions with different governance implications, and the choice between them is part of the foundational design decision described in A.1 and A.5.
A.3 The Existing Production Implementation
The drand project, developed by Randamu and operated by the League of Entropy — a consortium including Cloudflare, Protocol Labs, EPFL, Kudelski Security, the University of Chile, and others — has been running a distributed randomness beacon since 2019, with the production network launching in 2020. Since 2023 it has supported timelock encryption on its mainnet via tlock, a scheme using Identity-Based Encryption (IBE) over BLS12-381 elliptic curves combined with threshold BLS signatures.
The tlock scheme was independently audited by Kudelski Security. Implementations exist in Go, TypeScript, and Rust. A browser-based demo (Timevault) is publicly accessible.
The quicknet network operates at a 3-second beacon frequency across a consortium growing from its 23 nodes in October 2023. The threshold is set such that the system is secure unless a majority of those organisations collude.
Limitation: The drand/tlock system is not quantum-resistant. The IBE scheme (Boneh-Franklin 2001) and the BLS signature scheme are both vulnerable to a sufficiently powerful quantum computer. The drand team is explicit about this. This is the most significant open engineering problem for any TRE system intended to protect information for decades, as NBT must.
A.4 The Three Guarantees — Technical Statement
Guarantee 1: No Early Reading (Time-Locked Confidentiality)
A sender encrypts plaintext M under the public key pk_t corresponding to future time t. The corresponding private key sk_t is not released until time t passes. Under the security assumptions of the IBE scheme, no computationally bounded adversary can recover M before time t.
The formal security model requires care: an adversary may try to “put the clock forward” by corrupting threshold participants, so the security proof must account for adversarial time manipulation. This is addressed in Liu et al. (2018) and in the drand protocol’s treatment of equivocation.
Guarantee 2: No Late Denials (Verifiable Timed Signatures)
An ordinary digital signature carries a claimed timestamp that the signer chose. A timed signature, by contrast, incorporates a commitment to a future NBT public key at the time of signing, such that the validity of the signature can only be verified after the NBT network releases the private key for that time slot. This cryptographically binds the signature to real-world time in a way that is externally verifiable. This means timed signatures cannot be verified in real time — verification becomes possible only after the corresponding key is released.
The most directly relevant technical work is Thyagarajan, Bhat, Malavolta, Döttling, Kate and Schröder, “Verifiable Timed Signatures Made Practical” (2020). This paper gives a complete construction and security proof and should be the primary technical reference for this guarantee in any NBT standardisation effort.
The existing RFC 3161 Trusted Timestamping standard provides a weaker version of this guarantee using a single Timestamp Authority. NBT’s distributed approach eliminates the single point of trust. See RFC 3161.
Guarantee 3: No Backdating (Proof of Earliest Possible Creation)
This is the guarantee with the least prior academic treatment and the most novel application potential in NBT. Non-custodial existence proofs already exist — blockchain-anchored timestamps such as OpenTimestamps can prove a document existed at a given time without trusting a central authority — but they do not provide confidentiality. NBT combines the existence proof with secrecy: the document is sealed until the scheduled time. When a document is encrypted under a given NBT public key, this proves that the document existed and was in the encryptor’s possession at the time of the NBT timestamp corresponding to that key — since the public key schedule is fixed and publicly auditable, and no legitimate public key for that timestamp existed before it.
Two qualifications:
- This proves that the encryption occurred after the given timestamp. It does not prove that the content of the document was created at that time. An encryptor could encrypt a document created years earlier and claim the NBT timestamp as a creation date. Protocols that depend on Guarantee 3 for content provenance need to be designed with this limitation in mind, typically by including a hash of the document and a statement of creation date within the encrypted payload.
- The guarantee depends on the integrity of the NBT public key schedule. If the key schedule were compromised at generation time, false timestamps could in principle be created. This reinforces the importance of the key generation process and the distribution of private key shares.
The AI content provenance application of this guarantee is unexplored in the academic literature and represents a productive area for new work. A document encrypted under an NBT key whose timestamp predates the training cutoff of a given generative AI model cannot have been produced by that model. This is a useful forensic property, though the protocol needs to prevent an attacker from encrypting old content under a fresh timestamp and claiming it as new.
The principal existing approach to content provenance is the C2PA (Coalition for Content Provenance and Authenticity) standard, which uses metadata manifests and cryptographic hashes to record the origin and editing history of digital content. C2PA is more comprehensive for tracking how content was produced and modified, but its guarantees depend on the signing infrastructure and can be stripped from a file. NBT offers something different: a proof of time that is independent of any metadata chain. A C2PA manifest says who made this and how; an NBT timestamp says this existed before a given moment. The two are complementary rather than competing.
A.5 The Quantum Resistance Problem
The NIST post-quantum cryptography standardisation process concluded in August 2024 with the publication of three initial standards: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for stateless hash-based signatures.
The specific challenge for NBT is that the key schedule — the pre-generated list of public keys — must be designed once and remain secure for the intended lifetime of the system. A 25-year key schedule generated today using BLS12-381 would be vulnerable if a cryptographically relevant quantum computer becomes available within that window. Expert estimates suggest this is plausible within 15 years at even odds — the Global Risk Institute’s 2024 Quantum Threat Timeline Report, surveying 32 experts, places the median estimate for a cryptographically relevant quantum computer at under 15 years, with some estimates considerably shorter. A construction that avoids a master secret — using VDFs or hash-based schemes instead of IBE — sidesteps part of this problem, since there is no long-lived secret to protect against a future quantum adversary, only the hardness of the underlying delay function.
No publicly available post-quantum TRE scheme suitable for NBT’s server-based architecture has been standardised. Active research directions include:
- Time-Lock Puzzles from Lattices (Agrawal, Malavolta and Zhang, CRYPTO 2024), which gives the first VDF-style construction based on lattice assumptions, relevant to the trustless paradigm.
- Isogeny-based VDF constructions, which may eventually offer post-quantum delay properties, though these remain less mature. See Chavez-Saab, Rodriguez-Henriquez and Tibouchi (2021).
- Using SLH-DSA (FIPS 205) hash-based signatures for the key schedule itself, providing quantum-resistant authentication of key release events even if the encryption layer is not yet fully quantum-resistant.
No production-ready post-quantum TRE scheme exists today for either the server-based or VDF-based architecture. NBT’s long-term promise depends on cryptography that is currently at the research stage, not just on governance and engineering. A credible NBT proposal for 2026 onwards should include a post-quantum design review as a first-phase deliverable, producing a recommended cryptographic suite and a migration path from current BLS-based implementations.
A.6 Standardisation Status and Needed Work
The concept is not standardised. The following work is needed for NBT to reach the status of reliable public infrastructure:
Theoretical work: A paper narrowing the field of applicable schemes to the minimum required for a practical NBT deployment: specifying encryption scheme, threshold signature scheme, key distribution protocol, and time format. The Zhou et al. (2023) paper is the closest existing work. A companion paper addressing post-quantum requirements would follow.
Standards work:
- An RFC or RFC-style definition of the NBT data types, including the format of an NBT-locked document, an NBT creation-proof, and an NBT timed signature.
- An RFC-style definition of the protocols for: (a) threshold nodes that hold partial key shares, (b) key release broadcast, and (c) end-user clients that encrypt and decrypt.
Implementation work:
- Integration into LibreOffice (File → Export as NBT-Locked PDF).
- A Thunderbird plugin for NBT-locked email.
- A browser extension for NBT verification of web-distributed documents.
- An NBT virtual printer for Linux, Android, and Windows.
Governance work:
- A formal operating agreement for a multi-jurisdictional node network, modelled on the League of Entropy’s arrangements but with additional legal standing for use in evidence.
- A key generation protocol — whether ceremony-based or ceremony-free — with formal security analysis, following established best practices for verifiable key generation.
A.7 Threat Model
Threshold collusion. If k or more node operators collude, they can reconstruct any private key ahead of schedule. The defence is jurisdictional and institutional diversity — making collusion politically implausible rather than cryptographically impossible. The selection of k, n, and the node operators are governance decisions with direct security consequences.
Legal compulsion. A government with jurisdiction over k or more operators can achieve the same result without operator cooperation. Jurisdiction diversity is imperfect: operators in different countries may face coordinated pressure, and secret legal orders may prevent disclosure.
Key generation compromise. For IBE-based constructions, a compromised key generation event breaks all subsequent guarantees silently and permanently. This is the strongest argument for ceremony-free constructions.
Timing attacks. An adversary who can observe when encrypted documents are submitted can infer information about their contents, particularly if submission timing correlates with real-world events. NBT provides no traffic analysis protection.
Content vs. encryption timing. NBT proves when encryption occurred, not when content was created. Protocols relying on No Backdating for content provenance must commit to a content hash and creation-date statement inside the encrypted payload.
Post-release confidentiality. Once a private key is broadcast it cannot be recalled. NBT-locked documents offer confidentiality before the release time, not after it.
Beacon availability. NBT’s value depends on the beacon operating reliably for decades. A network partition, funding collapse, or loss of infrastructure dependencies (cloud providers, DNS) could prevent key release at the scheduled time — breaking the No Early Reading guarantee not by early disclosure but by indefinite deferral. This is a liveness problem distinct from the safety problems above, and the governance framework must address it through redundancy, funding commitments, and succession planning.
A.8 Selected References
Foundational
- Rivest, Shamir and Wagner — “Time-Lock Puzzles and Timed-Release Crypto” (1996)
- Liu, Jager, Kakvi and Warinschi — “How to Build Time-Lock Encryption” (2018)
- Shamir — “How to Share a Secret” (1979)
Threshold and Distributed Trust
- Zhou et al. — “Multiple Time Servers Timed-Release Encryption Based on Shamir Secret Sharing” (2023)
- Drand / League of Entropy — tlock scheme documentation
- Kudelski Security — tlock security assessment (2023)
Timed Signatures
- Thyagarajan et al. — “Verifiable Timed Signatures Made Practical” (2020)
- Boneh and Naor — “Timed Commitments” (CRYPTO 2000)
- RFC 3161 — Internet X.509 PKI Timestamp Protocol
Verifiable Delay Functions
- Boneh, Bonneau, Bünz and Fisch — “Verifiable Delay Functions” (2018)
- Wesolowski — “Efficient Verifiable Delay Functions” (2018)
- Biryukov et al. — “Cryptanalysis of Algebraic Verifiable Delay Functions” (CRYPTO 2024)
Post-Quantum
- NIST FIPS 203 — ML-KEM (2024)
- NIST FIPS 204 — ML-DSA (2024)
- NIST FIPS 205 — SLH-DSA (2024)
- Agrawal, Malavolta and Zhang — “Time-Lock Puzzles from Lattices” (CRYPTO 2024)
- Chavez-Saab, Rodriguez-Henriquez and Tibouchi — “Verifiable Isogeny Walks: Towards an Isogeny-based Post-Quantum VDF” (2021)
Standardisation and Context
- NIST STPPA7 — “Timelock Encryption: an Overview and Retrospective” (January 2025)
- ISO/IEC 18014 — Time-Stamping Services (2008, amended 2025)
- ETSI TS 101 733 — CMS Advanced Electronic Signatures (CAdES)
- C2PA — Coalition for Content Provenance and Authenticity Technical Specification
- RFC 3339 — Date and Time on the Internet: Timestamps
- Wikipedia — Public-key cryptography
- Wikipedia — Shamir’s Secret Sharing