Skip to content

Bureau — Blue Team (defensive)

Graviton-Ghost

LIGO publishes gravitational-wave detections at nanosecond precision, and a real detection requires globally-separated observatories agreeing within milliseconds. The detection time is therefore a public, externally-verified timestamp that an earthbound adversary cannot fabricate. 

Posture: 🔵 Blue Team (defensive)   ·   Status: alpha (moonshot)

What it does

When two black holes (or two neutron stars) merge, they emit gravitational waves – ripples in spacetime that propagate at the speed of light. LIGO (Laser Interferometer Gravitational-Wave Observatory) operates four-kilometer-arm interferometers at Hanford, Washington and Livingston, Louisiana. Virgo is the European counterpart near Pisa, Italy. KAGRA is the Japanese one at Kamioka. Together, they publish gravitational-wave detection timestamps to nanosecond precision through the GraceDB low-latency alert pipeline and the GWTC catalog.

The property that makes this useful for cryptography is coincidence: a real gravitational-wave detection requires that at least two globally-separated observatories observe the same waveform within milliseconds. Earthbound parties cannot fabricate a coincident detection across Hanford, Livingston, and Virgo. The detection time is therefore an externally-verified timestamp anchored to public scientific data. Graviton-Ghost cross-references any cryptographic timestamp claim against the LIGO/Virgo catalog: if a log claims time T but contains content that references a LIGO event at time T+1, the timing relationship is inconsistent.

Who would use it

  • A journalist or whistleblower publishing a leak who needs proof that the document existed before a specific cosmic event (and therefore could not have been fabricated after the fact).
  • A court-of-law evidence custodian anchoring a sealed timeline to an un-fakeable external clock as a hedge against state-actor backdating.
  • A scientific-priority claimant (academic, biotech, crypto researcher) establishing that a result existed before a given LIGO event for prior-art purposes.
  • A national-security incident responder verifying that a captured adversary's logs were not retroactively edited after a known cosmic event.
  • An archive-integrity auditor (Wayback Machine, Internet Archive, national libraries) cross-anchoring snapshots to LIGO events for sub-week temporal proof.

What you'll need

  • The Pluck CLI installed (npm i -g @sizls/pluck-cli).
  • For real deployment: a GraceDB / GWTC mirror feed (the alpha uses synthetic stub events). LIGO's catalog is public; mirroring it is straightforward, just deferred.
  • A timestamp claim worth anchoring (a Rekor uuid, a SHA-256 of a document, or a signed blob).

Step-by-step

Shell
pluck bureau graviton-ghost demo

The demo synthesizes two stub LIGO events and four timestamp claims: one valid (claim made AFTER cited LIGO event, window envelopes it correctly), one causal-precedence-violated (claim made BEFORE cited LIGO event but references its content), one fabricated (cites an eventId not in the catalog), and one window-blown (window does not envelope cited event).

graviton-ghost/demo: ingesting 4 TimestampClaims + 2 LigoEvents -> 3 GravitonGhostProofs.
[Bureau/GRAVITON-GHOST] proof=264e0441… kind=causal-precedence-violated
[Bureau/GRAVITON-GHOST] proof=24244ee4… kind=ligo-event-fabricated
[Bureau/GRAVITON-GHOST] proof=502d9c44… kind=timestamp-window-blown

Production CLI (mirror-event to import a GraceDB event, claim to anchor a timestamp, verify to check a published claim) lands in a follow-up.

Run it yourself

Drop this into a Node 18+ project (npm install @sizls/pluck-bureau-graviton-ghost @sizls/pluck-bureau-core tsx). Real LIGO/Virgo catalog ingest is research-required; the example calls the deterministic fetchLigoEvent stub against a known eventId.

TypeScript
// index.ts
import { createHash } from "node:crypto";
import {
  createGravitonGhostSystem,
  fetchLigoEvent,
  fingerprintPrivateKey,
  signCanonicalBody,
} from "@sizls/pluck-bureau-graviton-ghost";
import { generateOperatorKey } from "@sizls/pluck-bureau-core";

const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");
const flush = (n = 80) => new Promise<void>((r) => { let i = 0; const tick = () => (++i >= n ? r() : setImmediate(tick)); setImmediate(tick); });

async function main() {
  const op = generateOperatorKey();
  const opFp = fingerprintPrivateKey(op.privateKeyPem);

  const system = createGravitonGhostSystem({
    signingKey: op.privateKeyPem,
    disablePausePoll: true,
    disableLogging: true,
  });

  const stub = fetchLigoEvent("GW250215_034512");
  if (!stub) throw new Error("stub catalog miss");

  // Mirror the LIGO event.
  const ligoBody = {
    schemaVersion: 1 as const,
    eventId: stub.eventId, integratedTime: stub.integratedTimeISO,
    eventDigest: stub.eventDigest, detectorIds: stub.detectorIds,
    operatorFingerprint: opFp, mirroredAt: "2026-02-15T03:45:13.000Z",
  };
  const ligoEventRecordId = sha256(JSON.stringify(ligoBody));
  const ligoSig = signCanonicalBody({ ...ligoBody, ligoEventRecordId }, op.privateKeyPem);

  // Causal-precedence violation: claim BEFORE the LIGO event but cites its content.
  const claimBody = {
    schemaVersion: 1 as const,
    rekorUuid: "rekor-uuid-causal",
    claimedTime: "2026-02-14T00:00:00.000Z",
    contentDigest: stub.eventDigest,
    citedLigoEventId: stub.eventId,
    operatorFingerprint: opFp,
    signedAt: "2026-02-14T00:00:01.000Z",
  };
  const claimId = sha256(JSON.stringify(claimBody));
  const claimSig = signCanonicalBody({ ...claimBody, claimId }, op.privateKeyPem);

  try {
    system.observeLigoEvent({ ...ligoBody, ligoEventRecordId, signature: ligoSig.signature });
    system.observeClaim({ ...claimBody, claimId, signature: claimSig.signature });
    await flush();
    for (const p of system.facts.proofs()) {
      console.log(`proof kind=${p.kind} id=${p.proofId.slice(0, 16)}`);
    }
  } finally {
    await system.shutdown();
  }
}

main().catch((err) => { console.error(err); process.exit(1); });

Run with tsx index.ts. Expected output:

proof kind=causal-precedence-violated id=…

▶ Open in StackBlitz – runs in your browser, no install required.

What you get

A LigoEvent envelope per mirrored event containing the event id, integrated time, content digest, and contributing detector ids. A TimestampClaim envelope per anchored claim containing the Rekor uuid, claimed time, content digest, optional window endpoints, and optional cited LIGO event id. All Rekor-anchored.

Three classes of proof:

  • causal-precedence-violated – a claim says it was made before a LIGO event's integrated time, but the claim's content digest references the event's content. Impossible – the claimant referenced content that did not yet exist at the claimed time.
  • ligo-event-fabricated – the claim cites an event id that does not appear in the catalog, OR detector co-incidence verification fails (fewer than 2 detectors).
  • timestamp-window-blown – the claim's window endpoints are inverted or envelope the cited event with the wrong temporal direction.

What it can't do

  • Real GraceDB / GWTC catalog ingest is deferredfetchLigoEvent() is deterministic for stub event ids today. Production catalog mirroring (low-latency alerts, GWTC release cadence, KAGRA-O4 joint detections) is research-required.
  • LIGO events are sparse – a few per week during observing runs. For sub-weekly timestamp anchoring, this is the wrong tool. The package proves causal ordering relative to known cosmic events, not absolute wall-clock time.
  • A nation-state-grade adversary that compromises the LIGO data-products pipeline itself escapes detection. Defense is the redundancy of the global detector network – Hanford, Livingston, Virgo, KAGRA – plus the public cross-checks performed by the gravitational-wave research community.
  • Sub-millisecond detector-coincidence-window arithmetic is deferred – alpha enforces only the ≥ 2 detector count.
  • Real Sigstore Rekor notarize integration is stubbed.

A real-world example

In April 2027, an investigative team at Reuters publishes a leaked document concerning a national-security program. The agency disputes the document and asserts that no such version of the program existed in 2024. The leaker had earlier uploaded the document to Pluck Custody on March 12, 2024, and the timestamp claim cited LIGO event GW240312_171506 – a binary black hole merger detected jointly by Hanford, Livingston, and Virgo at 17:15:06 UTC that day. The claim's window envelope is [2024-03-12T17:00:00Z, 2024-03-12T18:00:00Z]. Disputing the document's existence at the claimed time would require fabricating coincident detections across three independent observatories on three continents. The cassette serves as third-party-verifiable corroboration of the document's pre-publication existence.

For developers

Predicate URIs

URIWhat it attests
https://pluck.run/GravitonGhost.LigoEvent/v1LIGO/Virgo event E with integrated time T, content digest D, contributing detectors.
https://pluck.run/GravitonGhost.TimestampClaim/v1Operator O signed a claim with Rekor uuid U, claimedTime T, contentDigest D.
https://pluck.run/GravitonGhost.Proof/v1Class: causal-precedence-violated | ligo-event-fabricated | timestamp-window-blown.

LIGO events are public scientific data – no PII to redact. The TimestampClaim carries content digests + a public Rekor uuid + a wall-clock string.

Programs composed

  • Custody – cryptographic timestamp anchoring (Rekor uuids feed in here).
  • Pluck core's DSSE in-toto envelopes + Sigstore Rekor client.
  • Directive's facts/constraints/resolvers.

Threat model + adversary

Adversary is a state actor or large vendor that wants to backdate a log. Defense is the redundancy of the gravitational-wave detector network – fabricating a coincident detection across three globally-separated observatories is operationally infeasible. The protocol fails against an adversary that compromises the LIGO data-products pipeline itself; the redundancy of the science community's cross-checking is the residual defense.

What's stubbed (alpha – moonshot)

  • Real GraceDB / GWTC-1/2/3 catalog ingest deferred.
  • dsseSign / notarizeAttestation Rekor integration stubbed.
  • Sub-millisecond detector-coincidence-window arithmetic deferred.
  • KAGRA-O4 joint-detection support deferred.

Verify a published cassette

Shell
pluck bureau verify <bundle-dir>
cosign verify-blob --key <pubkey.pem> --signature <sig> \
  --type https://pluck.run/GravitonGhost.TimestampClaim/v1 <body.json>

See also

Edit this page on GitHub
Previous
Cosmic-Drift
Next
Cherenkov-Witness

Ready to build?

Install Pluck and follow the Quick Start guide to wire MCP-first data pipelines into your agents and fleets in minutes.

Get started →