challenging protocol design problem, mathematical?, help wanted 
I have a difficult protocol design problem that I need some suggestions for to explore. Please read the requirements carefully because they are very specific, and leave the "it's impossible" comments at the door, because I *know* that this is a seemingly impossible problem already.
(The problem description is also intentionally generalized and reduced down to its core mathematical problem, to avoid unintentional assumptions.)
I have a distributed protocol. The different parties involved mutually distrust each other. They can each contribute mutations to a shared state log, based on some unspecified authorization algorithm which allows for revoking access of other parties. The parties eventually converge onto an identical view of the state, though temporary partitions may occur.
The problem is that a genuine partition followed by a delayed delivery of mutations, seems indistinguishable from a malicious attempt at subverting an access revocation through backdating of mutations.
In both cases, one or more mutations are received which are dated to a timestamp that was potentially a long time ago, and that may be working off an old version of the state.
There is (currently) no shared clock, and there is a small but non-zero span of time between the most recent accepted mutation from a revoked party, and the actual revocation of their access.
How do I prevent backdating, without losing resilience to partitions?
I'm not necessarily looking for full-blown solutions (though those would be welcome!), but even just pointers on relevant research would be welcome, as long as it is research that accounts for all the properties here: untrusted parties, no shared clock, exploitable timespan before revocation.
re: challenging protocol design problem, mathematical?, help wanted 
@joepie91 that's an interesting problem. Can you expand on "no shared clock" requirement?
I don't think it's possible to distinguish between the two scenarios by definition, but! Assuming you have more peers than two and some vector clock kind of structure is acceptable, it could possibly help with bullshit detection.
E.g. if node B says it did a thing 123 at T-10, but node C previously said it received messages about 121 from B at T-5, that's sus.
So like ugh blockchain but opposite, more like neighborhood watch.
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 especially if "123" is a hash of previous states, so basically every node keeps its own ugh chain of changes that can't be rolled back.
In that case backdating can only be possible if a node did zero communication on the whole network for the whole duration of the supposed partition. So you need to have a whole node dedicated to pulling the stunt once.
Which may or may not be feasible depending on how much there is to gain and lose.
re: challenging protocol design problem, mathematical?, help wanted
@virtulis For the hash thing I have a specific concern: wouldn't this be a problem for *partial* partitions? If node C partitions from node A but not from node B, then node B might have a dfiferent idea about what node C's last mutation was, even though it was a legitimate partition, right?
This could presumably be solved by sharing a *log* of hashes but that seems like it would get pretty bandwidth-intensive pretty quickly.
For the vector clock scenario: that seems like a possibly viable avenue to explore with some modifications (like enforcing sequential submission of mutations from any given server, though that rules out mesh routing of mutations as a resilience improvement), but it does seem pretty complex to implement in a scenario where the set of participants can change significantly over time, and in this scenario it's actually credible that one might burn a node on a single backdating event 😐
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 re partial, the point isn't to know what the last mutation was, but rather that no mutations from that node that supposedly occurred after the backdated one were observed elsewhere on the network (without the backdated one having been seen as well).
Hell, might even require an empty "ping" mutation once a minute or something if you are in contact with other nodes.
So the only way to backdate is to prepare to do it in advance and keep entirely silent. Which, if those authorizations are given manually to specific nodes, should be quite a pain.
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 but yes this means every node keeping and sharing N bytes about every node it's ever seen.
For greater good!
Edit: since the hash is based on body + previous hashes there is no need to share full mutation "body" with every node. Just the list of all the hashes preceding the mutation actually being shared. If it also includes a sequence/timestamp, just knowing one of those should be enough to determine whether a supposedly earlier mutation did exist or not.
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 ah damn, this does create a problem of rogue nodes just making stuff up about others.
re: challenging protocol design problem, mathematical?, help wanted
@virtulis (I'm still looking into your suggestions, by the way, it just takes a while to absorb all of this properly)
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 don't read too much into it, i just saw an interesting question and threw some ideas at you.
I bet Lamport had some thoughts about scenarios like this but I haven't read any of his actual work myself so can't really point more specifically.
re: challenging protocol design problem, mathematical?, help wanted
@joepie91 Oh, I've got a silly alternative questgestion!
Is there any reason not to just apply revocations retroactively? Like, maybe you were authorized when you logged this, maybe not, tough luck either way.
I'm assuming you're not trying to solve the double spend "problem" here 🤣
Sure, the parties won't eventually converge in that case but i think "so what" is a question worth answering.
