Skip to main content

Seven Questions to Make Sense of Craig Wright's Signature Proofs

Technical - Seven Questions to Make Sense of Craig Wright's Signature Proofs

The Australian computer scientist Craig Steven Wright is sending shock waves throughout the Bitcoin world, as he once again claims to be the man who invented Bitcoin.

At the heart of the story, Wright himself published a blog post suggesting he signed a message with one of Satoshi Nakamoto's private keys. And importantly, Wright's claim was backed by Bitcoin-prominents including former lead developer Gavin Andresen and former Bitcoin Foundation director Jon Matonis; both believe to have witnessed Wright sign a message with Satoshi Nakamoto's private key.

Yet, the Bitcoin community remains highly skeptical. The answers to these seven questions explain why.

1. What does it mean to “sign a message”?

The option to sign a message is a feature of public key cryptography, the type of cryptography on which Bitcoin is based.

Public key cryptography makes use of two types of keys: public keys and private keys. Both are really just strings of numbers that correspond through a mathematical formula. But while it is very easy to calculate a public key from a private key, it is practically impossible to calculate a private key from a public key. It's a “one way street."

A private key can also be combined with any other data using a similar mathematical formula. This data could even be text or images; in that case the data is first hashed (“translated”) into a string of numbers (a “hash," or “digest”).

Combining a private key and other data creates a new and unique string of numbers, called a signature. And again, it is easy to calculate a signature from a private key and data, but it is practically impossible to calculate the private key or data from the signature.

And here's where the magic of cryptography kicks in: with only the public key and the data, it's possible to verify whether the signature was created using the corresponding private key. Message signing therefore proves ownership of the specific private key corresponding to a given public key, without needing to reveal that private key.

In Bitcoin's case, signing is typically used to spend bitcoins. The “owner” of a bitcoin signs the hash part of a transaction, as such approving that bitcoins are effectively sent “from” his public key, “to” another public key.

2. What could Wright do to prove he is Satoshi Nakamoto?

That is a tricky question, as the answer differs from one person to the next.

That said, many agree that Wright should at least be able to sign a message using a private key that only Satoshi should posses – which is indeed what Wright and others suggest he has done.

There's really only one private key we know for sure belongs to Satoshi Nakamoto: the private key corresponding to the public key on which the first-ever bitcoins were mined, as embedded in the so-called “Genesis Block." Additionally, there is anecdotal evidence that the private key used for the first-ever typical Bitcoin transaction belongs to Satoshi Nakamoto as well. It's also likely that Satoshi Nakamoto should posses many other private keys included in early Bitcoin blocks, as well as the private key that corresponds to a well-known public key (which is stored on a key server), but all this is harder to establish with the same level of certainty.

So, to prove he is Satoshi Nakamoto, Wright could sign a message using the private key corresponding to the public key from the Genesis block. Or, maybe, corresponding to the first-ever Bitcoin transaction. (Or he could spend bitcoins associated with these addresses; though of course it might be a bit more tricky to prove it was he who moved the coins, and not someone else.)

If done correctly, anyone should be able to verify the results.

It wouldn't really matter what kind of message Wright signs. Though it would help if the message itself identifies Wright as the creator of Bitcoin as well. And it should preferably be done in a controlled setting, so that only those in the room know which message is signed.

The message could for instance read:

“I, Craig Steven Wright, am Satoshi Nakamoto.”

3. Did Wright publish a signature corresponding to a private key only Satoshi should posses?

Technically: yes! (But not in any meaningful way.)

In his blog post, Wright published a signature that corresponds to both a hash (also published in his blog post), as well as to the private key used to make the first Bitcoin transaction.

So far so good.

But what Wright did not mention - and this seems very deceitful - is which data he used to create the hash he supposedly signed. And as it turns out, Wright did not sign a hash of a Jean Paul Sartre text, as he seemed to suggest in his blog post. Nor did he sign a hash of a message identifying himself as the creator of Bitcoin, as suggested above.

Instead, and without disclosing this information, Wright signed a hash of the first Bitcoin transaction--or rather, he claimed to. 

And remember, signing a transaction hash is how Bitcoin transactions are approved. Plus, of course, the signature itself is part of that transaction as well; it was included by Satoshi Nakamoto to approve of the transaction.

The absurdity of the “evidence” needs repeating.

Wright literally re-published a signature created by Satoshi Nakamoto seven years ago, using nothing but information that is already publicly available in Bitcoin's blockchain.

So while Wright technically published a valid Satoshi Nakamoto signature, that doesn't prove he is Satoshi Nakamoto, any more than publishing a signed Babe Ruth baseball card would have proven he is Babe Ruth.

4. Did Wright create any other signatures corresponding to private keys that only Satoshi should possess?

Andresen, Matonis and several journalists claim that Wright, in their presence, signed additional messages with private keys only Satoshi should possess.

So how did that happen?

According to Andresen, and as reported by Wired, Wright is said to have signed the message: “Gavin’s favorite number is eleven,” combined with Wright's initials, “CSW." Wright did this on his own computer, and then loaded the signature on a USB-stick provided by Andresen. This signature was transferred to what Andresen believed to be a newly bought, factory-sealed laptop provided by Wright's assistant. On this computer, they installed Electrum's Bitcoin wallet software, which can be used to sign and verify messages.

The signature as provided by Wright was checked against the message and one of Satoshi's public keys. According to the software (and after a failed attempt that didn't include Wright's initials in the message), the signature checked out.

Unfortunately, Andresen says he was not allowed to take the signature data with him; allegedly Wright feared Andresen would leak it. As such, it is impossible to cryptographically verify any part of this story.

As for Matonis's part of the story, as well as for the other journalists, not as many details are known. But so far none of them have delivered any cryptographic evidence either; and it seems unlikely they will.

5. Did Wright trick Andresen, Matonis and others?

Wright almost certainly attempted to trick readers of his blog post; there seems to be no other rational explanation. This has led many to believe he may have also attempted to trick Andresen, Matonis and the journalists, and did so successfully. Speaking to Wired, Andresen himself, too, acknowledged there is the possibility that Wright “bamboozled” him – though he considers it unlikely.

So how could Wright have possibly tricked Andresen, Matonis and the other journalists?

The easiest way to pull this off might have been the use of fake Electrum software. This fake software could, for instance, have been modified to approve any string of numbers as a valid signature. (Or perhaps any string of numbers as long as the inserted message includes Wright's initials – which fits the story.)

While this is definitely a very speculative explanation, Electrum's logs do suggest that no verification data was downloaded on the day Andresen met Wright. This at least suggests Andresen didn't check if the Electrum software was legit.

So how, then, could Wright have managed to install fake Electrum software on a brand new computer, even though he did this together with Andresen?

As Andresen himself suggested, this could have been done by hacking into the hotel wifi, to host a fake Electrum website with the fake software. Or, perhaps slightly easier, a fake hotel wifi (deceptively named “Hotel Wifi”) could have been set up near their room, to pull off a similar trick.

Or, perhaps the new, factory-sealed laptop was not really new or factory-sealed at all, and only made to look that way.

There are probably other tricks possible. But again this is all speculation.

6. Is anyone else backing Wright's story?


Shortly after Wright's media storm ignited, two more digital currency veterans spoke out to back Wright's claims: R3 architect Ian Grigg, and New Liberty Dollar issuer Joseph Vaughn Perling.

Going into more detail in a blog post, Grigg claims that Wright was part of a small team behind the pseudonym Satoshi Nakamoto, which would have also included the late Dave Kleiman. Grigg also notes that the team suffered much distress throughout the past years, suggesting Wright deserves to be left in peace now.

Perling did not provide much more background information, though his tweets echoed a similar sentiment as Grigg's: Wright – who is the man behind Satoshi Nakamoto – experiences much distress, and deserves some privacy.

As opposed to Andresen and Matonis, however, Grigg and Perling do not claim to have seen cryptographic evidence. Nor have they provided any.

7. So... Is Wright Satoshi Nakamoto or not?

All we know is that no cryptographic proof has been provided so far – worse yet, the only “cryptographic proof” Wright has provided so far is provably deceitful.

However, in Wright's latest blog post, he announced he will move some of Satoshi's coins (which is equivalent to signing a message). Unfortunately, the blog post itself was not signed, nor did it include a signature.

So for now, we can only speculate... and wait.

Thanks to Libbitcoinlead developer Eric Voskuil and BitonicCEO Jouke Hofman for fact checking.