It has become such an annual exercise for the press to jump on a Satoshi sighting that it is almost an ordinary event. What is extraordinary is when a previously attempted and debunked contender emerges with, yet again, unconvincing "proof."
Today, BBC, The Economist, NPR and a slew of respectable media outlets are running with the story that Craig Wright, a beleaguered Australian entrepreneur with tax troubles, is Satoshi Nakamoto. The bulk of the story rests on two factors: a post by Craig Wright wherein he strongly insinuates signing a message by Sartre, and a post by Gavin Andresen where Gavin claims that he is convinced of Craig Wright's authenticity as the Father of Bitcoin.
This is not the first time Craig Wright has emerged on the scene as a self-proclaimed Satoshi. In response to the last time Wright made his claim back in December 2015, I wrote this piece saying that the claims were not credible. And Greg Maxwell debunked his claims to the purported Satoshi keys, saying that the keys Wright presented could not have been produced by GnuPG on the date they were claimed to have been produced. Craig Wright then resurfaced, this time accompanied by an anonymously authored paper, but written in his inimitable style, arguing that a patched-up version of GnuPG could have had access to that specific ciphersuite on that date.
And now, we have the Craig Wright post and the attestation by Gavin Andresen.
I remain firm that the evidence we have seen is nowhere near convincing.
We have yet to see proper, independently verifiable cryptographic proof. Even with cryptographic proof, there's still the possibility that the real Satoshi's keys may have been compromised, reverse-engineered or handed over by Satoshi to Craig Wright.
So a reasonable question is: what would it take to make a credible claim to be Satoshi Nakamoto at this point in time?
As a result of the increase in bitcoin's value and the publicity around Satoshi Nakamoto's identity, the standard of proof is fairly high. Yet the criteria I'm about to lay out should be very easy to achieve for the true Satoshi Nakamoto.
Satoshi claims need to be accompanied by "multi-factor authentication," that is, multiple, independently verifiable pieces of evidence, tied together by a credible narrative.
At a minimum, a convincing proof requires the following items:
But the standard of proof isn't uniform for everyone -- people with a past history have some explaining to do, and I might be willing to waive #3 and lower the bar for #4 for some, or raise them even higher for Craig Wright given his past and current attempts to mislead.
So, let me debunk what has been provided so far, and provide some explanations for what we may be seeing.
Craig Wright has so far provided proof of possession of a PGP key, of a private key for an address that appears in block #9, and a complex backstory.
For proof, we should accept none other than the coinbase key for the Genesis block.
The easiest public proof the real Satoshi can provide is to move the funds from this address.
Instead, we saw a series of confusing screenshots, directing the reader towards believing that a particular passage from Sartre was signed with a key belonging to an address mentioned on block #9.
The post is thoroughly misleading, if not fraudulent. The Internet has effectively crowdsourced the verification of this claim, and discovered that Craig Wright did not sign that passage from Sartre. Instead, he either swapped the file, or used a doctored hash function, to create a hash value that is identical to one that was previously used by Satoshi. This is known as a replay attack: he essentially showed us a good file, and then a good signature that verifies as Satoshi's, but the good signature is not over that good file. It's just a signature that was lifted from a transaction that Satoshi signed back on January 12, 2009. This is the kind of elementary sleight of hand you'd expect a masters student who has studied crypto to try to pull.
I challenge Craig Wright to sign a unique message with the key named in the Genesis block, and to reveal the signature to the public. I suggest the string "Experts doubt Craig Wright's claim to be Satoshi." It's not hard, for the real Satoshi.
For proof, we should accept none other than Satoshi's original key. It is trivial to generate a key with anyone else's email address in it. It is trivial to generate a key with a back-date on it. It is perhaps non-trivial but nevertheless possible to compromise a key server and modify the keyserver's own internal record of when the key was inserted. We need the keyserver's records vetted by keyserver archives.
We need a key that is known to be in the keyservers, with Satoshi's email address, during the early days of Bitcoin. Only a single key fits the bill. And we need a key other than one found in the blockchain, as the keys generated for the blockchain may suffer from a common weakness. The second factor ensures that the claimant has not just compromised a coinbase key, but also has access to Satoshi's PGP keyring as well.
Instead, we saw, back in December 2015, Craig Wright use a key that bears Satoshi's email address with an early date, but (a) was inserted into key servers after 2011, and (b) was issued by GnuPG with ciphersuites that were not available in standard GnuPG at the claimed date on the key. Sarah Jeong's post sums up the case against the keys.
Perhaps a souped up version of GnuPG could have generated those cipher suites on that date, but the last thing I'm going to trust when it comes to GnuPG's historical abilities is a rambling, unsigned document. That paper is clearly written in Craig Wright's style, and I didn't spend too much time on it, partly because it is unsigned, partly because it is too incoherent, but mostly because if there was real substance, it could be stated succinctly. The Bitcoin whitepaper does not ramble on. And even if the key could have been created by GnuPG at the time claimed in the key, it was not inserted into keyservers, and consequently carries no weight in my eyes.
Just the fact that Craig Wright pushed that key as evidence makes his motives suspect, and raises the bar for all future claims by him.
I challenge Craig Wright to sign with Satoshi's email key. It's not hard, for the real Satoshi.
It is, in general, impossible to falsify that "persona Z is person A" when persona Z is identified by online credentials, such as keys. Anyone could have gained access to those credentials, and is thus indistinguishable from the true deserving person who created persona Z. Further, person A might be deliberately fronting for person B, who wishes to remain anonymous.
There is no way to rule out such claims, except by making it very expensive for person B to lend credibility to person A. In the case of Bitcoin, a simple way to do this is to ask that person A prove his/her access to the funds that belong to persona Z. Any substantial stake would lend weight to the claim; the more incredible the claimant, the higher the required stake. Just spending the coins, or moving them, is not difficult for the real Satoshi.
For definitive identification, we need a proper story that explains the stream of forged or faked evidence we have seen emerge from this case. In particular, Craig Wright needs to explain every other debunked claim he made in the past. This is not difficult for the real Satoshi.
There still exist huge discrepancies between Craig Wright and the Satoshi Nakamoto writings in the historical record.
First of all, on the superficial but easily checkable side, the writing styles of Craig Wright and Satoshi Nakamoto are nothing alike. Who wrote the Bitcoin white paper? If David Kleiman is the coder and Craig is the intellectual father of Bitcoin, shouldn't Craig's writing style match Satoshi's? What happened to the well-structured, concise prose style of Satoshi?
Second, on the deeper side, when Ittay Eyal and I discovered the biggest known shortcoming of Bitcoin's mining algorithm, known as Selfish Mining, Wright's response fell far short of what one would expect from anyone who actually understood how Bitcoin mining works, let alone Satoshi. A masters student would have written a better digest. One would expect the person who innovated on this core to understand Bitcoin mining at a non-superficial level. I'd expect Satoshi to be able to understand the Selfish Mining strategy, which debunked a critical false belief that Satoshi himself had expressed, and established new boundaries for Nakamoto consensus that turn out to be analogous to the boundaries established by Lamport for regular consensus. Why would the system architect fail to grasp the most fundamental result that concerns his creation?
Third, every single thing coming from Craig Wright, including and especially the latest post on his blog, shows him to be someone who spends his time on the command line, using computer security related tools. This is in stark contrast with Satoshi, the programmer behind the 0.1 version of the Bitcoin code. Who wrote the code? If the claim is that the coding was performed by David Kleiman, what exactly was the arrangement with him? Why did he not tap into the proceeds during his ill health? Where are the independently verifiable code samples from Kleiman?
As of right now, the only things that support the case of Craig Wright are in-person accounts. Andresen is a technically sophisticated, trustworthy developer, and he repeated this morning that he has observed Craig Wright sign a document using a key named in the Genesis block.
We should have no doubt that Andresen has seen this happen. So the question is: what could explain it?
There are three possible explanations for what we are seeing, besides the obvious claim:
Craig Wright is indeed Satoshi Nakamoto. If so, providing the kind of proof I outlined above should be trivial. It would remove all doubt about his identity. That this has not happened yet, with simple, independently-verifiable proof, is quite perplexing. The sheer amount of forged evidence stemming from Craig Wright forever taints all future claims from him that I cannot verify personally.
Andresen and others may have been tricked. While Andresen's technical competence is beyond question, anyone can be tricked. Craig Wright's expertise lies in computer security -- I have no doubt that he possesses the skills to infiltrate systems using command-line tools; in fact, having read his publications, I believe that this is his core competency. He may have staged such a feat by exploiting a security vulnerability on the platform that Gavin Andresen used during the demonstration. It is possible to stage such an act, for instance, through a malicious payload on the USB stick used to transfer the signature file from Craig Wright's computer to Gavin Andresen's, by taking advantage of a remote exploit in the freshly installed computer Andresen used, or by selectively fooling the client used in the verification of the signed message by presenting to it an alternative blockchain concocted for this purpose, with modified keys.
Craig Wright may have reverse-engineered some of Satoshi's keys. It is possible that Satoshi used a faulty random number generator and therefore his keys could have been reverse-engineered by someone with enough patience and a large enough cluster. I am not aware of anyone who checked the strength of Satoshi's key generation, so I cannot rule out this possibility. If Craig Wright reverse-engineered any keys, one would expect the real Satoshi to move his funds to new addresses. The fact that this has not happened yet renders this possibility very unlikely, though I'll give it another 48 hours before ruling it out.
Craig Wright may be fronting for Satoshi. It is possible that the real Satoshi has provided Craig Wright with some of his credentials. Such a pact may be beneficial for both: Satoshi would retain his anonymous identity and deflect all attention to Craig Wright, presumably for a fee that covers Craig Wright's tax issues with the authorities and feeds his desire to be known as Satoshi. Craig emerged on the scene with a clearly false claim to Satoshi's crown back in Fall 2015. It would be easy for Satoshi to locate Craig and agree on such a pact, which can never be ruled out definitively, but signatures from keys holding 15% or more of Satoshi's substantial stake in Bitcoin would be sufficient for me.
I'm going with the second bullet point until Craig Wright fulfills the proof criteria outlined above. We could, of course, be getting played by Craig Wright as Satoshi Nakamoto: he could be releasing deliberately misleading and incomplete proofs so as to force reasonable people to take a stand and point out that the proofs are partial and incomplete, a message all too easily confused with "Craig Wright is not Satoshi." He may then release definitive proof later, to create an even bigger splash. Neither I nor any of the other experts are saying "Craig is definitely not Satoshi." We are saying that the proof presented so far is not convincing.
Overall, Proof of Satoshi should not be difficult for Satoshi to provide. Yet we're still at square 1, without an independently-verifiable and credible proof.
We all know of Uri Geller, who charmed a generation with nothing more than slightly bent keys. We have seen professional stage magicians pull off impossible stunts. Fooling computer professionals is not trivial, but it can be done with enough preparation. And Craig Wright has had 6 months to prepare his latest "proof."
The beauty of cryptography is that the evidence can be made public, for all to see. Bitcoin itself is built on this. It's high time for Craig Wright to provide it, in full. Until then, Satoshi remains undiscovered.