Craig Wright’s ‘Proof’ He Invented Bitcoin Is the ‘Canadian Girlfriend of Cryptographic Signatures’


The grandiose Australian computer scientist Craig Wright, who yesterday announced to the world in a coordinated media campaign that he is Satoshi Nakamoto, the mysterious inventor of Bitcoin, said today that he will move some of the Bitcoin known to belong to Nakamoto “in the coming days.” He had better, because the evidence he has proffered so far is not at all convincing.

Wright spoke with three media outlets for stories published yesterday, but the most salient new point in favor of his contention is that Gavin Andresen, for many years Bitcoin’s lead programmer, and one of the few people on Earth known to have corresponded with the true inventor of Bitcoin (though they never met face to face) professed himself convinced that Wright is the real deal. Likewise John Matonis, a founding director of the Bitcoin Foundation, is 100-percent persuaded of the authenticity of Wright’s claims. Matonis sent out an email on Monday morning to various journalists interested in Bitcoin, with the subject line “HOW I MET SATOSHI,” underscoring his conviction: “I have no doubt that Craig Steven Wright is the person behind the Bitcoin technology.”

But the additional proof of his identity offered online by Wright yesterday morning began immediately to crumble, and was reduced to powder in a matter of hours, throwing even the testimony of Gavin Andresen into doubt.

Both Matonis and Andresen apparently traveled to London to meet Wright in recent weeks, along with various members of the press; Wright submitted himself to some of their questions, and reportedly demonstrated that he could sign a message of Andresen’s choosing — “Gavin’s favorite number is eleven” — using a key known to have belonged to the real Nakamoto. One of Bitcoin’s most useful features is a complete, irrefutable public ledger of every transaction that’s ever occurred since the currency’s launch, in January of 2009, so a number of Nakamoto’s Bitcoin addresses are known, since he was the first person to use the system.

For the purposes of this discussion, an easy way to think of Bitcoin’s public-key encryption is that a public key is like a mailbox at the post office: Anyone can know where your personal mailbox is, but only you can open it, with your own private key. Similarly, anybody could know of Bitcoin addresses and public keys belonging to the real Satoshi Nakamoto, but only he (or a beneficiary, or a thief) has the private keys that could be used to transfer a bit of his known stash of a million or so bitcoins, or to sign an encrypted message.

In order to prove his identity, then, Satoshi Nakamoto would need to transfer some of the early bitcoins we know belong to him, or sign a message using the private key to one or more of those bitcoins. If we were to extend the mailbox metaphor, we might say that he’d need to show us mail that we knew to have been in the mailbox, whether because its existence has been public and known, or because we’d sent it to him.

And here the trouble begins. For in addition to providing private proofs that convinced two very credible Bitcoin experts — Andresen, in particular, being known as a very straight shooter — Wright published a long, ill-written, confusing blog post in which he demonstrated his control over one of Satoshi’s private keys by providing putative evidence that he’d used this key to “sign” a passage written by Jean-Paul Sartre.

Unfortunately for Wright, however, the sages of Hacker News, Reddit, and the Bitcoin forums weren’t about to take that assertion on faith, and within hours they’d discovered that the “proof” Wright offered had simply been copied from an early, genuine transaction of Satoshi’s on the Bitcoin ledger. (Which is the nice thing about having complete, unfalsifiable records!) Rather than encrypt the Sartre passage using Satoshi’s private key, thus demonstrating he had it, Wright had merely fiddled with a bitcoin transaction signed with that key from 2009. Patrick McKenzie, patio11 on github, has a particularly clear explanation of Wright’s deception. It’s clever, but, McKenzie says (and I believe him) that he too could have fooled a non-crypto-expert in a similar manner, with a couple of hours’ preparation. Other experts weighed in on the obvious hoax here, here, here, here, and here.

(The Economist, among all the press organizations involved in this case, is to be commended for asking all the right questions, and for refusing to take what now appears to have been the spurious bait.)

To continue our mailbox metaphor, Wright basically produced an envelope with Satoshi’s address on it, only for experts to discover and announce that the envelope was simply a copy of one already taken out of the mailbox in 2009. As another expert noted, switching metaphorical gears entirely, the blog post “proof” is like a thief producing a photocopy of your signature and claiming it as his own. The deception really is this obvious. And in the few hours since the announcement was made, the consensus of the Bitcoin community has grown very rapidly against Wright’s claims. “This is the Canadian girlfriend of cryptographic signatures,” observed one Redditor.

Vitalik Buterin, a Bitcoin expert and founder of Ethereum, put the matter this way at yesterday’s Consensus conference, in New York:

I will explain why I think he’s probably not Satoshi [applause] He had the opportunity to take two different paths of proving this. One path would have been to make this exact proof, make a signature from the first bitcoin block, put the signature out in public […] he would let the crypto community verify this. But instead he has written a huge blog post that is long and confusing and it has bugs in the software and he also says he won’t release the evidence. Signaling theory says that if you have a good way to prove something and you have a noisy way to do it, then the reason why you picked the noisy way was because you couldn’t do it the good way in the first place.

Had Wright really been Satoshi, it seems altogether likely that he would simply have used the method Buterin suggests, mailed himself his own brand-new envelope, if you will, and removed it from the mailbox in full view of the public — which can be done instantly, anonymously, and free of cost using Bitcoin. Had he done that, we wouldn’t even be having this discussion. From the start it would have been clear as day that this was the guy. Instead, security expert Dan Kaminsky yesterday characterized Wright’s proofs as “intentional scammery.”

As a longtime Bitcoin watcher, I consider that Wright’s failure to conduct the obvious demonstration is the most damning strike against him. But running a close second to that failure is his consistent inability to string together a tolerably clear English sentence. The real Satoshi Nakamoto is a calm, educated, articulate man. Craig Wright is by comparison a self-consequential, illiterate blowhard; his writing is imprecise and clumsy, full of misspellings and primitive solecisms never committed by the real Satoshi. If he is not the guy, then why the scammery?

I’ve met Gavin Andresen in person, and spoken and corresponded with him at length, and until yesterday morning I would have told you that his word on this matter was law. But certain developments have altered Andresen’s position in the Bitcoin world. He has been stripped of “commit access” to Bitcoin Core, which is to say, the right to alter the original version of Bitcoin’s code without permission from the other current “core devs,” all of whom he appointed himself. Andresen began mastering, maintaining, and protecting this code with the real Satoshi in 2009; he shepherded it through thick and thin, through near-fatal bugs, exchange crashes, and government bans, through the massive runup in the currency’s value in late 2013, and its waxing and waning since. Throughout, he has been a model of mild, level-headed probity, in sharp contrast to the pompous libertarian kooks often found in the Bitcoin world.

Whatever else may have happened, this is a palace coup, pure and simple, likely connected to the deep fracture in the Bitcoin developers’ community with respect to future growth: The furious debate around “block size” in particular can be seen as an attempt to effectively privatize Bitcoin. Some of the remaining core developers are involved in a a startup called Blockstream, a company that will likely benefit if Andresen’s long-sought recommendation to increase block size is not followed. When I asked Andresen, was your commit access really revoked? How, and by whom? He replied: “Yes, by Wladimir [van der Laan], by poking some buttons at github.” So far, he has declined to say more than this.

Without a doubt there are powerful commercial impulses at work in the Bitcoin world, notably those connected with Blockstream; the fate of this commercial enterprise might very easily be involved in the Craig Wright circus, as various observers on Reddit and elsewhere have noted. Was Gavin Andresen’s agreement to identify Craig Wright as Satoshi connected in some way to his fate as a Bitcoin core developer, and if so, how?

Andresen’s involvement aside, interesting as it is, The Economist demanded yesterday that Wright produce new proofs of his control of the private keys involved in the London “demonstrations.” This is the best place to look for further corroboration — or otherwise — of Craig Wright’s claims. His refusal to comply with these requests so far speaks volumes.