Over the past four years, nChain chief scientist Craig S. Wright’s layers of attempts to prove that he created Bitcoin have grown more complex. But according to cryptography experts consulted by CoinDesk, assessing Wright’s recent claim about how Bitcoin message signing works is straightforward – it’s just wrong.
Since 2016, Wright has tried to use cryptographic evidence to prove that he is Satoshi Nakamoto, the pseudonymous creator of Bitcoin. But the pieces of proof Wright has provided, at least so far, have been vigorously disputed by experts in these forms of mathematical proofs. (Back in 2016 for instance, White Ops chief scientist Dan Kaminsky went so far as to call him the “world’s first cryptographically provable con artist.”)
Debating digital signatures
In the most recent round of drama, an anonymous user signed a public message using 145 of those same keys claimed by Wright, calling him a “liar and a fraud” and asserting that “[Wright] doesn’t have the keys used to sign this message.”
Wright responded in a recent interview at the virtual REIMAGINE 2020 conference that “no message was signed. You cannot have a digital signature that is anonymous, by definition. Sorry. So, no signature. You can run a digital signature algorithm. It’s not signing a message.”
He added, “You either have to have an identity attribute or an identity to sign a message. Someone can’t go and say, ‘Hey, I’ve got a key, I’m signing.’ If you think that, you don’t understand digital signatures at all.”
The four cryptography experts CoinDesk talked to disagree.
“I am very surprised by the statements he’s making,” Symbolic Software applied cryptographer Nadim Kobeissi told CoinDesk. “The usage of digital signatures is indeed correct and Wright’s subsequent claims that ‘this is not how digital signatures work’ seem vague and misleading.”
Johns Hopkins associate professor and cryptographer Matthew Green argued that Wright’s explanation “makes zero sense to me as a cryptographer,” adding: “If Craig Wright is saying something meaningful here then he needs to slow down and explain it more clearly. Because the words he’s using sound like nonsense to me.”
Diving into the cryptography
Typically, disagreements on the internet devolve into “he-said, she-said” quagmires, where each side has their facts with little definitive truth to go around. But in this case, the math can’t lie, cryptographers argue. One plus one must always equal two, even if it’s inconvenient.
Digital signatures are crucial to Bitcoin or any blockchain project. Every time bitcoin is sent from one person to another, behind the scenes a digital signature is created proving ownership and authorizing the transfer. It is impossible to send bitcoin without them. The user takes a private key (that presumably only they have access to), then produces a signature proving that they actually control the address and are the rightful owners of the bitcoin held by it.
Users can do more than transfer bitcoin in this way. A lesser-known application is that a bitcoin owner can use their private key to sign written messages, proving the owner of the key is the one who signed the message.
That’s what happened here, according to cryptographers.
Sending a message
Using such a Bitcoin private key, an anonymous person was able to sign the aforementioned message calling Wright “a liar and a fraud.” The experts say this very action strongly implies that Wright does not control the addresses he claims he does (or at least that he isn’t the sole possessor of the keys).
What follows this message is a lengthy list of seemingly random strings of characters. According to cryptographers, these are digital signatures associated with each address, proving that the anonymous poster is the true owner of the private key associated with the list of bitcoin addresses.
This is all public information that anyone with the know-how to do so can mathematically verify. By looking at the signature, the signed message and the bitcoin addresses, anyone can “check” that the owner of an address, that is, the one who holds that private key, indeed signed the message.
Cryptographer and Blockstream developer Tim Ruffing, for instance, said that he checked a “few, random signatures” himself, and found them to be valid.
Green outlines two possibilities for why these signatures would be valid. One is, simply, that “the person who signed the message possesses the corresponding wallet secret keys for those addresses.”
The alternative, according to Green, is technically possible but extremely improbable. “The other is that they’ve broken the ECDSA signing scheme on the Secp256k1 elliptic curve. [It] would be an amazing feat of cryptanalysis that would fundamentally shake the cryptographic foundations that secure the Internet, and it would certainly break Bitcoin. I do not think that is likely at all, and so I’d bank on the first possibility,” he said.
Missing the mark on identity
In short, cryptographers told CoinDesk that these keys are sufficient to sign such a message. And while Wright argues in the REIMAGINE 2020 interview that an additional “identity attribute” is required, cryptographers dispute that assertion.
“The ‘identity’ that Wright talks about is in fact the wallets themselves, because in Bitcoin, wallets are public signing keys,” Kobeissi said. Green concurred, pointing to bitcoin addresses as the built-in identity attribute to bitcoin.
Bitcoin security researcher and IOV Labs head of innovation Sergio Demian Lerner said he believes that Wright was conflating two phrases in an effort to mislead listeners.
Lerner pointed to the “colloquial” definition of a digital signature, which he describes as “a method for an entity (legal or individual) to sign a document and not be able to deny it later or back-date a signature.”
Wright “used a colloquial definition of the term to confuse non-technical people, because a technical person knows that the published signatures are enough to prove that the publisher has the private keys, and the identity of the owner is irrelevant for the proof,” Lerner said.
Given that the digital signatures are valid in a cryptographic sense, Kobeissi argues there aren’t many possible interpretations.
According to Kobeissi:
“There are only two possible explanations: Craig Wright does indeed own these 145 wallets and used them to sign a message claiming that he himself is a liar and a fraud. [Or,] Craig Wright is indeed a liar and a fraud and was exposed by one or more wallet-owners who did not appreciate him making false claims on their wallets.”
Because of these claims, as well as others that Wright has made, Kobeissi went further: “Having followed Craig Wright’s tale, I personally think that there is as much validity to the claim that Craig Wright is the inventor of Bitcoin as there is validity to the claim that the Earth is flat.”
In an emailed response to CoinDesk, Wright doubled down on his claims about digital signatures.
He framed digital signatures as a legal matter, rather than a technical one. The definition of a digital signature that Wright provided in his emailed response to CoinDesk is pulled from Stroud’s Judicial Dictionary.
“Advanced digital signatures include the use of digital signature algorithms. Unfortunately, many so-called cryptographers and armchair experts failed to comprehend the nature of the system or the problem they are seeking to solve. They attempt to solve insoluble issues such as non-repudiation. Non-repudiation is not a technical issue; it is a legal concept, and it remains a fact that repudiation may always occur and that no matter what algorithm is used, a person could have been forced or coerced. No technical systems solve this problem,” Wright told CoinDesk.
He added: “When judges talk about the need for a signature to provide that ‘an authenticating intention can be demonstrated,’ they are stating the authentication of the individual and their name. They are not talking about the authentication of the algorithm. Unfortunately, too many people in the Cryptocurrency space think that they can alter the meaning of words and create a new reality. They cannot.”
(CoinDesk has included a full version of Wright’s comments in a Scribd document below.)
Cryptographers are not convinced
Kobeissi’s response was brief, calling Wright’s statement “an incredible amount of bullshit.”
Lerner, after also reading Wright’s response, restated his suggestion that Wright is using the wrong definition of “digital signatures” to confuse people.
“Any person understands that ‘the square root’ is a mathematical term, and it has nothing to do with the colloquial meaning of the words ‘square’ and ‘root,’” he said. As such, Lerner said, even non-cryptographers can also understand that Wright’s comments don’t make sense.
Lerner further argued Wright is using this parallel definition in an attempt to further his argument in the court case he is involved in.
“This person emphasises that if he somehow convinces a judge that he owns a million bitcoins that nobody has claimed (and that some people think belong to Satoshi), then the judge may rule in his favour and magically give him control,” he said.