├── README.md
├── bitcoin-address.txt
├── claimed-public-key.txt
├── sartre.txt
├── sig.asn1
├── signature.der
├── sn7-message.txt
└── verification.rb
/README.md:
--------------------------------------------------------------------------------
1 | # Attempting (Failed) Verification of the Wright Signature
2 |
3 | Craig Wright [claims](http://www.drcraigwright.net/jean-paul-sartre-signing-significance/) to be Satoshi, the pseudonymous creator of Bitcoin.
4 |
5 | His proferred proof for this is a cryptographic signature. This gets complicated:
6 |
7 | 1) A certain [well-known transaction](https://blockchain.info/tx/f4184fc596403b9d638783cf57adfe4c75c605f6356fbc91338530e9831e9e16), Bitcoin's first, was between Satoshi and Hal Finney.
8 | We treat the provenance of this transaction as a settled question.
9 |
10 | 2) Anyone controlling the private key corresponding either the input address or the change address from that transaction is, presumptively, associated with Satoshi.
11 |
12 | 3) Craig claims that he can sign an arbitrary message with the private key corresponding to the input address, 12cbQLTFMXRnSzktFkuoG3eHoMeFtpTu3S
13 |
14 | 4) Craig claims to have signed a passage about Sartre.
15 |
16 | ## The Part Which Actually Works
17 |
18 | Craig is successfully able to go from a Bitcoin address to the public key associated with it, and you can, too!
19 |
20 | [Here](http://gobittest.appspot.com/Address) are the steps, with handy on-page execution of them.
21 |
22 | We can see, via inputing Wright's claimed public key (transcribed in claimed-public-key.txt), that it does match the 12cbQLTF address which sent Finney Bitcoin.
23 |
24 | ## The Part Which Doesn't Work
25 |
26 | Let's review the proferred signature.
27 |
28 | To review Public/Private Crypto 101, you sign with your private key. One verifies with the public key.
29 |
30 | We don't possess Satoshi's private key. We do possess one public key presumptively belonging to him. We also possess a bag-of-bytes from Wright, which he claims signs the Sartre text.
31 |
32 | First, we generate the sig. Wright has provided `MEUCIQDBKn1Uly8m0UyzETObUSL4wYdBfd4ejvtoQfVcNCIK4AIgZmMsXNQWHvo6KDd2Tu6euEl1
33 | 3VTC3ihl6XUlhcU+fM4=` for us, which is transcribed into signature.der in this repository.
34 |
35 | We then use a Wright-blessed command to transform the signature into a form that our utilities can work with.
36 |
37 | ```
38 | # Base64 decode the signature into ASN1 form.
39 | $ base64 --decode signature.der > sig.asn1
40 | ```
41 |
42 | We've got the public key, we've got the signature, now we just need the text which the signature claims to match.
43 | Dan Kaminsky generously [transcribed](https://dankaminsky.com/2016/05/02/validating-satoshi-or-not/) the hash of the text, which Wright claims the signature corresponds to. I've included hash as sn7-message.txt. You can verify that it matches the claimed hash from Wright.
44 |
45 | ```
46 | # Verify signature of hash file.
47 | hexdump sn7-message.txt
48 |
49 | # You'll have to visually compare this against Wright's screenshots, but it matches.
50 | # If this sounds *fishy* to you, well, you're right. Also fishy: making people hand-edit hex values
51 | # to verify trivial parts of this evidence chain.
52 | ```
53 |
54 | (Psst, _this is where magic happens._)
55 |
56 | And now we try to validate the message, using Ruby's OpenSSL bindings.
57 |
58 | ```
59 | ruby verification.rb sn7-message.txt
60 | ```
61 |
62 | Feel free to inspect the code and tell me if I'm misunderstanding those bindings, but I rather don't think I am.
63 |
64 | You cannot validate this signature against the purported hash of the Sartre message. You can only validate it against the hash of the hash.
65 |
66 | Why is that? Because Wright did not actually sign any derivative of the Sartre message.
67 |
68 | ## Spoiler: It Isn't Random Bytes
69 |
70 | The signature provided isn't actually a signature of any text of Sartre. It is actually a bag of bytes already taken from the blockchain,
71 | as [discovered by /u/JoukeH on /r/Bitcoin](https://www.reddit.com/r/Bitcoin/comments/4hf4xj/creator_of_bitcoin_reveals_identity/d2pf70v).
72 |
73 | _Major credit to this explanation:_
74 |
75 | [Ryan Castellucci](https://twitter.com/ryancdotorg/) [did some legwork](https://rya.nc/sartre.html)
76 | if you want to see how the scriptSig that Wright re-used corresponds to a transaction already on the blockchain, on the verifying-the-transaction level.
77 | This is apparently how Wright constructed the signature (from the published scriptSig).
78 |
79 | You'll note that Bitcoin, for reasons known only to Satoshi, takes the signature of hash of a hash to generate the scriptSig. Quoting Ryan:
80 |
81 |
82 | I mentioned that normally, when using ECDSA to sign or verify a file, it is unnecessary to hash it manually. This is where CW's slight-of-hand lies. ECDSA computes the signature operation on a 256 bit integer referred to as z. Normally this is computed as sha256(message), but Bitcoin does sha256(sha256(modtx)). CW showed the signature verification using OpenSSL's ECDSA on sha256(modtx). OpenSSL's does another sha256 on the data, which makes the z value match.
83 |
84 |
85 | ## My Head Hurts. What Does This Mean?
86 |
87 | Wright's post is flimflam and hokum which stands up to a few minutes of cursory scrutiny, and demonstrates a competent sysadmin's level of familiarity
88 | with cryptographic tools, but ultimately demonstrates no non-public information about Satoshi.
89 |
90 | ## Do You Believe Wright Is Satoshi?
91 |
92 | But for the endorsement of core developer [Gavin Andresen](http://gavinandresen.ninja/satoshi), I would assume that Wright used amateur magician tactics to distract
93 | non-technical or non-expert staff of the BBC and the Economist during a stage-managed demonstration. I'm reasonably confident that
94 | I could have sold the same story, with approximately two hours of preparation. The non-experts did not ask to see things which would
95 | be hard for non-Satoshi to provide -- they were at the mercy of the charlatan (paging James Randi, James Randi to the courtesy phone please).
96 |
97 | I'm mystified as to how this got past Andresen, though.
98 |
99 | The entire protocol for the verification is suspect: you shouldn't ask the purported Satoshi to do a series of operations under his own control,
100 | on his own machine or anyone else's. You should simply give him an arbitrary message (e.g. "I, Wright, am Satoshi -- here's a random nonce: 4203234."), have him sign it and transfer you the signature, then *you* verify the signature on your own machine against a public key that *you*
101 | trust belonged to Satoshi.
102 |
103 | One of the very few things that Bitcoin meaningfully has accomplished as an ecosystem is a world-readable repository of reasonably-well-attested-to-keys. Why was this demonstration so hard?! It's bleeping trivial to the real Satoshi (or anyone possessing his private key) and nigh-upon impossible for anyone else. (An acceptable alternative would have been "Move any Bitcoin from that same output, to anywhere, on command", but there are at
104 | least conceivable reasons why that would have been unwise.)
105 |
106 | ## You Mentioned Magic Earlier, Twice
107 |
108 | Yep. The magic is replacing the message we think was signed (here, Satre's text) with another message. The hash that is getting signed
109 | isn't getting calculated honestly from the Sartre text, as you can verify by spending an hour trying to coerce Sartre and SHA256 into
110 | telling you their secrets. Wright just asserts the hash, and if you don't bother checking it, you don't see that he's substituted a hash
111 | that he already has a matching signature for. For full details of this, read Ryan's writeup and about Bitcoin transaction structure.
112 |
--------------------------------------------------------------------------------
/bitcoin-address.txt:
--------------------------------------------------------------------------------
1 | 12cbQLTFMXRnSzktFkuoG3eHoMeFtpTu3S
2 |
--------------------------------------------------------------------------------
/claimed-public-key.txt:
--------------------------------------------------------------------------------
1 | 0411db93e1dcdb8a016b49840f8c53
2 | bc1eb68a382e97b1482ecad7b148a6
3 | 909a5cb2e0eaddfb84ccf9744464f8
4 | 2e160bfa9b8b64f9d4c03f999b8643
5 | f656b412a3
6 |
--------------------------------------------------------------------------------
/sartre.txt:
--------------------------------------------------------------------------------
1 | Sartre on the Nobel Prize
2 | Jean-Paul Sartre, translated by Richard Howard
3 | December 17, 1964 Issue
4 |
5 | Jean-Paul Sartre
6 | Jean-Paul Sartre; drawing by David Levine
7 |
8 | Jean-Paul Sartre explained his refusal to accept the Nobel Prize for Literature in a statement made to the Swedish Press on October 22, which appeared in Le Monde in a French translation approved by Sartre. The following translation into English was made by Richard Howard.
9 |
10 | I deeply regret the fact that the incident has become something of a scandal: a prize was awarded, and I refused it. It happened entirely because I was not informed soon enough of what was under way. When I read in the October 15 Figaro littéraire, in the Swedish correspondent’s column, that the choice of the Swedish Academy was tending toward me, but that it had not yet been determined, I supposed that by writing a letter to the Academy, which I sent off the following day, I could make matters clear and that there would be no further discussion.
11 |
12 | I was not aware at the time that the Nobel Prize is awarded without consulting the opinion of the recipient, and I believed there was time to prevent this from happening. But I now understand that when the Swedish Academy has made a decision it cannot subsequently revoke it.
13 |
14 | My reasons for refusing the prize concern neither the Swedish Academy nor the Nobel Prize in itself, as I explained in my letter to the Academy. In it, I alluded to two kinds of reasons: personal and objective.
15 |
16 | The personal reasons are these: my refusal is not an impulsive gesture, I have always declined official honors. In 1945, after the war, when I was offered the Legion of Honor, I refused it, although I was sympathetic to the government. Similarly, I have never sought to enter the Collège de France, as several of my friends suggested.
17 |
18 | This attitude is based on my conception of the writer’s enterprise. A writer who adopts political, social, or literary positions must act only with the means that are his own—that is, the written word. All the honors he may receive expose his readers to a pressure I do not consider desirable. If I sign myself Jean-Paul Sartre it is not the same thing as if I sign myself Jean-Paul Sartre, Nobel Prizewinner.
19 |
20 | The writer who accepts an honor of this kind involves as well as himself the association or institution which has honored him. My sympathies for the Venezuelan revolutionists commit only myself, while if Jean-Paul Sartre the Nobel laureate champions the Venezuelan resistance, he also commits the entire Nobel Prize as an institution.
21 |
22 | The writer must therefore refuse to let himself be transformed into an institution, even if this occurs under the most honorable circumstances, as in the present case.
23 |
24 | This attitude is of course entirely my own, and contains no criticism of those who have already been awarded the prize. I have a great deal of respect and admiration for several of the laureates whom I have the honor to know.
25 |
26 | My objective reasons are as follows: The only battle possible today on the cultural front is the battle for the peaceful coexistence of the two cultures, that of the East and that of the West. I do not mean that they must embrace each other—I know that the confrontation of these two cultures must necessarily take the form of a conflict—but this confrontation must occur between men and between cultures, without the intervention of institutions.
27 |
28 | I myself am deeply affected by the contradiction between the two cultures: I am made up of such contradictions. My sympathies undeniably go to socialism and to what is called the Eastern bloc, but I was born and brought up in a bourgeois family and a bourgeois culture. This permits me to collaborate with all those who seek to bring the two cultures closer together. I nonetheless hope, of course, that “the best man wins.” That is, socialism.
29 |
30 | This is why I cannot accept an honor awarded by cultural authorities, those of the West any more than those of the East, even if I am sympathetic to their existence. Although all my sympathies are on the socialist side. I should thus be quite as unable to accept, for example, the Lenin Prize, if someone wanted to give it to me, which is not the case.
31 |
32 | I know that the Nobel Prize in itself is not a literary prize of the Western bloc, but it is what is made of it, and events may occur which are outside the province of the members of the Swedish Academy. This is why, in the present situation, the Nobel Prize stands objectively as a distinction reserved for the writers of the West or the rebels of the East. It has not been awarded, for example, to Neruda, who is one of the greatest South American poets. There has never been serious question of giving it to Louis Aragon, though he certainly deserves it. It is regrettable that the prize was given to Pasternak and not to Sholokhov, and that the only Soviet work thus honored should be one published abroad and banned in its own country. A balance might have been established by a similar gesture in the other direction. During the war in Algeria, when we had signed the “declaration of the 121,” I should have gratefully accepted the prize, because it would have honored not only me, but also the freedom for which we were fighting. But matters did not turn out that way, and it is only after the battle is over that the prize has been awarded me.
33 |
34 | In discussing the motives of the Swedish Academy, mention has been made of freedom, a word that suggests many interpretations. In the West, only a general freedom is meant: personally, I mean a more concrete freedom which consists of the right to have more than one pair of shoes and to eat one’s fill. It seems to me less dangerous to decline the prize than to accept it. If I accept it, I offer myself to what I shall call “an objective rehabilitation.” According to the Figaro littéraire article, “a controversial political past would not be held against me.” I know that this article does not express the opinion of the Academy, but it clearly shows how my acceptance would be interpreted by certain rightist circles. I consider this “controversial political past” as still valid, even if I am quite prepared to acknowledge to my comrades certain past errors.
35 |
36 | I do not thereby mean that the Nobel Prize is a “bourgeois” prize, but such is the bourgeois interpretation which would inevitably be given by certain circles with which I am very familiar.
37 |
38 | Lastly, I come to the question of the money: it is a very heavy burden that the Academy imposes upon the laureate by accompanying its homage with an enormous sum, and this problem has tortured me. Either one accepts the prize and with the prize money can support organizations or movements one considers important—my own thoughts went to the Apartheid committee in London. Or else one declines the prize on generous principles, and thereby deprives such a movement of badly needed support. But I believe this to be a false problem. I obviously renounce the 250,000 crowns because I do not wish to be institutionalized in either East or West. But one cannot be asked on the other hand to renounce, for 250,000 crowns, principles which are not only one’s own, but are shared by all one’s comrades.
39 |
40 | That is what has made so painful for me both the awarding of the prize and the refusal of it I am obliged to make.
41 |
42 | I wish to end this declaration with a message of fellow-feeling for the Swedish public.
43 |
--------------------------------------------------------------------------------
/sig.asn1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/patio11/wrightverification/b8babea215719a8b7d36276553faed34628d59d5/sig.asn1
--------------------------------------------------------------------------------
/signature.der:
--------------------------------------------------------------------------------
1 | MEUCIQDBKn1Uly8m0UyzETObUSL4wYdBfd4ejvtoQfVcNCIK4AIgZmMsXNQWHvo6KDd2Tu6euEl1
2 | 3VTC3ihl6XUlhcU+fM4=
3 |
--------------------------------------------------------------------------------
/sn7-message.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/patio11/wrightverification/b8babea215719a8b7d36276553faed34628d59d5/sn7-message.txt
--------------------------------------------------------------------------------
/verification.rb:
--------------------------------------------------------------------------------
1 | # Usage: ruby verification.rb
2 | require "openssl"
3 |
4 | file_to_verify = ARGV[1] || "sn7-message.txt"
5 |
6 | claimed_public_key = File.read("claimed-public-key.txt").split.join.strip
7 | claimed_public_key_bign = claimed_public_key.to_i(16).to_bn
8 |
9 | group = OpenSSL::PKey::EC::Group.new('secp256k1')
10 | curve = OpenSSL::PKey::EC.new(group)
11 |
12 | curve.public_key = OpenSSL::PKey::EC::Point.new(group, claimed_public_key_bign)
13 |
14 | signature = File.binread("sig.asn1")
15 | claimed_signed_hash = File.binread(file_to_verify)
16 |
17 | verifies = curve.dsa_verify_asn1(claimed_signed_hash, signature)
18 |
19 | puts "File #{file_to_verify} " + (verifies ? "verifies" : "does not verify") + " against Wright's provided signature."
20 |
21 | double_hashed = OpenSSL::Digest::SHA256.digest(claimed_signed_hash)
22 |
23 | verifies = curve.dsa_verify_asn1(double_hashed, signature)
24 |
25 | puts "*The hash of* #{file_to_verify} " + (verifies ? "verifies" : "does not verify") + " against Wright's provided signature."
26 |
27 |
--------------------------------------------------------------------------------