July 27, 2023

Private Presentations Aren't Proof, part 2: Explaining the fake key signing video

As a follow-up to the previous article about Craig Wright's supposed key signings, last year I produced a short proof-of-concept video showing a similar seemingly legitimate key signing with Satoshi's genesis block key. It was fake of course, which most people immediately understood, but it might be informative to go through exactly how it was faked, so as to highlight the kinds of tricks used and what to watch out for when scrutinizing this kind of evidence.


When Satoshi Nakamoto created and released Bitcoin they chose to do so entirely under said pseudonym. This choice, while presumably being for the sake of their own privacy (and perhaps, in retrospect, safety), ended up adding a tantalizing air of mystery to the world's first working peer-to-peer electronic cash system, even more so when Satoshi later disappeared entirely from public view, never to be heard from again.

But suppose Satoshi (assuming they're still alive) one day chose to return, and maybe even reveal their true identity. How would we know whether this was the same person who originally operated under the pseudonym and created Bitcoin? Given the steady stream of people who have claimed to be Satoshi over the years, this isn't some hypothetical question but a perpetually relevant one. What questions should we ask a person claiming to be Satoshi, and what are the correct answers for us to recognize them as the real deal?

First things first, let's not mince words: out of everyone who has claimed to be Satoshi Nakamoto thus far, no one has been able to provide appropriate evidence for their claim; not even close. It isn't so much about what supposed evidence they have provided — which includes poorly backdated documents, faked signatures, historical anecdotes, and even numerology, but usually just naked assertions — but rather about what they haven't provided.

It's not like the "Satoshi Test" is some closely kept secret; there's been near-universal consensus all along on what it would take to convince the community that you're really Satoshi. For example, here's a 2016 Wired article describing this shortly after Craig Wright's questionable claim first became public (after which the holes in his story immediately started appearing). In fact, the only people who seem to disagree and argue for different standards of evidence are, predictably and conspicuously, the Satoshi pretenders.

Given that Satoshi Nakamoto is a mere pseudonym of someone who took great care to guard their privacy, we know very little about Satoshi the person, and most of what is known is public knowledge (and thus also known to a pretender). Satoshi did have private conversations with various people which in a properly conducted test a pretender would struggle to feign knowledge of, but such tests would be inexact and would at best provide circumstantial evidence (for one, we would have to trust the other party). Internal knowledge of the development of Bitcoin (such as being able to produce credible early development versions of the code) could support someone's claim but wouldn't be proof in itself as we couldn't verify its authenticity, merely judge its credibility.

Instead, the single strongest piece of evidence that could be provided is appropriately enough intrinsically linked to Bitcoin itself, in the form of cryptographic signatures. One of the few things we do know about Satoshi Nakamoto the Bitcoin inventor is that they possessed certain cryptographic keys, in particular a key used in the Bitcoin Genesis block but also other keys used in well-known transactions where Satoshi sent bitcoins to various people.

In fact, possession of those keys is a more uniquely identifying trait of Satoshi than anything else we know about Satoshi. And while signatures from those keys (either in the form of a signed message, or through moving Satoshi's bitcoins) wouldn't absolutely prove someone is Satoshi — the keys could theoretically be stolen etc. — they would mathematically prove possession of Satoshi's keys. This is about as close as we can get in terms of evidence, and it's fair to say most of the Bitcoin community would consider either sufficient or at least required evidence to prove you're Satoshi (or at least connected to Satoshi).

The fake key signing video

So given that a signature from Satoshi's keys would practically prove someone is Satoshi, and since the published video shows a key signing and validation with the Genesis key, was it produced by Satoshi? Or are Satoshi's keys spreading in the wild?

The answer is neither, of course. The video isn't a key signing with the Genesis key; it's merely made to look that way. Cryptographic signatures provide incredibly strong mathematical guarantees when used correctly, but are meaningless if proper procedures are not followed, as said guarantees only result from an unbroken mathematical chain of custody, so to speak; any skipped or insufficiently verified step breaks the chain and gives a malicious actor the opportunity to fool you with a forgery.

The reason you can typically trust digital cryptography without worrying too much about the details (such as when you do online banking) is because smarter people have already done the worrying for you and carefully built the software and systems you use to properly validate all this stuff behind the scenes. (Though this still leaves you forced to trust the software.)

So what if you're faced with someone who is deliberately trying to deceive you with false cryptographic "evidence"? How might they go about tricking you, and what would you need to do in order to spot the fraud?

Maybe you already spotted some suspicious or conspicuous parts when you watched the video. Let's go through it step by step and this time point out everything that's really happening. Think of it as revealing a magic trick, which is appropriate — magic tricks are after all just lies covered up by psychological tricks of misdirection, much like this "key signing".

What you see: The demonstration starts with a view of a clean MacOS desktop, with Bitcoin Core running. The machine looks as though it's just running the factory defaults, with an open Bitcoin wallet. The wallet is named "satoshi" and appears to contain a large number of bitcoins, in line with the number of bitcoins Satoshi is believed to have mined, and also shows an address labeled "Genesis".

What's actually happening: While everything you see happening on screen was recorded live, this is a computer under someone else's control. Any assumption you make about it working as expected can be exploited, and this demonstration will do its best to keep you thinking inside the box. This is not the real Bitcoin Core but a patched version. It and its disk image were intentionally left on the desktop to suggest an innocent explanation for its presence (having been recently downloaded and installed) rather than it just somehow already being there. The demonstration could easily include the actual download too; more on that below.

What you see: A signature is created, selecting the Genesis address as the signing key and a message inspired by what Craig Wright supposedly signed for Gavin Andresen. In a live performance you as the witness would be free to choose any message you like. A fairly long password is entered, and a signature is successfully generated. Obviously, you can only generate signatures for an address if your wallet contains the corresponding private key, so this seems to show that the wallet indeed contains Satoshi's Genesis key.

What's actually happening: The wallet is password protected because that's what you expect; it would look weird if it was missing. When the signature is created, the patched Bitcoin Core is secretly swapping out the selected address with another predefined address: 1MparShuDmte9PCnrrX28QPPDPMpJqrkri (whose private key the wallet does contain). This means the generated signature (IHbD1kMF8tXN/ZuKoIzPTOpMQeDfP8awdgAQgw2LhHz4T+1Rh+XFNrLcmZtIkP9lQ6XWGG2gyHtZ8OLosVOvqvg=) is a valid signature for the message — that is, it will only validate for that exact message and no others — but it's signed with the wrong key. Just like in Wright's "key signing", you're not allowed to independently verify the signature (as this will fail); instead a "verification" will be performed for you as believably as possible.

What you see: The default Safari browser is opened and directed to electrum.org. Electrum is another Bitcoin wallet implementation and will be used to "verify" the signature. The address bar indicates the connection is secure (and while the video doesn't show it, clicking the certificate will show a valid HTTPS certificate for electrum.org, with the seemingly correct certificate chain). The latest executable for MacOS is downloaded, along with the corresponding digital signature file.

What's actually happening: A man-in-the-middle proxy is running on the machine, serving a patched version of the electrum.org website. The HTTPS certificate chain consists entirely of lookalike certificates (having the same names as the originals) derived from a pre-installed custom root certificate. The downloading of a second wallet is just meant to manipulate you into thinking it's "independent" from the first wallet and thus unlikely to both be compromised. In reality the performer is in control, and this Electrum wallet has also been patched to accept the fake signatures. Note the Bitcoin Core download still visible in the Downloads directory, again subtly reinforcing the impression that it was freshly installed.

What you see: A terminal is opened, and the files in the Downloads directory are inspected. The SHA256 hash digests for the downloads are calculated (they match the authentic Electrum and Bitcoin Core downloads), and the digital signature for the downloaded Electrum wallet is verified. It validates that this is the original authentic download as signed by the Electrum maintainers. Everything is as you would expect.

What's actually happening: The terminal has been tampered with, by adding certain command aliases to the user's profile. The ls, sha256sum and gpg commands are actually rerouted to execute in a different directory containing the unaltered originals of these downloads, which is why they all show the expected output as if no tampering had taken place. Performing these extra verifications in a fashion that looks as though it's a low-level "raw" operation makes it look like we have nothing to hide and are trying to provide as much verifiable information as possible, but this is just misdirection; since this part looks strong the obvious idea of tainted downloads is downplayed in your mind and you're more likely to consider other more convoluted possibilities (e.g. live tampering with process memory) that would require far more effort and thus feel unlikely.

What you see: The downloaded Electrum wallet is opened. We get a warning about this software being downloaded from the internet when launching it.

What's actually happening: As the patched wallet was downloaded (as opposed to having been planted on the machine in advance), you get the standard MacOS warning as expected. Making sure the demonstration displays the expected behavior of a factory-default MacOS environment keeps suggesting to you that the machine hasn't been tampered with (when in fact it has).

What you see: The Electrum wallet is configured to a new watch-only wallet.

What's actually happening: Nothing to see here. Making a watch-only wallet just happens to be the fastest way to get through the initial configuration of a new Electrum install so we can access the signature functionality. But this being a process that takes time still helps the performer, since it distracts from the other important parts.

What you see: In Electrum's signature window, the signed message is entered, along with the Genesis address and the signature previously generated by Bitcoin Core. The signature fails to validate.

What's actually happening: This failure is intentional. The Electrum wallet has been patched to similarly swap out whatever address is entered with the predefined address mentioned above, so it will recognize the signature as valid, but the message is intentionally typed wrong. Having the verification initially fail demonstrates that the software isn't simply rigged to say that any signature is valid. A witness suspecting the software has been tampered with might ask for an incorrect message or signature to be entered, with the expectation that it should correctly fail. This failed validation preempts and dissuades that suspicion.

(This also borrows a page from magic stage performances, where a performer will sometimes intentionally fail a trick in order to make the trick look difficult and thus make the eventual successful performance seem more impactful.)

Once the correct message is entered, Electrum reports that the signature is valid. We have apparently been shown a key signing using Satoshi's Genesis key. You saw two different wallets create and validate the signature, and you were shown cryptographic evidence that the validating wallet had not been tampered with.

And yet, it was of course all fake. That's not a real signature with the Genesis key, and if you manually verify the signature yourself it will fail validation. Craig Wright simply refused to allow Gavin Andresen to perform any independent verification, whereas this demonstration just relied on psychology — the signature is right there, but are you really going to type it in character by character just to verify it? (Good work everyone who did!)

What if the last ten characters of the signature had been obscured, forcing you to try millions of different variations to rule out the possibility that one of them was valid? Would you still have gone through that effort just to be sure of something that seems legit? Should you have to?

This leads us to the bigger point: if someone is presenting a supposed digital signature to you, but doesn't provide you with the necessary information to independently verify it on your own equipment, or in any way obfuscates or makes it hard to do so, you should assume you're being tricked. Cryptographic signatures only have evidentiary value when properly performed and independently verified, and anyone who wants to prove something cryptographically knows this and will strive to make it as easy as possible to properly validate. No one honest will ask you to accept a cryptographic signature without personally validating it; validating it yourself is the whole point.

In conclusion

If you've gotten this far, perhaps you're thinking that this seems like a whole lot of effort just to fake a key signing, and why would anyone go through all that trouble — especially given how seemingly easily you could get caught?

But that's just the final psychological trap: this isn't a lot of effort — preparing this demonstration was literally just a few hours of work and could be surreptitiously deployed to a clean machine in seconds. Second, someone like Craig Wright would have every reason to try to fake this. At the time of the supposed key signings he stood to gain millions from investors while having very little left to lose after ending up on the run from the Australian Tax Office.

Third, Wright's preferred procedure was railroading non-technical witnesses by talking over their heads while controlling every part of the demonstration from start to finish, leaving no opening to actually verify or scrutinize anything, making this a fairly low-risk trick. The only gamble requiring luck was betting that Gavin Andresen would turn out to be just as susceptible to psychological manipulation as the other targets; Gavin had the technical knowhow to know what evidence to demand, but was talked out of sticking to it and endorsed Wright anyway.

Never forget: the validator sets the rules. Someone attempting to convince you with cryptographic evidence should be able to do so to your satisfaction, not the other way around. Genuine cryptographic evidence not only withstands scrutiny; it welcomes it. The real Satoshi, if they ever wanted to demonstrate their identity, would certainly understand this and present simple, easily verifiable proof rather than try to distract with theater or technobabble.

If all of this seems simple and obvious in hindsight, you're partly right in that it should be, but the other lesson I hope I have imparted is that you shouldn't underestimate the psychological aspect. It's depressingly easy to be manipulated and misled, and similarly it's very easy to miss details in the moment, even when you're paying attention. For example, did you spot the obvious clue at the very beginning of the video, immediately revealing it as a fake?

The wallet shows the Genesis address as a watch-only address, revealing that the wallet doesn't contain its private key, and thus wouldn't be able to sign messages with it. It would have been simple to patch out this clue to make the demonstration more believable, but even left in plain sight like this, in the year since the video was published not a single viewer commented on it.

Stay safe and beware of charlatans. Digital signatures should always consist of a clear, meaningful message, the key/address it was signed with, and the signature data itself readily available for inspection and verification on your own device and under your own control.

Gavin's favorite number is eleven and Craig Wright is not Satoshi Nakamoto.