Here’s how Craig Wright probably tricked Gavin Andresen

Gavin Andresen

What an exciting and dramatic day for Bitcoin.

I woke this morning to my girlfriend asking if I had seen the news that “Satoshi Nakamoto had been uncovered as that Craig Wright guy”.

My initial reaction was scepticism, in my mind he was a scammer, definitely not Satoshi. There it was however, on the trusty BBC home page, with the promise of proof. The proof, however, was elusive.

A quick trip to Craig Wright’s blog and I came away more confused. Had he proven he was Satoshi? Then I encountered Gavin Andresen’s blog where he verified that Craig Wright had signed a message of Andreson’s choosing with a private key known to be Satoshi’s – this looked like case closed.

The problem is, as the day progressed, all the other evidence crumbled under scrutiny. The one shred that retained any credibility was Andreson’s account. How could this proof have been faked?

Let’s find out what happened. In his blog Andresen says:

I witnessed the keys signed and then verified on a clean computer that could not have been tampered with

Only a person with a private key can ‘sign’ a message. Once a message is signed, people can use software to check that the signature is genuine and was created by someone in possession of the private key.

With open source software, anybody can download the source code themselves. This makes it incredibly easy to make small modifications to the otherwise identical software.

It would be quite trivial to find the bit of code that verifies whether a signature is valid and then change the word invalid to valid. Depending on the software it could literally be as easy as deleting the proceeding letters IN.

The modified software would then say that every signature tested was valid, regardless of whether it was or not.

This is the reason the “clean computer” is relevant. If I invite you to view my computer where I show you a validation, I could easily have modified the software. If we go to a shop and buy a brand new computer and then download fresh software, that would eliminate this risk.

This is Andresen’s account of what happened in a post on Reddit:

Craig signed a message that I chose (“Gavin’s favorite number is eleven. CSW” if I recall correctly) using the private key from block number 1.

That signature was copied on to a clean usb stick I brought with me to London, and then validated on a brand-new laptop with a freshly downloaded copy of electrum.

I was not allowed to keep the message or laptop (fear it would leak before Official Announcement).

I don’t have an explanation for the funky OpenSSL procedure in his blog post.

As far as we can tell, Andresen bought a new USB stick. This stick was put into Wright’s computer and a file was copied over containing the signature.

This USB stick was then put inside a brand new laptop.

A remote possibility is that Wright’s computer secretly copied files to the USB stick, files which were then transferred to the new laptop and ran behind the scenes to modify the freshly downloaded Electrum software. This seems unlikely though.

All the scenarios involve Wright somehow running a modified version of Electrum, but another remote possibility is that he somehow discovered a bug in the code that allows you to trick the software into displaying a valid message for an invalid signature. Again, this is unlikely.

Let’s look for more clues, this time from a Wired article:

Andresen says an administrative assistant working with Wright left to buy a computer from a nearby store, and returned with what Andresen describes as a Windows laptop in a “factory-sealed” box. They installed the Bitcoin software Electrum on that machine. For their test, Andresen chose the message “Gavin’s favorite number is eleven.” Wright added his initials, “CSW,” and signed the message on his own computer. Then he put the signed message on a USB stick belonging to Andresen and they transferred it to the new laptop, where Andresen checked the signature.

At first, the Electrum software’s verification of the signature mysteriously failed. But then Andresen noticed that they’d accidentally left off Wright’s initials from the message they were testing, and checked again: The signature was valid.

“It’s certainly possible I was bamboozled,” Andresen says. “I could spin stories of how they hacked the hotel Wi-fi so that the insecure connection gave us a bad version of the software. But that just seems incredibly unlikely. It seems the simpler explanation is that this person is Satoshi.”

There’s a bit of a smoking gun here. A factory seal doesn’t prove something hasn’t been tampered with any more than writing ‘this is genuine’ on a CD makes it genuine. Instead of buying a laptop himself, he allowed one of Wright’s representatives to source the laptop. This means the laptop can no longer be considered ‘clean’. It could have been preloaded with modified software, either to trick the computer into downloading a modified version of Electrum, or by modifying a legitimately downloaded version of Electrum during or after installation.

As Andresen mentions himself, it is also possible the Wifi connection was compromised to point to a different download location, in which case even an clean computer could be compromised.

Either way, a major weakness of Andresen’s is that it sounds like he already was convinced of Wright’s story before he arrived and was the victim of a confidence trick. This means he may have let his guard down in permitting one of Wright’s associates to source the ‘clean’ machine, or in his verification of the legitimacy of the software installed. It is possible to verify a software has not been modified by checking the MD5 checksum, it would be interesting to know if Andresen performed this test. It is also very suspect that Wright insisted on keeping the laptop and USB stick without a compelling reason after the demonstration as that would have allowed Andresen to verify the test.

There are other possibilities too. Andresen may have not witnessed any of this and may be in on the scam, or acting under duress. Another unlikely possibility is that Craig Wright is Satoshi Nakamoto.

As Gavin Andresen says himself, the simpler explanation is often the most likely, and in this case it seems most likely he was bamboozled by a world class con artist.

John Hardy
Follow me

John Hardy

Software developer living in Bristol, UK.
Bitcoin advocate since 2011.
Email [email protected]
Donations welcome: 1H2zNWjxkaVeeE3yX6uVqng5Qoi6gGvYTE
John Hardy
Follow me

Author: John Hardy

Software developer living in Bristol, UK. Bitcoin advocate since 2011. Email [email protected] Donations welcome: 1H2zNWjxkaVeeE3yX6uVqng5Qoi6gGvYTE

  • Jamie Cansdale

    Are we talking a custom version of Windows that installs a rootkit upon first boot when the Administrator account is created? The rootkit would launch a custom build of Electrum that was modified that validate any message that ends with “CSW”.

    If he managed to pull that one off, it was certainly clever! I wonder why Gavin didn’t use his own laptop and what reason Craig would have given to stop him if he’d wanted to (to prevent him from keeping the proof I guess).

    All very strange!