alphaspirit - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Craig Wright fails, again, to prove he's the bitcoin creator

Craig Wright's second attempt to prove he's the bitcoin creator, Satoshi Nakamoto, was debunked after fooling the mainstream press, but his motives are still a mystery.

Craig Wright, an Australian cryptocurrency expert, has tried and failed once again to prove definitively that he is Satoshi Nakamoto, the mysterious creator of bitcoin. Wright had been suspected last year of being the bitcoin creator.

For an audience of invited journalists from the BBC, The Economist and GQ, Wright reportedly digitally signed a file as Nakamoto in order to prove his identity as the bitcoin creator and explained the method on his blog. His claim was even backed up by Gavin Andresen, chief scientist at the Bitcoin Foundation, but examination found a number of flaws in his actions.

Nicholas Weaver, senior researcher of networking and security for the International Computer Science Institute at the University of California, Berkeley, said Wright's choice of media outlets for this story was the first red flag.

"He couldn't pitch this to a more tech-savvy press venue, because such venues witnessed the first go-round -- making him inherently less trustworthy to begin with," Weaver told SearchSecurity. "Such press venues would simply go, 'Prove it.' If Craig Wright is Satoshi, it is easy for him to prove it. Just cryptographically sign 'Craig Wright is Satoshi,' and publish it and anyone can verify the signature."

The second red flag was that Wright did not use the only known PGP key associated with Satoshi Nakamoto, which was supposedly created in October 2008 using DSA-1024 encryption. Instead, according to Dan Kaminsky, security researcher and chief scientist for White Ops Inc., based in New York, Wright used Nakamoto's signature pulled from the public bitcoin blockchain.

"Wright is pretending he has Satoshi's signature on Sartre's writing. That would mean he has the private key and is likely to be Satoshi. What he actually has is Satoshi's signature on parts of the public blockchain, which, of course, means he doesn't need the private key and he doesn't need to be Satoshi. He just needs to make you think Satoshi signed something else besides the blockchain," Kaminsky wrote on his blog. "Of course, the blockchain is totally public and, of course, has signatures from Satoshi, so Wright being able to lift a signature from here isn't surprising at all."

Various threads popped up on Reddit to debunk various aspects of Wright's claims. Andresen said Wright used a "clean computer that could not have been tampered with" to sign the keys, but one redditor noted the shell script explained in Wright's blog post "was intentionally designed to mislead people."

"The way his script is written, it looks like it verifies the data on the file path '$signature,' which is the second command-line parameter. But in fact, it reads from a file referenced in the variable '$signiture.' The contents of [the text file] would be output to the screen when you run 'cat,' but OpenSSL would actually read a completely different file -- whatever you'd set the '$signiture' environment variable to."

Kaminsky told SearchSecurity that Wright's actions were sneaky and "obviously intentional, unambiguous fraud." Kaminsky said the media outlets were scammed by Wright.

"These outlets had every right to expect that Gavin et al would have been the right people to ask," Kaminsky said. "That being said, if there was a mistake, it's that the material provided to GQ et al should have been vetted by cryptographers independent of any personal knowledge also granted to the vetters. Basically, Wright should have been forced to use the same scam on both, which would not have worked."

Kaminsky went on to say media organizations are unendingly fascinated by the mystery of Satoshi Nakamoto's true identity, calling it "Moby Dick for tech reporters." He said revealing the identity of the bitcoin creator would mean "bitcoin would have to decide if there was a decider now."

Weaver said the bigger issue is Nakamoto holds approximately 1 million bitcoins -- currently worth $443 million -- and what happens with those bitcoins could have a huge effect on the market.

"The early coins do matter very much, since bitcoin's value depends on belief: Someone who dumped a huge amount of coins could negatively affect the small market," Weaver said. "Since Satoshi's motives are very important over the possibility of such a dump happening in the future, there is a good reason to want to know who Satoshi is."

Matthew Green, cryptography professor at Johns Hopkins University, echoed this idea on Twitter.

Both Craig Wright and Gavin Andresen refused to comment for this story.

Rory Cellan-Jones, technology correspondent for the BBC, tweeted that Wright would provide further proof that he is the bitcoin creator. Wright posted that he would be providing "extraordinary proof" over the coming days. However, skeptics have already jumped on the wording used in both.

Matt Blaze, cryptographic researcher and associate professor of computer and information science at the University of Pennsylvania, summed it up:

Next Steps

Learn why bitcoin security is still a concern.

Find out if white box cryptography can save your apps.

Discuss if open source cryptography libraries can be trusted.

Dig Deeper on Information security laws, investigations and ethics