Something else that stinks about all this that I haven't seen commented on:
Supposedly, Chris Wright did his ridiculous laptop dance with Gavin Andresen because he didn't want Gavin to leak the signature early.
What a load of crap. These are supposedly real cryptographers we're talking about here. If you ask a cryptographer (including, presumably, Satoshi) how they would prove their identity to someone else such that the other person couldn't leak the proof, the answer doesn't involve airplanes and fishy laptops running dubiously authentic Windows programs. The answer is deniable authentication.
In the bitcoin case, it's trivial. Satoshi's public key is g^p for some p that only Satoshi knows (using multiplicative notation) on a well-known and hopefully secure elliptic curve. You can use this key for ECDSA, but you can also use it for, drumroll please, Diffie-Hellman. Gavin picks a random scalar b and tells Craig Wright g^b. Chris replies with (g^b)^p [1]. Gavin checks that the result is the same as (g^p)^b.
This is deniable: Gavin can trivially make up the transcript of the protocol, so Gavin can't use it to prematurely convince anyone of anything. No airplanes needed.
There are plenty of other ways to do this. Pretty much any zero-knowledge proof of knowledge would work.
[1] In practice, this should be blinded to avoid cross-protocol attacks and relay attacks. Craig could send something like H("Hi Gavin, I am Craig Wright, aka Satoshi Nakamoto" || (g^b)^p). A real cryptographer could double-check me here.
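As an added example (not code from the comment's author), here is the deniable Diffie-Hellman check described above, including the blinding hash from footnote [1], written in plain Python over secp256k1 (the curve Bitcoin keys live on). The point-encoding, the exact tag string and the `forge_transcript` helper are my assumptions about how one would write the idea down; the secret key in the test is a constructed value, not any real key.

```python
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, base point G.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Context string (assumed wording) that the footnote suggests hashing in,
# so the response is bound to this exchange and the raw shared point
# never leaves the prover.
TAG = b"Hi Gavin, I am Craig Wright, aka Satoshi Nakamoto"


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication by double-and-add (multiplicative g^k above)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def response(shared_point):
    """Blinded response H(tag || shared point) from footnote [1]."""
    return hashlib.sha256(TAG + encode_point(shared_point)).digest()


def verifier_challenge():
    """Gavin picks random scalar b and sends g^b (the point b*G)."""
    b = secrets.randbelow(N - 1) + 1
    return b, ec_mul(b, G)


def prover_respond(priv, challenge_point):
    """Prover computes (g^b)^p with his secret p and returns the hash."""
    return response(ec_mul(priv, challenge_point))


def verifier_check(b, pub, resp):
    """Gavin recomputes (g^p)^b from the public key and compares hashes."""
    return resp == response(ec_mul(b, pub))


def run_protocol(priv):
    """Full honest exchange; returns (public key, accepted?)."""
    pub = ec_mul(priv, G)
    b, challenge = verifier_challenge()
    resp = prover_respond(priv, challenge)
    return pub, verifier_check(b, pub, resp)


def forge_transcript(pub):
    """Deniability: the verifier alone, knowing only the public key,
    produces a (challenge, response) pair that passes the same check,
    so a transcript convinces nobody else."""
    b, challenge = verifier_challenge()
    return b, challenge, response(ec_mul(b, pub))
```

The forged transcript is produced without the secret scalar ever being involved, which is exactly why showing it to a third party proves nothing; only someone who chose b themselves learns anything from the exchange.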
Even easier: Gavin could ask Satoshi which public key he still has the private keys for and then encrypt a message like "Gavin dfHte48FswdeIgre35VGFqwOIhedds" using the public key and ask Satoshi to send him back the text. This proves to Gavin that Satoshi is Satoshi and Gavin can't turn and take that proof to anyone else.
That would be the rational thing to do, but you assume Wright is sane. Which he probably is not.
Also, has someone looked into the claim that he has the 17th fastest supercomputer? These things draw a lot of power (4,499.87 kW he claims) and produce a lot of heat. You can't hide it in your mother's basement... local authorities will know about it. So will the power company! So there should be a paper trail there? (also SGI denied selling him the system)
Wright's alleged system was 15th, now 17th fastest in the world: http://www.top500.org/system/178468
I assume Wright is sane and clever. His "magic" (as in "smoke and mirrors") presentations, a sample of which we saw online on his blog, clearly demonstrate his talent and the invested time to research, plan and organize the events. The only thing he underestimated is the speed with which the old and existing signature was recognized to be part of his public "proof." Without that it would stay long at "he said, she said" which would perfectly suit him. He planned that kind of development and he knows very well how he'd use his status of "claimed but not-fully-confirmed Satoshi."
An example:
"About six months ago, before he was publicly outed in the technology press, he approached Andrew O’Hagan, a Scottish novelist who wrote an “unauthorised autobiography” of Julian Assange, the founder of the whistle-blower site WikiLeaks. Since then the author, whose most recent novel, “The Illuminations”, was longlisted for the 2015 Man Booker Prize, has had complete access to Mr Wright and his family, as well as to his research and business colleagues. Mr O’Hagan is writing a long article for the London Review of Books(2) on Mr Wright and “his journey towards revealing his work.” (Mr O’Hagan, too, has come to be convinced that Mr Wright is Mr Nakamoto.)" (1)
2) http://www.lrb.co.uk/2016/05/01/andrew-ohagan/the-search-for... "Online exclusive · 1 May 2016: The full, long-form account will be published here later this month." "In a world exclusive for the London Review of Books, Andrew O’Hagan spent many months with Craig Wright, the man responsible for what Bill Gates has called ‘the technical tour de force of this generation’."
I can't wait to read O’Hagan's story. He should publish it even if he understands that he'll thus show how credulous he was.
> but some people start believing their own delusions
Like the belief that there "must be something more" than a clever trickster doing what's reasonable for him to do. For thousands of years, always a good start of the new religions.
I like Atheros' solution better as it doesn't involve any new "constructing" (like "pick a scalar p") just using the existing tool with the public key.
I am going to take your word for it that this makes sense. However, I think what you may be missing is that it doesn't matter if Wright convinces you or even "any" of the crypto/alt coin community. While mathematical proofs are hard/impossible to fake, you are a subset of people that understand them to the degree that you could employ them here.
I have no idea what Wright's end game is, as you are obviously correct: his assertions make no sense. However, if somehow he believed there was value in convincing non-technical members of the public he was Satoshi, I think that is quite possible. I find this truth to be self-evident:
A quick witted conman or charismatic person can certainly convince an untrained group that he is X, much easier than even a charismatic person could convince a group how to understand and employ a non-trivial group of mathematical equations.
We see this every day. It is totally possible, likely even, that if I can't understand your math, even if it is correct, and even if it is corroborated by others who understand it, I am weighing (or the general idea of "I" as the population) which person is correct based on a standard that is subjective. Possibly:
* He said he was Satoshi
* He had a crypto key I read about in wired.
* Gavin Andresen appeared to corroborate and I googled him and he is important.
So, you are totally correct. I agree with you as even if I don't understand your math, I am sure there is a mathematical way to prove he was Satoshi by using a different set of keys, a signature or other mathematical proof. Unfortunately, he will likely be able to exploit Satoshi's name.
> A quick witted conman or charismatic person can certainly convince an untrained group that he is X
Which, given my limited understanding of bitcoin, is what makes the blockchain exponentially incorruptible. An attacker must convince all, not just X that she is Satoshi. Even if she manages this once, on the second iteration it becomes nearly impossible unless she has some capabilities outside the set of known possibilities.
So, he convinced people the first time around, just like Leah McGrath Goodman (about two years ago?) but the remainder of the compute nodes raised an inchoate response which invalidates those in agreement.
Eventually the consensus that he is an impostor propagates through the system. Eventually after the "buzz of the story" has died down the insight of experts (such as here) will be sought.
His attack "could" work if the experts were not consulted in this way, which I think is only possible in a pervasive 1984 scenario, but even still would bitcoin even be relevant in such a world?
It's hard to believe a cryptographer could think such an attack could work so I can only imagine, given he is an academic he has some sort of surreptitious goal in mind, such as to demonstrate to students the difficulties in attacking this system?
> An attacker must convince all, not just X that she is Satoshi.
I don't see how you make any connection between how blockchain operations work and "convincing somebody who is Satoshi."
"Convincing" even "everybody" wouldn't get Wright the chance to use the bitcoins of real Satoshi, Wright'd still need a real key. Which wasn't used since the original times, certainly not by Wright.
I'm echoing blockchain as a metaphor for consensus - conflating even. I just thought there were interesting parallels between the technology and the actual social scenario that is being played out here.
Another thing is that Gavin is a trusted individual in the Bitcoin community, and CW is someone who backdated PGP keys in Satoshi's name. A zero-knowledge proof would perhaps have been logical with a more anonymous member of the community. But Gavin's word is the only evidence to this whole story.
If Gavin had leaked the signature, that would probably have spawned more speculation that Gavin is Satoshi rather than that CW is.
And presumably the reason to control the signature release is to make a big public bang. Kept secret it is useless. The only reason for that would be to make a public fool out of Gavin. Not very nice any way you look at it.
Note that your protocol isn't actually a zero-knowledge proof. While transcripts can be made up, a third person observing everything Gavin does would absolutely be convinced by the exchange. For a real interactive zero-knowledge proof, even a dishonest prover has a good chance to provide a correct answer at each step. This isn't the case with the DH exchange.
Only sort of. Gavin would have a hard time convincing the eavesdropper that he didn't leak b to Wright.
A much bigger issue in my mind is that, if Wright doesn't hash the final derived key properly, then Gavin can steal money from Wright/Satoshi -- Gavin would never have proved that he generated the challenge the way he said he did, and Gavin could use Wright as an exponentiation oracle.
Also, I suspect that my protocol can be abused by Gavin to defeat the deniability property if he properly manipulates his challenge. I'm not sure and haven't looked carefully, though.