@johnzweng
Last active March 14, 2024 17:21
Some technical facts around the story about the message allegedly signed by Hal Finney about Paul Le Roux being Satoshi.

New signs of Satoshi?

A few days ago, another sensationalist news story emerged, promising new clues regarding the true identity of Satoshi Nakamoto: Allegedly, an old message signed by Hal Finney had surfaced (published by Martin Shkreli in this blog post), suggesting that Paul Le Roux was the person behind the pseudonym Satoshi Nakamoto.

I briefly highlight the facts surrounding this story:

The signed message:

Right away, yes indeed, a valid signed message has surfaced:

Bitcoin address:

1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3

Signature:

HM7vpPSUbNsfDHRX6gv8xxWcVNHEc/3pOk0YrVehaGoUdbWizznfzOdELkLd1EjSXsW1oE5vHAkNAPzrAVzhuoI=

Signed text message:

This Transaction was made by Paul Leroux to Hal Finney on January 12, 2009 #bitcoin

Anyone can verify with their own Bitcoin node (or a Bitcoin wallet such as BlueWallet or Electrum, or online, e.g. here) that this signature is indeed cryptographically valid:

Here for example on the command line of a Bitcoin Core full node:

> bitcoin-cli verifymessage "1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3" "HM7vpPSUbNsfDHRX6gv8xxWcVNHEc/3pOk0YrVehaGoUdbWizznfzOdELkLd1EjSXsW1oE5vHAkNAPzrAVzhuoI=" "This Transaction was made by Paul Leroux to Hal Finney on January 12, 2009 #bitcoin"

> true

Facts:

Yes, the address 1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3 did indeed belong to Hal Finney. This address (more technically correct: the public key behind this address) was the recipient of the very first Bitcoin transaction ever made, and it’s publicly known that Satoshi Nakamoto sent this transaction to Hal Finney (Hal also mentions this here in his post on the Bitcointalk forum). You can view this first Bitcoin transaction here on block explorers:

On mempool.space you can see (correctly) that the transaction didn't actually go to the address, but to the raw (unhashed) public key (pay-2-pubkey, or "P2PK" for short – this was an alternative format for transaction output scripts in early days used for the pay-to-IP-address feature and coinbase transactions).

In summary:

  • yes, this public key results in the address 1Q2TWHE....
  • yes, the private key behind this address belonged to Hal Finney in 2009
  • yes, the signature mentioned at the beginning can only have been created with knowledge of this private key (this is cryptographically assured)

What does that mean?

So, what now? Is Paul Le Roux really Satoshi? Or are there still points that should be questioned in this story?

Well, there are several points that indicate that there are at least some inconsistencies in this narrative:

Technical evidence:

Message prefix

The transaction from Satoshi (allegedly Paul Le Roux) to Hal Finney mentioned in the signed message took place in January 2009.

However, the functionality to sign text messages with the private key of Bitcoin addresses was only integrated into the Bitcoin software in 2011. Of course, it was already possible to create cryptographic signatures with the private key of a Bitcoin address in 2009 (after all, this is the core of every Bitcoin transaction), but these signatures use a different format.

An important detail about such text-message signatures is that the hash value of the message is signed, not the message itself (this is common practice in cryptographic systems). However, and this is an important indication in this story, the text message is prefixed with a constant text before hashing (this is also common practice in cryptographic systems, to avoid unknowingly signing a piece of data that might be used elsewhere).

In Bitcoin, this static prefix is: "Bitcoin Signed Message:\n".

The signature of the text message mentioned at the beginning of this blog post is only cryptographically valid if you prefix the text message with exactly this prefix before the hash value of the message is calculated.

However, this prefix was first mentioned in this commit of September 27, 2011. Before that, this prefix was not defined yet (in fact, even a different prefix was proposed before, namely "Padding text - " – see this commit).

This means that the signature quoted at the beginning could not have been created in this form in 2009 at all. Nobody could have known back then that almost 3 years later developers would agree on using this prefix for signing text messages.

Encoding of the signature

An additional indication also speaks against the year 2009:

The signatures of Bitcoin transactions at that time were encoded in DER format (a technical standard for representing signature data that existed before Bitcoin). This format was adopted from the "openssl" software library used at the time.

In general, signatures in ECDSA (a cryptographic system based on elliptic curves, used by Bitcoin) basically consist of only two large integers: the "r" and the "s" value (see also ECDSA signature).

However, for text message signatures such as the one above, an abbreviated representation of the signature was agreed on (not DER format). This representation simply consists of these two numbers (each 256 bits long, i.e. 32 bytes each) plus one byte of meta information as a prefix (i.e. 65 bytes long in total).

This format (called "Compact signatures" at that time) was also introduced in the course of the "signmessage" feature in this commit in September 2011.

While it would be technically possible to convert a signature represented in DER format to this "compact signature" format, the fact that the published signature is encoded this way is still an indication that it was created after 2011 (but it's not as strong as the argument in the previous paragraph).
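To make the two points above concrete (the "Message prefix" and the "Encoding of the signature"), here is an added Python example, not code from the original gist or from Bitcoin Core: it builds the digest that is actually signed, including the "Bitcoin Signed Message:\n" prefix, and splits the published signature into the 65-byte compact layout, with a DER re-encoding of the same r and s for comparison. The function names are made up for this example, and the header-byte interpretation (27 plus a recovery id, plus 4 for a compressed key) follows the convention used by current Bitcoin software; public-key recovery itself is left to `bitcoin-cli verifymessage`.

```python
import base64
import hashlib

# Values quoted on this page.
MESSAGE = "This Transaction was made by Paul Leroux to Hal Finney on January 12, 2009 #bitcoin"
SIGNATURE_B64 = "HM7vpPSUbNsfDHRX6gv8xxWcVNHEc/3pOk0YrVehaGoUdbWizznfzOdELkLd1EjSXsW1oE5vHAkNAPzrAVzhuoI="
MAGIC = b"Bitcoin Signed Message:\n"  # prefix introduced in September 2011


def varstr(data: bytes) -> bytes:
    """Length-prefix data the way Bitcoin serializes short strings (< 253 bytes)."""
    if len(data) >= 253:
        raise ValueError("longer strings need a multi-byte length prefix")
    return bytes([len(data)]) + data


def signed_message_digest(message: str) -> bytes:
    """Double SHA-256 over the length-prefixed magic and length-prefixed message."""
    preimage = varstr(MAGIC) + varstr(message.encode("utf-8"))
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()


def parse_compact(sig_b64: str) -> dict:
    """Split a 65-byte compact signature into header byte, r and s."""
    raw = base64.b64decode(sig_b64, validate=True)
    if len(raw) != 65:
        raise ValueError(f"expected 65 bytes, got {len(raw)}")
    header = raw[0]
    if not 27 <= header <= 34:
        raise ValueError(f"unexpected header byte {header}")
    return {
        "header": header,
        "recovery_id": (header - 27) & 3,
        "compressed_pubkey": header >= 31,
        "r": int.from_bytes(raw[1:33], "big"),
        "s": int.from_bytes(raw[33:65], "big"),
    }


def der_encode(r: int, s: int) -> bytes:
    """Encode (r, s) as the DER SEQUENCE of two INTEGERs used in transactions."""
    def der_int(n: int) -> bytes:
        body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
        return b"\x02" + bytes([len(body)]) + body
    content = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(content)]) + content
```

Calling `parse_compact(SIGNATURE_B64)` shows the one-byte header followed by two 32-byte integers, whereas `der_encode` wraps the same two integers in ASN.1 tags and lengths, which is the form a 2009 transaction signature would have had.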

Signature not from Satoshi:

And last but not least, why would the receiver (i.e. Hal Finney) himself sign a message saying that Paul Le Roux sent him a transaction? It would be much more convincing if the sender (i.e. Satoshi) had signed a message with his private key. But that never happened...

Conclusion

Whoever created the signature of the message was definitely in possession of the private key that Hal Finney had in use at the beginning of 2009. However, it can be ruled out that this signature was actually created in 2009.

Furthermore, it was already known before that this private key was still in use after Hal Finney's death († 2014) (for example this transaction from 2017 proves this).

The fact is, it is not known who currently holds this key or how they came into possession of it, and I refrain from useless speculation on this matter.

References

History of the “signmessage” feature in Bitcoin:

  • In April 2011 (i.e. more than 2 years after the transaction from Satoshi to Hal Finney) the feature "signmessage" was discussed for the first time, at that time suggested by Bitcointalk user "khal": here is his Bitcointalk thread about it and the discussion in his pull request (#183) on Github.
  • Like today, before the hash value of the text message is calculated, it is prefixed with a static string. In khal's initial proposal, however, this was still (unlike today) the string "Padding text -" (see his commit). The pull request did not get merged back then, but has been discussed further on the Bitcointalk forum (at that time actually still forum.bitcoin.org).
  • It wasn't until a few months later (late September 2011) that the feature was actually added to Bitcoin's codebase, with pull request #524.
  • It was this pull request from September 2011 where the message prefix in its current form actually was added (see here in the commit), as well as the "compact signature" encoding as it is used today for signatures of text messages (see here in this commit).