2016-05-16

Deniable proof of Satoshi

About two weeks ago in the Bitcoin community we were dealing with a bit of drama surrounding dr. Craig Wright claiming to be Satoshi, convincing Gavin Andresen of the fact with a shady signature, and then proceeding to be thoroughly debunked when a public proof was released. After which, Craig continued with his claim for a little while, saying he would move some old coins to prove he is indeed Satoshi, before quitting the Internet because people are such meanies.

What Craig's "signature proof" essentially looked like


One of the reasons why this hoax gained any legitimacy, was because Craig was able to convince Gavin by providing a signature of some random phrase allegedly using Satoshi's private key. However, he didn't want anyone to release that proof, so everything was done in a controlled environment and nothing was allowed to leave the room to be analysed in more detail:

Gavin explaining how Craig convinced him,
and Vitalik Buterin explaining why it was very unlikely Craig was really Satoshi

While some people blame Gavin for being duped, I personally wouldn't hold any grudges - everyone makes mistakes, it's no big deal. However, lets look at how we could prepare ourselves for when the next bidder to the title of Satoshi comes along.

Deniable proof of Satoshi


One reason why Gavin was unable to debunk the claim early was due to Craig not letting Gavin perform deeper analysis on a signature of a random phrase. This was allegedly to ensure Gavin couldn't leak the proof before the big reveal was supposed to happen. A reasonable precaution a legitimate claimant might make. If you would skip all of the drama, all the proof you would need would look like:


However, if the claimant would still insist on a big reveal or otherwise keeping his identity rather secret, /u/emansipater came up with quite a clever way to create a deniable proof of being Satoshi. Simplified:


  1. Verifier creates a random phrase, number or whatever with sufficient enough entropy
  2. They encrypt the message with Satoshi's public key
  3. They send the encrypted message to the claimant
  4. The claimant then proceeds to decrypt the message and return it unencrypted

This proves that the claimant is indeed in the possession of the private key (otherwise they wouldn't be able to decrypt anything), but at the same time the proof is completely deniable as it relies on the negative - the claimant NOT knowing what the random phrase is. As you cannot at any point prove the secret was NOT shared with anyone before being decrypted, the proof only works for you - you know you haven't released the secret, but you can't prove that.

This simple challenge would be enough to allow Gavin to have a strong proof of whether or not Craig was Satoshi, and it would allow Craig to be able to deny any leaks before doing a proper reveal. However, as his intent didn't appear to be to create a proof, but rather to deceive, obviously this wouldn't be the approach taken.

Conclusions


It is possible to create a deniable proof of owning a particular private key. Any future claims to someone being Satoshi or not should first pass through at least such a filter before they are given any credibility. Alternatively, you could just expect Satoshi to flat-out publish his proof for anyone to verify and possibly falsify without any drama.

Perhaps verifiers could also require some moderate BTC deposit (perhaps 50BTC?) before any claims are verified, to be returned if the claimant reveals themselves to be Satoshi within a certain amount of time. The deposit could either stay with the verifier, or be deposited at some Bitcoin charity.

EDIT:

The original wording of the article implied a personal attack on Gavin. It was not intentional. The sentence has been rephrased.

3 comments:

  1. Shouldn't #2 be "They encrypt the message with Satoshi's public key"?

    ReplyDelete
  2. Requiring a deposit can be done trustlessly using a timelocked transaction. (Require a Satoshi key to spend it before the timelock expires, else permit the verifier to use his own key.) Nice article!

    ReplyDelete