A trace of Satoshi? Hal Finney's signed message under the magnifying glass

The emergence of a signed message from Hal Finney, the recipient of the very first Bitcoin transaction, has had the rumor mill surrounding Satoshi Nakamoto's identity bubbling for several days. One of our developers, Johannes Zweng, got to the bottom of the story.

A few days ago, another sensationalist news item emerged, promising new clues to the true identity of Satoshi Nakamoto: Allegedly, an old message signed by Hal Finney had surfaced (published by Martin Shkreli in a blog post), suggesting that Paul Le Roux was behind the synonym of Satoshi Nakamoto.

Let's look at the facts about this story.

The signed message

Right away: Yes, a valid signed message has indeed appeared!

Bitcoin Address:

1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3

Signature:

HM7vpPSUbNsfDHRX6gv8xxWcVNHEc/3pOk0YrVehaGoUdbWizznfzOdELkLd1EjSXsW1oE5vHAkNAPzrAVzhuoI=

Signed text message:

This Transaction was made by Paul Leroux to Hal Finney on January 12, 2009 #bitcoin

Source: twitter.com

Anyone can use their own Bitcoin Node, or a Bitcoin Wallet such as the Blue Wallet, Electrum Wallet, or even verify online themselves that this signature is cryptographically valid:

Here we see the validity on the command line of a Bitcoin Core Full Node:

> bitcoin-cli verifymessage "1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3" "HM7vpPSUbNsfDHRX6gv8xxWcVNHEc/3pOk0YrVehaGoUdbWizznfzOdELkLd1EjSXsW1oE5vHAkNAPzrAVzhuoI=" "This Transaction was made by Paul Leroux to Hal Finney on January 12, 2009 #bitcoin"

> true 

Fact check

The address 1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3 actually belonged to Hal Finney. This address, or more technically "the public key behind this address", was the recipient of the very first Bitcoin transaction that ever took place. It is publicly known that this transaction was sent by Satoshi Nakamoto to Hal Finney (Hal also mentions this here in his bitcointalk forum post). Here we see this first bitcoin transaction on various block explorers:

On mempool.space you can see (correctly) that the transaction did not actually go to this address, but to the raw (unhashed) public key. These unhashed public keys were known as "pay-2-pubkey" or "P2PK" for short, which was an alternative format for transactions in the early days, but that's a story for another blog post ;-).

In summary

  • Yes, this public key results in the address 1Q2TWHE...
  • Yes, the private key behind this address belonged to Hal Finney in 2009
  • Yes, the signature mentioned at the beginning can only have been created with knowledge of this private key (this is cryptographically secured)

Source: twitter.com

What does it mean?

So, what now? Is Paul Le Roux really Satoshi now? Or are there still points that should be questioned in this story?
Inany case, there are several points that indicate that there are inconsistencies in this story:

Technical indications

Message prefix

The transaction from Satoshi (allegedly Paul Le Roux) to Hal Finney mentioned in the news took place in January 2009.

But: The functionality to sign text messages with the private key of Bitcoin addresses was only integrated into the Bitcoin software in 2011. Of course, it was already possible to create cryptographic signatures with the private key of an address in 2009 (after all, this is the core of every Bitcoin transaction), but these signatures use a different format.

An important detail about such signatures of text messages is the fact that it is not the message itself that is signed, but the hash value of the message. This is a common practice in cryptographic systems. However, and this is an important clue in this story, the text messages are "prefixed" with a constant text before hashing. This, too, is common practice in cryptographic systems to prevent unknowingly signing a block of data that might be used elsewhere.

This static prefix is for Bitcoin: "Bitcoin Signed Message:\n".

The signature of the text message mentioned at the beginning is only cryptographically valid if the text message is provided with this prefix and the hash is calculated afterwards. 

But: this prefix was first mentioned in this commit of September 27, 2011. Before that, this prefix was not defined (in fact, another prefix was considered before, namely "Padding Text " - see this commit). 

This means: the signature in question could not have been created in this form in 2009 at all. Nobody could have known then that almost 3 years later this prefix would be used when signing text messages.

Coding the signature

An additional indication also speaks against the year 2009:

The signatures of Bitcoin transactions were represented in DER format (a technical standard for representing signature data that existed before Bitcoin) at the time. This format was adopted by the "openssl" software library used at the time.

In general, signatures in ECDSA (a cryptography system based on elliptic curves used by Bitcoin) actually consist of only two large integers: the "r" and the "s" value (see also ECDSA signature).

However, for signatures of text messages, like the one above, a shortened representation format of the signature has been agreed upon (not the DER format). This representation simply contains these two numbers (each 256 bits long, so each 32 bytes) plus one byte of meta information as prefix (so in total 65 bytes long).

But also this format, at that time named "Compact signatures", was only developed in the course of the "signmessage" feature in this commit, in September 2011 introduced.

Although it would be technically possible to convert a signature represented in DER format into this "Compact Signature" format (this indication is therefore not as relevant as the one in the previous point), the fact that the signature mentioned at the beginning uses the Compact format indicates that this signature was created only after 2011.

Signature not from Satoshi himself:

And last but not least, why would the recipient (i.e. Hal Finney) sign himself a message that Paul Le Roux sent him a transaction? It would be much more meaningful and credible if the sender (i.e. Satoshi) had signed a text message with his private key. But that never happened!

Conclusion

Whoever created this message signature was definitely in possession of the private key that Hal Finney had in use at the beginning of 2009. However, it can be ruled out that this signature was actually created back in 2009. 

Furthermore, it was known before that this private key was still used after the death of Hal Finney († 2014)(this transaction from 2017 proves this, for example).

Which person or which group is now in possession of this key, and how they came into possession of it, is not known, and we do not want to engage in speculation at this point.

Source: braiins.com

Sources and further information

History of Bitcoin's "signmessage feature":

  • In April 2011 (i.e. more than 2 years after the transaction from Satoshi to Hal Finney) the feature "signmessage" was discussed for the first time, at that time suggested by Bitcointalk user "khal": here is his Bitcointalk thread about it and the discussion in his pull request (#183) on Github.

  • As today, before the hash value of the text message is calculated, it is provided with a static prefix. In khal's initial proposal, however, this was (unlike today) the string "Padding text -" (see his commit). The pull request was not yet merged, but further discussed in the Bitcointalk forum (at that time actually still forum.bitcoin.org).

  • It wasn't until a few months later (late September 2011) that the feature was actually added to Bitcoin's codebase, as part of Pull Request #524

  • And only in this pull request the today used messag prefix was added (see here in the commit), as well as the today used signature encoding "compact signature" (see here in this commit).

Thanks for reading my contribution to this topic and until next time - yours Johnny.