If you spend any time at all reading about the history of Bitcoin and other related currencies, it's clear that Satoshi was a cypherpunk, and at least an active lurker, if not a well-known participant, in the cypherpunks mailing list during the 1990s and early 2000s. Just look at the sources in the bitcoin paper. Satoshi cites lots of cypherpunks, and not many mainstream academics. The code borrows time-stamping ideas from Usenet and takes inspiration from command-and-control architectures of IRC botnets.
The pieces of the puzzle are:
- (1997) Adam Back's hashcash proof of work system
- (1998) Wei Dai's b-money
- (1998-2005) Nick Szabo's writings about bit gold
- (2004) Hal Finney's reusable proof of work (RPOW)
Satoshi brought these ideas -- cypherpunk ideas -- together to make Bitcoin, not the ideas about improving Chaumian blind signatures and anonymous e-cash that were being discussed in the academic crypto literature of the time. Remember, cypherpunks (and others inspired by Tim May's crypto-anarchy) have a long history of communicating anonymously. Anonymous remailers and pseudonyms were expected on the list, so it's not unusual to see Satoshi Nakamoto come out of this tradition.
There are probably people who know the identity of Satoshi Nakamoto, but they're not going to tell. They're cypherpunks, after all. And if Satoshi stays anonymous, it just means that everything is going exactly as planned.
He might be one of these people:
Here are some forum post timestamps:
I also feel it is necessary to point out that it is completely possible to spoof forum posts to match his writing style and C++ idioms. So there might be someone posing as a "second satoshi" waiting to be discovered by phrase analysis. This is one of the vulnerabilities of his pseudonym.
You should all use it too, because it just makes too much sense. :)
No, seriously, please start using yyyy-mm-dd whenever and wherever you can. It is most especially useful when you're doing text analysis; it makes life very easy there.
The file "datetimes.yaml" contains a list of serialized ISO 8601 timestamps because that's how you represent timestamps in yaml. These timestamps represent the different timestamps that bitcointalk.org gives to the posts made by the Satoshi pseudonym.
I am not implying that anyone who uses ISO 8601 might be Satoshi. Rather, I am providing you with a list of timestamps in ISO 8601 format. I am making no claims about how Satoshi tends to write timestamps (and I don't remember if I even looked at that, I think I got bored).
These timestamps can be used to determine which timezone he is a member of, or which timezone he wanted you to think he was a member of, or to compare against other email headers. For example, I would love to compare this data against a historically-accurate cypherpunk email archive. (I do not have one at the moment.)
However, he could have written some small amount of software to delay the posts he wrote to the forum, but some of them look very timely. He could also have written software to delay the times that his posts were posted, to make it sync up with the timestamps of another cypherpunk member (which would be hilarious and evil).
I think a more thorough analysis would have to look at each individual Satoshi forum post and determine whether or not it was written "probably delayed", because sometimes the delta between the post he wrote and the post he was replying to was very tiny, which would improve the chances that he was not on a delay timer (unless he spoofed all questions he replied to, which I also doubt).
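As an added example (this is not the poster's code and is not derived from the real datetimes.yaml), here is the kind of analysis the preceding paragraphs describe: read the ISO 8601 list, bucket posts by UTC hour of day, treat the longest daily gap in activity as the poster's night and turn it into a candidate UTC offset, and check reply-to-parent deltas for the "probably delayed" question. The timestamps and reply pairs below are constructed so the method has something to find; the assumption that the middle of the sleep gap is about 04:00 local is an assumption, and the answer is only as honest as the poster's clock, which is exactly the caveat already made above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, NOT the real datetimes.yaml: ISO 8601 timestamps in the
# flat YAML list form the post describes, clustered in UTC afternoon/evening.
SAMPLE_YAML = """
- 2009-11-22T18:04:21+00:00
- 2009-11-22T23:17:09+00:00
- 2009-11-23T02:41:55+00:00
- 2009-11-23T14:02:10+00:00
- 2009-11-23T19:30:00+00:00
- 2009-11-24T01:12:43+00:00
- 2009-11-24T04:58:00+00:00
- 2009-11-24T16:20:31+00:00
- 2009-11-24T22:05:12+00:00
- 2009-11-25T13:47:59+00:00
- 2009-11-25T20:15:00+00:00
- 2009-11-26T03:33:21+00:00
"""

def parse_iso8601(text):
    """Parse one ISO 8601 timestamp into an aware UTC datetime.
    Accepts a trailing 'Z' and naive values (assumed UTC, as forum exports usually are)."""
    s = text.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def parse_yaml_list(yaml_text):
    """Minimal reader for a flat YAML list of scalars (avoids a PyYAML dependency)."""
    return [parse_iso8601(line[2:]) for line in yaml_text.splitlines()
            if line.startswith("- ")]

def hour_histogram(stamps):
    """Posts per UTC hour of day, as a 24-entry list."""
    counts = Counter(dt.hour for dt in stamps)
    return [counts.get(h, 0) for h in range(24)]

def longest_quiet_run(hist, max_count=0):
    """(start_hour, length) of the longest circular run of hours with <= max_count posts.
    The longest daily gap in activity is the best proxy for when the poster sleeps."""
    quiet = [c <= max_count for c in hist]
    if all(quiet):
        return (0, 24)
    best = (0, 0)
    for start in range(24):
        if not quiet[start] or quiet[(start - 1) % 24]:
            continue  # only scan from the first hour of a run
        length = 0
        while quiet[(start + length) % 24]:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best

def estimate_utc_offset(hist, local_sleep_centre=4.0):
    """Offset (hours east of UTC) that places the middle of the quiet run at
    local_sleep_centre o'clock, i.e. the zone in which the posting gap looks like night.
    Returns None when there is no quiet hour; an uncertainty of an hour or so is inherent."""
    start, length = longest_quiet_run(hist)
    if length == 0:
        return None
    centre_utc = (start + length / 2) % 24
    offset = local_sleep_centre - centre_utc
    return ((offset + 12) % 24) - 12   # normalise into [-12, 12)

def reply_deltas(pairs, live_threshold=timedelta(minutes=15)):
    """For (reply, parent) ISO timestamp pairs, compute the gap. A reply posted within
    live_threshold of the post it answers is unlikely to have sat in a delay queue."""
    out = []
    for reply, parent in pairs:
        delta = parse_iso8601(reply) - parse_iso8601(parent)
        out.append({"delta_seconds": int(delta.total_seconds()),
                    "probably_live": timedelta(0) <= delta < live_threshold})
    return out

# Constructed reply/parent pairs (not real forum data).
SAMPLE_REPLIES = [
    ("2009-11-23T02:41:55+00:00", "2009-11-23T02:36:10+00:00"),  # answered within minutes
    ("2009-11-24T16:20:31+00:00", "2009-11-24T09:02:00+00:00"),  # hours later: inconclusive
]

if __name__ == "__main__":
    hist = hour_histogram(parse_yaml_list(SAMPLE_YAML))
    print("UTC hour histogram:", hist)
    print("quiet run (start, length):", longest_quiet_run(hist))
    print("estimated UTC offset:", estimate_utc_offset(hist))
    for r in reply_deltas(SAMPLE_REPLIES):
        print(r)
```

On the constructed sample the quiet run is 05:00-13:00 UTC, which puts the estimated offset at UTC-5; with real data, compare the histogram against the same analysis run on a candidate's mailing-list headers rather than trusting a single offset.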
Satoshi was definitely familiar with discussions of smart contracts and smart property. You can see this in the design of Bitcoin transaction scripts. While most of the opcodes were disabled in late 2012 due to security concerns, the overall design shows some incredible forethought.
- (2005) Aspnes and Jackson. Exposing Computationally Challenged Byzantine Impostors. Yale Tech Report.
This is (more) evidence that Satoshi isn't a distributed systems academic.
Anyone who is looking at professional cryptographers or accomplished researchers is looking in the wrong place. Bitcoin is the work of amateurs and enthusiasts, the sort of people who flood sci.crypt with claims about new cryptosystems and ignore the experts who still take the time to post there. It only caught on because it appeals to libertarians and anarchists, and eventually was promoted enough that mainstream media outlets were afraid that they would be left behind on reporting "the next big thing."
That it is popular does not demonstrate that it was not designed by amateurs and enthusiasts. Many popular systems were hacked together by amateurs. Fidonet was the work of amateurs -- a global computer network that remains in use to this very day.
It is also not the case that systems trusted with large amounts of money must necessarily be secure. If the past 20 years have taught us anything, it is that security is not even within the consciousness of most users of payment systems, at least when it comes to online payments. That credit cards were ever used for Internet payments, rather than Chaum's systems, should be proof enough of that. All that stands between most people's bank accounts and a potential thief is a password, yet there is little demand for smartcards or other more secure systems.
"Message encryption, TLS, and Secure Shell are generally trusted as being secure, but all pale in comparison to the complexity of bitcoin in terms of what they attempt to achieve"
Why separate encryption from TLS and SSH? TLS and SSH are encryption (and authentication) systems. Here, on the other hand, is a secure multiparty computation system that has served a large user base for over a decade without major incident:
The most major attack on remailers so far was the recent attempt to de-anonymize the Pittsburgh bomb threats. It is unclear if the FBI was able to break the security of Mixmaster even after compromising numerous remailers; a man has been indicted, but the evidence (last I checked) remains secret. It seems unlikely, unless the FBI had compromised all the remailers except for the ones they raided prior to their investigation; that would mean that the FBI had effectively compromised the whole network, which is beyond what any secure computation system can protect against.
Similarly, there is the Danish Sugar Beet Auction system. This system has fewer workers than Mixmaster, and certainly less than Bitcoin, but it was designed and engineered by prominent researchers and serves thousands of users (only a slightly smaller scale than Bitcoin). The system has been used for a few years now:
"Yes, bitcoin is vulnerable to a 51% network attack"
Let's be very clear here: Bitcoin is not merely vulnerable to a majority of parties behaving maliciously; that would be acceptable in a multiparty computation system. What Bitcoin is vulnerable to is one party working just slightly harder than all the other parties. In other words, a single malicious party, working in polynomial time, can successfully attack Bitcoin (whatever the definition of a successful attack actually is). The attack allows one party to deny confirmations on transactions involving another party. It allows one party to double-spend the currency. It allows one party to prevent other parties from being paid for mining.
This is why I said Bitcoin is the work of amateurs and enthusiasts. This is the sort of attack that nobody in the cryptography research community would consider acceptable. This is not merely a disconnect between theory and practice (as is the case with PGP, TLS, and Mixmaster, all of which diverge somewhat from their theoretical foundations); the vulnerability exists in the very design of the Bitcoin protocol.
There are other signs that Bitcoin is the work of amateurs. The protocol specification is hard to pin down; much of the design is documented only with code, rather than in the original paper. There is no threat model and no formal security definition. The security analysis in the original paper focuses on a specific method of attacking Bitcoin, without ruling out any other methods. None of this is something you would expect to see out of expert cryptographers, and to suggest that it is the work of an accomplished mathematician is beyond wishful thinking.
If you want to compare Bitcoin to the work of experts, why don't you take a look at the work of experts? Here, for example, is some important work in the field of secure multiparty computation:
Does the original Bitcoin paper even remotely resemble this? Here is an earlier, shorter work; can you honestly say that the original Bitcoin paper even resembles this:
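To make the "one party working slightly harder" point and the "focuses on a specific method of attacking" point concrete, here is the Bitcoin paper's own section 11 calculation, reimplemented as an added example (not the commenter's code, and not code from the Bitcoin project). It models only the one attack the paper analyses: an attacker with fraction q of the hash rate trying to replace a chain after the victim has waited z confirmations. The whitepaper states that the catch-up probability is 1 whenever q >= 1/2, so the function returns 1.0 there and only runs the Poisson sum for the minority case; nothing here says anything about colluding subsets, implementation bugs, or other attacks, which is the commenter's complaint.

```python
import math

def attacker_success_probability(q, z):
    """Probability that an attacker controlling fraction q of the hash rate ever
    catches up from z blocks behind (Bitcoin paper, section 11: a gambler's-ruin
    race where the attacker's progress during the honest z blocks is Poisson).
    An attacker with q >= 1/2 succeeds with certainty for any z."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a fraction of total hash rate in [0, 1)")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)               # expected attacker blocks while honest mine z
    total = 1.0
    poisson = math.exp(-lam)        # P[k = 0]
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k      # P[k] from P[k - 1]
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)

def confirmations_for(q, target=0.001, z_max=10_000):
    """Smallest z at which the attacker's success probability drops below target,
    or None if it never does (q >= 1/2): there is no safe confirmation depth."""
    if q >= 0.5:
        return None
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < target:
            return z
    return None

def race_table(qs=(0.1, 0.3, 0.49, 0.51), zs=(0, 1, 2, 6, 10)):
    """Success probabilities for several hash-rate shares and confirmation depths."""
    return {q: [round(attacker_success_probability(q, z), 4) for z in zs] for q in qs}

if __name__ == "__main__":
    for q, row in race_table().items():
        print(f"q={q:.2f}", row, "confirmations for P < 0.1%:", confirmations_for(q))
```

Note what the table shows: at q = 0.49 the probability still falls with z, at q = 0.51 it is 1.0 in every column, and because the result depends only on q/p, an attacker who matches every hash-rate increase the honest miners make keeps exactly the same odds.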
I understand the risk of a single party attacker who controls more than half the network. But at this point, what kind of attacker can muster up that much computing power? Only a nation-state, billionaire, or large corporation could conceivably do so. And it's daily growing beyond their reach. Not only that, but their motive must be not just to make gains. They would have to want to destroy the bitcoin economy. Interestingly, the bitcoin economy has already survived a 24-block split without major calamity.
I had a look at the papers you linked to. The Canetti paper certainly seems more rigorous and formal. But the Danish Beet Auction paper actually doesn't seem too far from the Bitcoin whitepaper. The bitcoin paper is certainly the most concise.
Amateur or not, bitcoin may be the "worse is better" solution to low transaction fee, decentralized, online payments. If a better solution comes out, I'd love to hear about it.
There is already a single mining pool that nearly controls that much computing power. In general, though, it is a bad idea to ask these sorts of questions; what is really important is not "who might amass this much power" but rather, "what will the honest users do about it?" In the case of Bitcoin, once an attacker amasses enough computing power for the attack, the honest users would have to increase their own computing power to prevent the attack -- but the attacker would only have to add as much to their own computing power as the honest users add to theirs.
By comparison, Mixmaster uses 1024 bit public keys. Suppose someone amassed enough computing power to compute the corresponding secret keys, thus breaking the security of Mixmaster. Without adding any additional worker nodes, Mixmaster could be updated to use 2048 bit keys, or 4096 bit keys, or even larger keys. This would result in an exponential increase in the work needed to attack the system, at the cost of only a small increase in the work needed to run Mixmaster (small to the point of probably not requiring any new hardware).
"Not only that, but their motive must be not just to make gains. They would have to want to destroy the bitcoin economy."
I would also be wary of trying to guess an attacker's motives. The attacker may only be interested in blocking confirmations on transactions involving a specific party (e.g. maybe the US government wants to prevent Wikileaks from receiving donations). The attacker may have some goal that we cannot even imagine without knowing the attacker's particular circumstances.
"Interestingly, the bitcoin economy has already survived a 24-block split without major calamity."
Yes, but that incident was (apparently) accidental. The fact that such a thing can accidentally happen is pretty bad news. To borrow Bruce Schneier's analogy, a house can accidentally burn down; an arsonist will maliciously cause that to happen, and will do so in the worst way possible. An attacker will try to trigger such a fork, whether by spending a large amount of computing time or by exploiting some implementation bug (e.g. maybe the attacker will do only slightly more work than other miners, searching for that one block that triggers a subtle bug in some version of Bitcoin).
Compare this to a secure multiparty computation system in the malicious model. In such a system, a node cannot accidentally break a security property -- because no node can deviate from the protocol in a way that breaks the security property.
"the Danish Beet Auction paper actually doesn't seem too far from the Bitcoin whitepaper"
There are a few key differences:
1. The security model is precisely defined: the adversary corrupts a minority of the worker nodes, any number of clients, and no node will deviate from the protocol.
2. While the security model is weak, the authors (a) acknowledge that it is weak, (b) give a justification for choosing a weak security model, and (c) explain how to strengthen the security model and what the trade-offs would be.
3. There is a formal proof of security, which rules out all polynomial time attacks within the security model.
The Bitcoin paper has none of the above. There is no clear security model, no justification for accepting the attack described in the paper itself, and no evidence that other attacks do not exist. The paper does not spend any time considering an attack conducted by some colluding subset of nodes, not even to explain why such an attack is unlikely or will not be considered.
"Amateur or not, bitcoin may be the "worse is better" solution to low transaction fee, decentralized, online payments."
Perhaps, but so what? The point was that Bitcoin was almost certainly not designed by a mathematics or cryptography researcher. Amateurs can certainly create systems that become popular. The Linux kernel was originally written by an amateur; if this were 1993 and someone tried to tell you that Ken Thompson was behind the Linux kernel, would you have believed it?
There are probably 10000 people who fit this profile, and who fit the profile of the bitcoin creator even better. This is dumb.
Finally reveals the true identity of Satoshi Nakamoto,
Nobody believes him.
Methinks Ted Nelson is pulling someone's chain. Maybe he can tell us the identity of The Joker, or Fuzzy Dunlop from The Wire.
I don't think it took evangelizing. Did Linux take evangelizing for it to get big? Bitcoin was something that, once properly implemented, was bound to get a lot of attention from cypherpunks. The big feat here is actually coding it up and having it work without too many issues. As for it getting big this year (with the value of BC going really high a month back), it was just one more way to get 'rich', so people jumped on it. It has an intrinsically viral nature.
For some definition, Linus Torvalds has awesome collaboration/evangelizing skills. A lot of otherwise great engineers can't be bothered to communicate and get people to adopt/contribute; sometimes they think evangelizing is a dirty word.
If he had wanted to speak to the man directly, he could have cryptographically done so. Tell the world that you know who he is, but not reveal the name, then publish a cryptographic hash of his name. That probably catches the real guy's attention (regardless of whether Ted got it right or not).
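An added example (not anything Nelson or the commenter published) of the commitment the comment proposes, together with the catch a practitioner should know: a bare hash of a short name does not hide it, because anyone holding a candidate list just hashes every name and compares. The commitment needs a random nonce, and it should be over a canonical form of the name so the later reveal cannot be disputed over spacing or case. The suspect list below is constructed from names that appear elsewhere on this page.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

NONCE_LEN = 32

def canonical(name: str) -> str:
    """Normalise the committed string (collapse whitespace, NFC, casefold) so the
    reveal cannot fail, or be disputed, over trivia. Publish this rule with the commitment."""
    return unicodedata.normalize("NFC", " ".join(name.split())).casefold()

def bare_hash(name: str) -> str:
    """What the comment suggests literally: a hash of the name alone."""
    return hashlib.sha256(canonical(name).encode("utf-8")).hexdigest()

def brute_force_bare(digest_hex: str, candidates) -> Optional[str]:
    """Anyone with a list of suspects reverses a bare hash by trial, because the
    input space (plausible names) is tiny."""
    for candidate in candidates:
        if hmac.compare_digest(bare_hash(candidate), digest_hex):
            return candidate
    return None

def commit(name: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Hiding commitment: SHA-256 over (random 32-byte nonce || 0x00 || canonical name).
    Publish the hex digest now; keep the nonce secret until the reveal."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly %d bytes" % NONCE_LEN)
    msg = nonce + b"\x00" + canonical(name).encode("utf-8")
    return hashlib.sha256(msg).hexdigest(), nonce

def verify(commitment_hex: str, name: str, nonce: bytes) -> bool:
    """Reveal check: recompute from the disclosed (name, nonce) and compare in constant time."""
    expected, _ = commit(name, nonce)
    return hmac.compare_digest(expected, commitment_hex)

# Constructed candidate list (names mentioned on this page), NOT an accusation.
SUSPECTS = ["Hal Finney", "Nick Szabo", "Wei Dai", "Shinichi Mochizuki"]

if __name__ == "__main__":
    weak = bare_hash("Shinichi Mochizuki")
    print("bare hash recovered as:", brute_force_bare(weak, SUSPECTS))
    c, n = commit("Shinichi Mochizuki")
    print("commitment:", c)
    print("dictionary attack on commitment:", brute_force_bare(c, SUSPECTS))
    print("reveal verifies:", verify(c, "shinichi mochizuki", n))
```

The reveal is the pair (name, nonce); until it is published, the digest tells a reader nothing beyond "I committed to some string", which is the property the comment is after.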
I see a lot of papers there in ordinary peer-reviewed journals.
Fast Company's investigation brought up circumstantial evidence that indicated a link between an encryption patent application filed by Neal King, Vladimir Oksman and Charles Bry on 15 August 2008, and the bitcoin.org domain name which was registered 72 hours later. The patent application (#20100042841) contained networking and encryption technologies similar to Bitcoin's. After textual analysis, the phrase "...computationally impractical to reverse" was found in both the patent application and bitcoin's whitepaper. All three inventors explicitly denied being Satoshi Nakamoto.
Nelson tells Quartz that he is offering to donate to charity if Mochizuki denies being Satoshi Nakamoto. "If that person denies being Satoshi, I will humbly give one bitcoin (at this instant worth about $123) to any charity he selects. If he is Satoshi and denies it, at least he will feel guilty. (One month time limit on denial -- bitcoins are going UP.)"
Sadly, Xanadu never became the success that Nelson foresaw, but "Computer Lib/Dream Machines" was full of all sorts of incredible new ideas, some Nelson's, some from others that he just collected in one accessible place. Keep in mind that the book was first published in 1974, two years before Jobs & Wozniak formed Apple Computer to sell the Apple I, and seven years before the first IBM PC.
He only became a computer scientist incidentally due to no one being capable of listening to the ideas of a filmmaker/philosopher and attributing technical fortitude to them. Like the previous poster, I recommend Computer Lib/Dream Machines
I assume he would be honest and deny it if he had no involvement. (but still would be cool to get this amazing guy's opinion about bitcoin tech)
If he was involved with bitcoin, I doubt he would lie about it. Instead he would simply not respond, thus confirming he really might be "Satoshi".
People raised in the Japanese culture express themselves very differently, though, and I'm not seeing that in this writing. This tends to survive, even when they're highly skilled in English, because they're not saying anything incorrectly, just differently. For example, one of my friends always refers to Earth as "our Earth" instead of "the Earth" (I rather like that one, personally).
Those patent applications don't really have anything to do with Bitcoin. But I guess if you're a journalist, anything crypto related looks like it has to do with Bitcoin.
And if I remember correctly, the bitcoin.org domain was registered by Satoshi using anonymousspeech.com, so that's also a clue.
Okay, this example is too harsh, but his few posts don't mean that he didn't.
Seriously though, it's a coincidence that could easily be explained in other ways. For instance, many people in niche fields tend to use the same phrases and discover things at the same time. Were Alexander Bell and Elisha Gray the same person?
I'd call it interesting evidence, but not a smoking gun.
Was there a date on Nelson's? I don't really buy it as being correct, but hey.
Reality is getting Hollyweirder by the minute...
In reality, a mathematician doesn't make significant contributions to two different completely separate fields that both get widespread media attention within the span of a few years.
Japanese is rather easy to pronounce once you learn which vowels to use and a few small tricks. The 'long' vowels are really just two separate syllables that get blurred together a little when adjacent. For example, 'ai' == ahh + eee blurred together and sounds like the word eye.