Conclusions on the private signing sessions

848.

It is clear that Dr Wright never publicly undertook a signing session or publicly posted a signature that would prove his possession of any of the keys associated with Satoshi. What he instead sought to do was conduct such sessions behind closed doors, with selected individuals who signed non-disclosure agreements (Mr Matonis, Mr Andresen and a few journalists). Prof Meiklejohn concluded: “In my view, the evidence provided in the signing sessions cannot be considered as reliable in establishing possession of the private key(s) corresponding to the public key(s) used”. In the Joint Statement, Mr Gao agreed with almost all parts of Prof Meiklejohn’s report concerning the signing sessions, including with that conclusion. As Prof Meiklejohn explained, the signing sessions omitted key steps which would have been required to make them reliable. All these matters remained common ground between the experts in their oral evidence.

849.

Furthermore, there were numerous flaws in the signing sessions which were conducted. For those with Mr Matonis and the journalists, Dr Wright used just his own laptop and adopted a method which would have been very easy to fake. The session with Mr Andresen was a little different, because he insisted on verification being performed on a computer other than Dr Wright’s own. However, Mr Andresen’s evidence in Kleiman, which was given with reference to earlier notes, makes clear that various steps were not taken to ensure reliability of the session. Furthermore, it is striking that Dr Wright’s evidence disagrees with Mr Andresen’s on precisely those critical points.

850.

In Wright2, Dr Wright gave a complex explanation of the signing sessions, setting out various technical measures he took. Professor Meiklejohn disagreed with a number of technical points Dr Wright made:

850.1.

Dr Wright said that the first stage in verification entails installing the Bitcoin Core software. Prof Meiklejohn explained that that software was not needed in relation to the keys which were to be signed, because the relevant coin generation transactions for the early blocks were P2PK transactions so that they contained the full public keys.

850.2.

Dr Wright claimed that he underwent the time-consuming exercise of downloading the entire Bitcoin blockchain as a preliminary to each signing session. Professor Meiklejohn explained that this was unnecessary. For a reliable signing, all one requires are the relevant keys or addresses and message. Downloading the blockchain is time-intensive and does not bolster the security of the process. This was agreed by Mr Gao.

850.3.

Dr Wright said that, for the signing sessions with Mr Matonis and the journalists, he had a single laptop but used the Windows laptop itself for signing and a virtual machine running Linux for verification. He added that this element was “essential” for integrity of the exercise. Prof Meiklejohn explained that that was unnecessary and added nothing to the reliability of the exercise, since it is only the verification setting that needs to be assured to avoid corruption falsely indicating success. Again, there was no dispute about this between the experts.

850.4.

Dr Wright insisted that the procedure he used, with a second system or computer used for verification, avoided the risk of exposing the private key. Prof Meiklejohn disputed that this procedure has such a benefit over other methods. Importantly, she explained that one can give out a signature freely and let somebody else verify it on their computer without any risk of compromising the private key. Mr Gao agreed in his evidence. This shows that Dr Wright adopted complex methods based on a spurious risk of key compromise, when all he needed to do was sign a message with the private key relating to an identified block and hand over the signature.
