Faketoshi’s Nonsense Signature

“Satoshi” signature from a now-deleted Tweet

Some Red Flags

The first thing that clued many people into this being not up to snuff was the fact that this account didn’t use the standard sign/verify feature found in almost every Bitcoin wallet. Further, Faketoshi decided to release their own verification software, which is highly unusual. What happened? Why use something brand new? As the next section will show, this was entirely to mislead people.

Some Math

The actual math is not going to be understandable without a grasp of Finite Fields, Elliptic Curves and ECDSA. The links are to my new book, currently in technical review, but if you don’t want to learn about the math, feel free to skip this section.

  • u = z/s
  • v = r/s
  • R = uG+vP
  • if R.x = r, we have a valid signature
a and b in Pieter’s tweet are u and v in my construction
  • R = uG+vP
  • r = R.x
  • s = r/v, which comes from v = r/s as per the validation formula
  • z = us, which comes from u = z/s as per the validation formula
from ecc import S256Point, Signature, G, N
from random import randint
# key from genesis block coinbase transaction
# 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b
GENESIS_BLOCK_PUBKEY = '04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f'
point = S256Point.parse(bytes.fromhex(GENESIS_BLOCK_PUBKEY))
# generate random u and v values
# (these will be different every time this script is run)
u = randint(0, N)
v = randint(0, N)

# calculate the x-coordinate of r
r = (u*G+v*point).x.num % N

# calculate s and z using Fermat's Little Theorem
s = r * pow(v, N-2, N) % N
z = u * s % N

# instantiate the Signature class
sig = Signature(r, s)

# This will crash if the signature is invalid:
assert point.verify(z, sig) is True

print("Valid signature of a garbage message:")
print("z: ", z)

Doing the same thing

The supposed “signature” from the “Satoshi” Tweet was nothing more than a trick that’s easy to expose with a little bit of a math. To prove it, here’s my “signature” using Satoshi’s genesis block public key (I used u=1, v=1):

z = d20a8b8b4d25086d71f03358d26d8564fc199aefd2a0239c49e9ab4c93a7025e
sec = 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
der = 3046022100d20a8b8b4d25086d71f03358d26d8564fc199aefd2a0239c49e9ab4c93a7025e022100d20a8b8b4d25086d71f03358d26d8564fc199aefd2a0239c49e9ab4c93a7025e


The Tweet is equivalent to someone that’s “proving” that they ran a marathon in under 2 hours while allowing us to only observe them at the finish line. The nonsense signature is equivalent to someone “running” a marathon in under 2 hours by starting close to the finish line.

Original Tweet
z = 2e1d1cc2a4ca52c6f6178570da8375365bc06416b898eb9436f328a4eb72d22d



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jimmy Song

Jimmy Song


Bitcoin Educator, Developer and Entrepreneur. Book: https://amzn.to/2RSlnTb PGP Fingerprint: C1D7 97BE 7D10 5291 228C D70C FAA6 17E3 2679 E455