Skip to content

Satoshi’s secret in the Genesis block

[Recommend my two-volume book for more reading]:

BIT & COIN:  Merging Digitality and Physicality

Much fruitless thinking (especially mine own) is going on about the mysterious 26.9 BTC transferred to the address in the Genesis block of Bitcoin.

This is largely due to the lack of clear and definite information.

Dr. Wright has said something about the Genesis block in the past. But in his typical fashion, he speaks in his domain and at his own level, with little sympathy for how others are positioned.

For example, in one context, he says, “No key is associated with the Genesis block.” But in another, he says, “the keys vary between the genesis block that is public and the early code that was distributed,” suggesting the Genesis block has keys in it.

It is not necessarily self-contradictory. Words can mean different things in different contexts. In a strict sense, a block does not have a key “associated” with it like a transaction or an address does. So let’s not get into that kind of a debate over words. Most accusations thrown at Dr. Wright are based out of context and often multiplied by misinterpretation of the very words he spoke.

My conjecture

We all know Satoshi created the Genesis block manually instead of using mining software to mine it automatically.

But how?

Based on the available information, my best conjecture is as follows (and I want this to be my last guessing work until real revelation becomes available):

— Satoshi generated a self-signed ECDSA signature in the Genesis block. It essentially reverses the usual order of operations in ECDSA signature generation. Instead of starting with a private key and a message and then computing the signature, Satoshi started by choosing parts of the signature and a secret scalar factor (a random number), from which he could, when needed, derive (reverse-compute) a private key that would make the signature valid for a given message.

— At the same time, Satoshi intentionally linked the Genesis block’s only address to an invalid public key. This makes the real public key of the Genesis block a secret. And this is going to be critical for the purpose of proving identity.

The signature procedure

Instead of starting with a private key, the self-signed signature begins by selecting a random scalar k and a random value s as one part of the signature, then computes the other part of the signature r.

The real private key is unknown until it is reversed-computed.

Here’s a breakdown of the steps of creating a self-signed signature with an unknown private key and subsequently reverse-computing the private key:

  1. Choose a random number k.
  2. Construct the signature (r, s):
    • Choose random s.
    • Compute r : Calculate r by first computing the elliptic curve point [k]G (where G is the generator point of the elliptic curve) and then applying a function f , which takes the x-coordinate of the point [k]G.
  3. Construct the Message m containing the signature (r, s): The message m is created to include the signature components r and s.
  4. Compute hash e = H(m): Calculate the hash of the message m using the hash function H, resulting in e.
  5. Solve for private key x: Now, calculate the private key x using the equation x = (±ske) / r. This equation is derived from rearranging the standard ECDSA verification equations.

NOTE 1: The signature constructed using this method would be self-signed. When not connected with the secret k, the signature alone means nothing to the world without the knowledge of the secret. But once they are connected, it uniquely associates the secret and thereby the secret keeper with the self-signed signature.

NOTE 2: To just post the signature (r, s) with the signed message m, the signer does not need to carry out the above steps 4 and 5, which are only necessary to verify the self-signed signature.

NOTE 3: Theoretically, the message m can even be identical to the signature, as long as it results in a solvable private key x in the subsequent steps. However, the method can be used to sign any message as long as the message includes the signature.

NOTE 4: Because the private key x depends on e (the hash of the message m), it also depends on the message m, meaning that the private key x created this way is unique with the message m signed. This makes it less useful for normal cryptographic signatures where a single key can be used to sign an unlimited number of messages. But as shown in this article, the method has its unique characteristics valuable to Satoshi’s special purpose hidden in the Genesis block.

An anatomy of the Genesis block

The Genesis block is very simple. It contains only one transaction (txid: 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b), which has an input and output. The output has a locking script (or at least something looks like a locking script – see more below), but the input does not have an unlocking script (as it does not have a previous output to unlock).

The transaction contains the following data:

The input field (where normally an unlocking script or scriptSig is found):

ScriptSig (ASM):

OP_PUSHBYTES_4 ffff001d OP_PUSHBYTES_1 04 OP_PUSHBYTES_69 5468652054696d65732030332f4a616e2f32303039204368616e63656c6c6f72206f6e206272696e6b206f66207365636f6e64206261696c6f757420666f722062616e6b73

Where, the string of hexadecimal characters after the opcodes, when decoded, read the famous message “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks”.

Unlike typical transactions, the input field in the Genesis block’s coinbase transaction does not contain an unlocking script with a signature but rather some arbitrary bytes and an encoded message.

The output field (where normally a locking script or ScriptPubKey is found):



ScriptPubkey (ASM):

OP_PUSHBYTES_65 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f OP_CHECKSIG


Public Key:

  • 04: The prefix indicates an uncompressed public key.
  • The next 128 hexadecimal characters represent the public key. This has 64 bytes (every two hexadecimal characters represent one byte), of which 32 bytes for the X-coordinate and 32 bytes for the Y-coordinate.
  • X-coordinate: 678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
  • Y-coordinate: 49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f


  • This opcode is used in Bitcoin’s scripting language to indicate that the next transaction that attempts to spend this UTXO must include a signature that needs to be checked against the provided public key.

Where is the self-signed signature found in the Genesis block?

If Satoshi placed a self-signed signature in the Genesis block, where exactly is this signature? (Note, this is different from any signature in an unlocking script contained in a subsequent transaction attempting to spend the coins in the Genesis block.)

The ECDSA signature components s and r are integers that are typically as large as the order of the curve used in the signature process. In the case of Bitcoin, the curve used is secp256k1, which has a 256-bit prime as the order. Therefore, both s and r in a valid ECDSA signature would be 256 bits (or 32 bytes) long.

The part that contains the famous encoded message cannot be the signature, because a signature generated using ECDSA is at least partially random, and cannot be decoded into an explicit message with clear human meaning.

Therefore, there seem to be no parts of the Genesis block that can be construed as being the s and r components of a self-signed ECDSA signature.

But there is a secret.

The secret:

The 128 hexadecimal characters (64 bytes) in the output field of the coinbase transaction in the Genesis block is the self-signed signature.

Now this must be surprising, because in a P2PK transaction, those 128 hexadecimal characters are always considered to be a public key, according to the standard interpretation of a P2PK locking script.

But the Genesis block is nothing but standard. The ostensible public key is not a public key. It only appears to be a public key but is intentionally invalid (see below). In reality, it is a self-signed signature, which has two segments, 32 bytes each, representing s and r of the signature respectively.

This self-signed signature is the signature of the message m which includes both the famous encoded text message and the signature (s, r) itself. But because the corresponding public key is kept a secret by Satoshi, no one else except Satoshi can verify this self-signed signature.

That is the secret of the Genesis block.

But Dr. Wright said no key in Genesis block?

Now you can see why in one context, Dr. Wright said there’s no key associated with the Genesis block.

It’s because Satoshi did not put a real public key in the Genesis block. Both the public key and the private key are hidden. In fact, they are unknown even to Satoshi himself until he reverse-computes these keys. That is, unless Satoshi has computed the key (see the above procedure), the key does not even exist yet.

Besides, in general, a key is said to be associated with a bitcoin address, not with a block. With the Genesis block, the key is associated with a particular message, not even with an address, much less the block.

The dependence of the key on the specific message chosen to be signed also explains why Dr. Wright said in another context that the keys vary between the genesis block that is public and the early code that was distributed.

As far as the cryptographic nature of the signature and the key is concerned, the self-signed signature can be placed in any block. The only reason why the Genesis block is implicated is because (1) that’s the block Satoshi chose to place the self-signed signature; and (2) that block is unequivocally associated with the identity of Satoshi. See below.

And none of this is accidental. It is all an elaborate design by Satoshi.

The use of an invalid public key

Therefore, it follows that, if Satoshi placed a self-signed signature in the Genesis block, then he must have intentionally linked the Genesis block’s one and only transaction to an invalid public key.

This is significant.

First, with an intentionally invalid public key, coins cannot be spent by anyone with normal verification performed by the mining nodes. Even Satoshi, who could reverse-compute the private key, can’t spend it because a correct signature signed by the correct private key cannot be verified by an incorrect (invalid) public key. Even though the explicit public key is invalid, the locking script itself is valid. To validate any future transaction to spend the coins in the Genesis block, the nodes must execute and validate a matching unlocking script. But such an attempt is always guaranteed to fail because the public key required by the locking script is intentionally invalid.

This is important because even if somebody else stole Satoshi’s secrets about the Coinbase transaction in the Genesis block, he still cannot spend the coins in the output, as the nodes will all automatically reject it.

The unspendability makes the Genesis block an anchor to the entire Bitcoin blockchain. This does not mean that if the bitcoins in the Genesis block ever move, the Bitcoin blockchain will lose its anchor. The “anchoring” effect is operative in the chain establishment. When the miners have disputes over transactions contained in the blocks, the active blocks may be subject to competitive reorganization which causes instability of the blockchain. By manually creating the Genesis block (versus mining it using competitive mining software) and making the bitcoins in the Genesis block unspendable, Satoshi made sure that the bitcoins in the Genesis block may not appear or be implicated in any subsequent blocks. This effectively placed the Genesis block outside of the realm of mining competition and out of any uncertainty caused by competitive mining.

The anchoring effect of the Genesis block was the most critical in the early days. This consideration may sound remote now, but it was critical at the time when Satoshi created the Genesis block anticipating open and hard-to-predict block creation by competitive miners.

Practically, after hundreds of blocks, the Genesis block as an anchor was already solidified. One effect of the Bitcoin protocol and consensus is that, the longer the chain is, the more secure the blocks are in the chain. The longer the chain is, the less likely the preceding blocks will be abandoned for a new chain.

Now, after hundreds of thousands of blocks, moving the bitcoins in the Genesis block may no longer affect the anchoring effect of the Genesis block and the stability of the Bitcoin blockchain. No miner is going to attempt to reorganize the entire Bitcoin blockchain starting from the Genesis block just because the coins in the Genesis block now appear in a transaction in a new block. However, these bitcoins may be technically unmovable regardless. See above.

Second, Satoshi may use the secrets in the Genesis block as unique evidence to prove his identity.

Even though Satoshi cannot spend the coins using a normal transaction, he, and only he, can provide strong evidence that he is Satoshi by showing that he has the secrets of the Genesis block. This is because, with the reverse-computed private key, Satoshi can further compute a corresponding public key and then use it to uniquely verify the self-signed signature contained in the Genesis block.

The public key as a masked secret

The use of an invalid public key created a unique feature of the Genesis block: the real public key is a secret. It can’t be used for making a normal spending transaction, but it can be used as evidence to show identity by verifying the self-signed signature.

Such evidence for identity would be stronger than simply signing a message using a private key associated with a supposed Satoshi address.

First, it is the Genesis block. There’s no ambiguity on who has created it.

Second, the possession of the secret in the Genesis block is not about ownership of the coins, but exclusively about identity. It does not make sense for Satoshi to transfer such information about his identity to another person. This is in contrast with any other blocks, where the possession of a key is primarily about coin ownership, which can be legitimately changed or transferred for many reasons, causing uncertainty or ambiguity with regard to the identity.

Third, it has an unconventional process of verification that is unknown to the public. The very knowledge of the process shown to work is uniquely Satoshi. Even those who may have correctly guessed the process cannot prove it by actually making it work. Only Satoshi can.

Fourth, there is no normal private key to be stolen. A thief may not even know what to steal in the first place. One who might have stolen the Genesis block secret must steal not only the random number k but also the knowledge of how it is to be used. Further, if Satoshi did not use the standard curve secp256k1 and generator, the thief must also steal the specific parameters of the elliptic curve used with it as well.

Therefore, one who demonstrates possession of the key, specific knowledge, and the ability to actually carry out the entire process would be credited with the strongest possible document evidence to prove Satoshi’s identity.

Satoshi’s last resort

So I believe the Genesis block contains a secret related to Satoshi’s identity. Satoshi has retained the secret should he ever need to use them to prove his identity.

But he did it in an extremely elaborate way not to give anyone, not even himself, power to unravel the Genesis block, the anchor of the Bitcoin blockchain.

The question becomes relevant given the suspense surrounding the 26.9 BTC coins recently deposited to the address in the Genesis block. As discussed above, even Satoshi cannot spend those coins normally. However, with proven identity and ownership of the coins deposited into the Genesis block, these coins can be moved using a software update according to a court order. See The mystery of 26.9 BTC paid to the Genesis block.

However, I believe Satoshi would not use the Genesis block proof unless it becomes an absolute necessity. Even if he does, the event would serve to validate the security of the Bitcoin blockchain. Satoshi will never sacrifice Bitcoin for the sake of his own reputation.

Consistent with Satoshi’s intention with the Genesis block, Dr. Wright treats even the above form of the strongest possible cryptographic evidence as a last resort. He prefers to prove it in a courtroom using normal human and social evidence – the kind of evidence that not only relies on humanity but also gives meaning to humanity in return.

However, he probably has a backup plan should the worst happen, because, if he is Satoshi, he has the secret of the Genesis block.

[Recommend my two-volume book for more reading]:

BIT & COIN:  Merging Digitality and Physicality