by dooglus
3697 days ago
Of your three possibilities, I don't think either of the first two make sense when you consider that Gavin was using Electrum to verify the signature:

1. Electrum's signature verification dialog takes a message, address, and signature and does the hashing for you; there's no option to provide a pre-hashed input, so the hashing couldn't have only happened on CSW's machine.

2. The Electrum download includes the code used to do the hashing, so if the hashing code was corrupted, it implies the Electrum download itself was compromised.

So that leaves 3. The Electrum developer has said that their .sig file wasn't downloaded from a UK IP address on the day the demo took place, so we know Gavin didn't verify that the Electrum download was correct. I expect your 3rd possibility is the most likely one.
>2. the electrum download includes the code used to do the hashing, so if the hashing code was corrupted, it implies the electrum download itself was compromised
The part I didn't explain thoroughly (because I thought it would be confusing) is that there are two hashes involved. The signature/verification only does one hashing internally. BUT Wright performs (or claims to perform) an additional one beforehand.
Why 2 hashes? Because it matches the transaction signing process of bitcoin, where he is copying his inputs/outputs from.
It's described in more (technical) detail here: http://blog.erratasec.com/2016/05/satoshi-how-craig-wrights-...
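To make concrete both dooglus's point (the verify dialog hashes the message itself) and the reply's point (a second hash applied beforehand), here is an added example, not code from this thread or from Electrum: it builds the Bitcoin signed-message digest the way Bitcoin Core and Electrum do (magic prefix, compact-size length, double SHA-256) and shows that handing the tool a pre-hashed message yields a different digest than the original message. Function names are my own.

```python
import hashlib

# Prefix used by Bitcoin Core and Electrum for signed messages;
# \x18 (24) is the length of the string that follows it.
MSG_MAGIC = b"\x18Bitcoin Signed Message:\n"


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer, used for the message length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def signed_message_preimage(message: bytes) -> bytes:
    """Bytes the verifier hashes: magic || compact_size(len) || message."""
    return MSG_MAGIC + compact_size(len(message)) + message


def signed_message_digest(message: bytes) -> bytes:
    """32-byte double-SHA-256 digest the signature is checked against."""
    inner = hashlib.sha256(signed_message_preimage(message)).digest()
    return hashlib.sha256(inner).digest()


def prehashed_input(message: bytes) -> bytes:
    """The 'extra' hash from the reply: SHA-256 the message first and
    feed the hex digest to the signing/verifying tool as the message."""
    return hashlib.sha256(message).hexdigest().encode("ascii")


def compare(message: bytes) -> dict:
    """Digest for the plain message vs. for its pre-hashed form; the
    verifier always hashes internally, so the two never coincide."""
    direct = signed_message_digest(message)
    via_prehash = signed_message_digest(prehashed_input(message))
    return {"direct": direct.hex(), "prehashed": via_prehash.hex(),
            "same": direct == via_prehash}


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    for k, v in compare(b"Gavin, verify this.").items():
        print(k, v)
```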