Before we continue, we should note that the PGP keys are just one piece of the puzzle. When asked for comment, Gizmodo editor Katie Drummond said that the keys "are just one (relatively small) data point among many others, including in-person interviews and on-the-record corroboration."But the keys are important because they're not just plain suspicious, there's evidence of active, intentional deception with respect to the keys. (Wired's Andy Greenberg pointed out that this was already in line with their article, which notes that Wright may have engaged in an elaborate, long-running deception).Here's the thing: There is only one PGP key that is truly known to be associated with Satoshi Nakamoto. We'll call this the Original Key.There is only one PGP key that is truly known to be associated with Satoshi Nakamoto. We'll call this the Original Key.
In both articles, keyserver entries are used to tie Craig Wright to Satoshi Nakamoto. A keyserver is a directory for PGP keys, with entries submitted by users. The one used here is maintained by MIT. There are other keyservers that sync to the MIT keyserver.The Wired Key is tied to satoshin@vistomail.com, an email address that was not previously linked to Satoshi but is pretty similar to satoshi@vistomail.com which has been linked to Satoshi:Two of the keys attributed to Satoshi were likely created using technology that wasn't available on the dates that they were supposedly made
The Wired Key was copy/pasted straight from the MIT keyserver into the November 2008 blogpost, rather than from a key file on someone's computer. When you paste from the keyserver, a header will be included in the key that identifies a specific version of keyserver software. The version identified in the Wired Key (SKS 1.1.4) was in use between October 2012 and May 2014—a long time after November 2008.The Gizmodo Key comes from a list of four different keys in one of the documents. (Each key is listed as a "fingerprint," which is a unique shorthand for the much-longer PGP key.) The list was contained in a draft of a contract for the "Tulip Trust," supposedly a vehicle for around $460 million dollars in Bitcoin.Gizmodo identified two of the four keys as belonging to Satoshi, one belonging to Wright, and one belonging to Wright's friend, Dave Kleiman. Keyservers do link the keys with those people. But only one is well-attested (meaning, lots of other people have verified it)—the last one, the Original Key from 2009.Given that PGP is a cryptographic method of authenticating your online identity, it's interesting that there are so many inconsistencies and even indications of intentional deception
- Only one key, the Original Key, is actually known to be associated with Satoshi.
- The Wired and Gizmodo Keys that supposedly lead back to Satoshi weren't previously known to be linked to Satoshi, and their 2008 creation date could have been faked.
- Both keys use a longer and less-common key size than the Original Key.
- Both keys use a list of cipher-suites that don't match up to the Original Key, and weren't added to GPG until 2009.
- The Wired key was retroactively added to a 2008 blogpost sometime between 2012 and 2014, as noted in its story.
- A core Bitcoin developer who's been involved from nearly the beginning looked back at 2011 chatlogs referring to "fake" Satoshi keys on keyservers, and found no reference to either the Gizmodo or Wired keys. He thinks that those keys weren't yet uploaded to the keyserver in 2011.
Gizmodo Editor in Chief Katie Drummond said:This is certainly interesting, but it just backs up something we already stated in our piece: It appears the three blog posts that most clearly connect Wright to Satoshi Nakamoto were edited to insert that evidence or possibly even created after the dates they appear to have. As we wrote, that could be part of an incredibly elaborate hoax, or it could show that Wright was conflicted about his pseudonymity and some part of him wanted to be found.
It's true that PGP keys are a single data point, but given that PGP is a cryptographic method of authenticating your online identity, it's particularly interesting that there are so many inconsistencies with these keys, and even indications of intentional deception.Listen, PGP is hard. Maybe the ingenious Craig-Satoshi-Nakamoto-Wright, like most ordinary people, can't stop losing access to his PGP keys and keeps having to upload different keys to the keyserver. But the metadata, Greg Maxwell's chatlogs, and the online trail just don't really add up. And as Kashmir Hill pointed out at Fusion, "there are obvious incentives for an entrepreneur active in the blockchain and security space"—like Craig Wright—"to be known as the talented developer behind Bitcoin."Whatever's going on here, it's pretty fishy.Jordan Pearson contributed reporting and writing.The thrust of our article is that Craig Wright, over the course of many years, was involved in Bitcoin and told many people he was its inventor, Satoshi Nakamoto. The PGP keys you mention are just one (relatively small) data point among many others, including in-person interviews and on-the-record corroboration. Our reference to the keys simply was that they corresponded to information in the public keybase.