Satoshi's PGP Keys Are Probably Backdated and Point to a Hoax
The PGP keys referenced in stories naming Craig Wright as the creator of Bitcoin were probably falsely backdated.
Uh, who? one might ask. It's a good question. Until now, Wright hasn't pinged very many people's radars as a potential Satoshi Nakamoto. On the other hand, Wright is indeed considered an expert on Bitcoin—in fact, he appeared on a panel with other possible-Satoshi Nick Szabo this year at the Bitcoin Investor Conference.
Both Wired and Gizmodo outline Wright's qualifications and accomplishments in detail, aside from pointing to emails and other documents that seem to nail Wright as once-and-future Bitcoin king Satoshi Nakamoto.
A lot of this evidence isn't authenticated, so there's that. But there's one really big problem with the case for Craig S. Wright as Satoshi: at least one of the key pieces of evidence appears to be fake. The "Satoshi" PGP keys associated with the Wired and Gizmodo stories were probably generated after 2009 and uploaded after 2011.
We say keys, because there are two entirely different keys implicated by Wired and by Gizmodo. And neither of them check out.
There is only one PGP key that is truly known to be associated with Satoshi Nakamoto. We'll call this the Original Key.
Before we continue, we should note that the PGP keys are just one piece of the puzzle. When asked for comment, Gizmodo editor Katie Drummond said that the keys "are just one (relatively small) data point among many others, including in-person interviews and on-the-record corroboration."
But the keys are important because they're not just plain suspicious, there's evidence of active, intentional deception with respect to the keys. (Wired's Andy Greenberg pointed out that this was already in line with their article, which notes that Wright may have engaged in an elaborate, long-running deception).
Here's the thing: There is only one PGP key that is truly known to be associated with Satoshi Nakamoto. We'll call this the Original Key.
The Original Key has long been attributed to Satoshi. It's currently hosted on bitcoin.org, and it was there even in 2009, when Satoshi was still associated with the site. So we do know that the Original Key belonged to Satoshi, if it is even epistemologically possible to know anything about Bitcoin at this point.
The Original Key was supposedly created in October 2008, using DSA-1024 encryption, which today is considered to be too weak for recommended use. At the time, DSA-1024 was the default in GnuPG, a free software implementation of Pretty Good Privacy that most people use to PGP-encrypt messages. The Original Key appears to have been generated on a Windows version of GnuPG that was already outdated at the time.
Both the Wired and Gizmodo keys were generated using RSA-3072, an unusual choice for 2008—something that security expert Erinn Clark first flagged for us. (DSA-1024 was default at the time; RSA-2048 is the default today. But let's not get ahead of ourselves.)
Two of the keys attributed to Satoshi were likely created using technology that wasn't available on the dates that they were supposedly made
In both articles, keyserver entries are used to tie Craig Wright to Satoshi Nakamoto. A keyserver is a directory for PGP keys, with entries submitted by users. The one used here is maintained by MIT. There are other keyservers that sync to the MIT keyserver.
According to the MIT keyserver, both of these were supposedly created in 2008, before Bitcoin even launched, suggesting they could only have been generated by the pseudonymous inventor himself. So case closed, right?
Not really, because it's trivially easy to forge the creation date on a PGP key.
The age of a PGP key is tied to the date and time on the machine it was created on. All it would take to create a PGP key in 2015 that looked like it was created in 2008, would be to change the system settings on the local machine to the desired date.
In roughly 10 minutes, Motherboard staff writer Jordan Pearson created a PGP key for himself that by all accounts appears to have been created in 2008, but really wasn't, and uploaded it to MIT's public key server.
It's also possible to create a PGP key with a fake date from an email account you don't control. Motherboard cybersecurity reporter Lorenzo Franceschi-Bicchierai was able to create a PGP key for email@example.com that appears as though it was created in 2004. It wasn't. Franceschi-Bicchierai created it on December 8, 2015, while chatting with other reporters over Slack.
Franceschi-Bicchierai immediately revoked the key to prevent confusion.
Bitcoin core developer Greg Maxwell has posted on Reddit to that effect, adding that, "This key was also not on the keyservers in 2011 according to my logs; which doesn't prove it was backdated, but there is basically no evidence that it wasn't and non-trivial evidence that it was."
We contacted him asking him to clarify what he meant by "my logs." Maxwell said that he had a 2011 chatlog where he and others discussed "fake" Satoshi keys (keys tied to Satoshi's emails that weren't the Original Key) on the keyserver. They referenced other keys, but never linked to the ones implicated by Wired or Gizmodo. Maxwell thinks this is because the keys weren't there in 2011.
We already noted that RSA-3072 is an odd form of encryption to use in 2008, but there is other metadata in these keys that seem to postdate 2008.
Maxwell found that the Wired Key and the Gizmodo Key have preferred hash algorithms "8,2,9,10,11." The Original Key has a preferred hash algorithm list "2,8,3." This refers to the cipher-suites, or encryption algorithms, used. The "8,2,9,10,11" list was added to the GnuPG code tree as a commit on July 9, 2009, and released in version 2.0.13 on September 4, 2009.
In other words, the Wired Key and the Gizmodo Key were likely created using technology that wasn't available on the dates that they were supposedly made.
Maxwell also pointed out to us that it was especially odd that the metadata for the Wired Key and the Original Key didn't match each other if they were supposedly created by the same person on the same day, October 30, 2008.
The keyserver entries for both the Wired and Gizmodo keys make it look like someone was trying very hard to deceive people. But the circumstances in which both these keys are implicated are also suspicious.
The Wired Key was posted on Craig Wright's now-deleted blog, in an post dated November 1, 2008. But Andy Greenberg and Gwern Branwen, who wrote the Wired article naming Craig Wright as a possible Satoshi Nakamoto, say it was retroactively inserted sometime after 2013. Branwen used Google Reader caches and found that in 2013, the key had not been in that blogpost. This timing matches up with what we noticed about that key.
Given that PGP is a cryptographic method of authenticating your online identity, it's interesting that there are so many inconsistencies and even indications of intentional deception
The Wired Key was copy/pasted straight from the MIT keyserver into the November 2008 blogpost, rather than from a key file on someone's computer. When you paste from the keyserver, a header will be included in the key that identifies a specific version of keyserver software. The version identified in the Wired Key (SKS 1.1.4) was in use between October 2012 and May 2014—a long time after November 2008.
The Gizmodo Key comes from a list of four different keys in one of the documents. (Each key is listed as a "fingerprint," which is a unique shorthand for the much-longer PGP key.) The list was contained in a draft of a contract for the "Tulip Trust," supposedly a vehicle for around $460 million dollars in Bitcoin.
Gizmodo identified two of the four keys as belonging to Satoshi, one belonging to Wright, and one belonging to Wright's friend, Dave Kleiman. Keyservers do link the keys with those people. But only one is well-attested (meaning, lots of other people have verified it)—the last one, the Original Key from 2009.
Not only is the Original Key the only one that's been recognized by, well, anyone, it also sticks out like a sore thumb. It uses weaker encryption than the other three. The first three keys are technological sisters, all using RSA-3072 and having the same hash algorithms. The last is an outlier.
Weirdly, it's the second key, the Gizmodo Key, that gets called out later in the document. In the document, Dave Kleiman is supposedly promising to never divulge "the identity of the Key with ID C941FE6D [the Gizmodo Key] nor of the origins of the firstname.lastname@example.org email." But while the GMX email account is well-known to be connected to Satoshi, until the Gizmodo article, the Gizmodo Key wasn't known to anyone, let alone known to be connected to Satoshi.
Also, that cute little parenthetical next to the name? "In crypto we trust, in government we verify"? We didn't add that, that's in the keyserver. There's a similar one in Craig Wright's keyserver entry too—"In algorithms we trust." Almost like the keyserver entries were created by the same person, right?
There's a similar one for Dave Kleiman as well, among the many many keys that are associated with him, though this one appears to be written by a drunk person:
That's not the strangest Kleiman key, though. There's also one that was generated for him a year after his death.
- Only one key, the Original Key, is actually known to be associated with Satoshi.
- The Wired and Gizmodo Keys that supposedly lead back to Satoshi weren't previously known to be linked to Satoshi, and their 2008 creation date could have been faked.
- Both keys use a longer and less-common key size than the Original Key.
- Both keys use a list of cipher-suites that don't match up to the Original Key, and weren't added to GPG until 2009.
- The Wired key was retroactively added to a 2008 blogpost sometime between 2012 and 2014, as noted in its story.
- A core Bitcoin developer who's been involved from nearly the beginning looked back at 2011 chatlogs referring to "fake" Satoshi keys on keyservers, and found no reference to either the Gizmodo or Wired keys. He thinks that those keys weren't yet uploaded to the keyserver in 2011.
We asked both Wired and Gizmodo for comment. Both said this information about the PGP keys does not change anything about their stories. Wired reporter Andy Greenberg responded:
This is certainly interesting, but it just backs up something we already stated in our piece: It appears the three blog posts that most clearly connect Wright to Satoshi Nakamoto were edited to insert that evidence or possibly even created after the dates they appear to have. As we wrote, that could be part of an incredibly elaborate hoax, or it could show that Wright was conflicted about his pseudonymity and some part of him wanted to be found.
Gizmodo Editor in Chief Katie Drummond said:
The thrust of our article is that Craig Wright, over the course of many years, was involved in Bitcoin and told many people he was its inventor, Satoshi Nakamoto. The PGP keys you mention are just one (relatively small) data point among many others, including in-person interviews and on-the-record corroboration. Our reference to the keys simply was that they corresponded to information in the public keybase.
It's true that PGP keys are a single data point, but given that PGP is a cryptographic method of authenticating your online identity, it's particularly interesting that there are so many inconsistencies with these keys, and even indications of intentional deception.
Listen, PGP is hard. Maybe the ingenious Craig-Satoshi-Nakamoto-Wright, like most ordinary people, can't stop losing access to his PGP keys and keeps having to upload different keys to the keyserver. But the metadata, Greg Maxwell's chatlogs, and the online trail just don't really add up. And as Kashmir Hill pointed out at Fusion, "there are obvious incentives for an entrepreneur active in the blockchain and security space"—like Craig Wright—"to be known as the talented developer behind Bitcoin."
Whatever's going on here, it's pretty fishy.
Jordan Pearson contributed reporting and writing.