Bitcoin’s creator
Craig Steven Wright claims to be Satoshi Nakamoto. Is he?

Evaluating his claim will involve a multi-step paternity test


Update:Craig Wright’s claims to be Satoshi Nakamoto come under fire

IMAGINE that the paternity of a particularly brilliant child is in doubt, and someone steps forward to claim he is the father. In the real world a DNA test would sort the matter out quickly. In the confusing world of bitcoin, a cryptocurrency, things are not that simple. From the start bitcoin has rested on a mystery: the identity of Satoshi Nakamoto, the pseudonym of the author of the academic “white paper” published in October 2008 which first outlined the technology behind the digital money. This mystery may finally be solved: Craig Steven Wright—a 45-year-old Australian computer scientist and inventor who was outed against his will and with dubious evidence as Mr Nakamoto in December last year—now claims he is the real Satoshi. On May 2nd he published a blog post offering what he says is cryptographic proof that he is indeed the creator of bitcoin.

The Economist—along with the BBC and GQ Magazine—had access to Mr Wright before the publication of his post (see footnote). We interviewed him, reviewed the documents he has provided and talked to bitcoin insiders who have communicated with Mr Nakamoto in the past and who had access to the same information. Our conclusion is that Mr Wright could well be Mr Nakamoto, but that important questions remain. Indeed, it may never be possible to establish beyond reasonable doubt who really created bitcoin.

Bitcoin has become much bigger than Mr Nakamoto; he stopped participating in the project a few years ago, and his successors have written far more code than he ever did. Whether Mr Wright’s claim is believed, especially by bitcoin cognoscenti, matters nonetheless. The bitcoin project has been riven for months by what some call a “civil war” between two competing camps of developers and bitcoin companies (although the rhetoric has recently become less strident). One side wants to keep bitcoin smallish and pure; the other is pushing for it to grow rapidly, even if this means turning it into something more like a conventional payment system. The bone of contention is the size of a “block”, the name given to the batches into which bitcoin transactions are assembled before they are validated. The intervention of a resurrected Satoshi would certainly change the dynamics of this debate. First, however, Mr Wright has to persuade people of his claim.

Mystery man
Nobody, not even his closest collaborators, ever met Mr Nakamato in person. They only communicated with him electronically. He not only wrote the white paper, but also the first version of the software that powers the system and then worked with other developers to improve it. But a couple of years into the project, he stopped participating. “I have moved on to other things,” he wrote in April 2011. Except for a few messages, most of which are believed to be hoaxes, he has not been heard from since.

That suggests a huge desire to remain private—and extraordinary willpower. Thus far, at least, the person behind the pseudonym has forgone fame and kudos. Despite its shady side (for instance as an anonymous means of payment for drug dealers) the system has proven very resilient: its exchange rate has recovered after a steep fall last year (see chart). The invention that underlies it, called the “blockchain”, is widely considered downright brilliant. Nor does Mr Nakamoto seem to be motivated by fortune: all bitcoin in circulation are now worth about $7 billion, more than the basic monetary supply (cash and deposits) of many small countries. According to some estimates, Mr Nakamoto holds 1m bitcoin, worth about $450m at current rates, but they have never been touched.

Mr Nakamoto’s silence has given rise to a cottage industry of Satoshi-hunters. Most books on bitcoin, for instance, feature a lengthy chapter on who Mr Nakamoto may be. Each has its own theory, often based on the same sources. Some locate him in Britain (because of his use of Britishisms, such as “bloody hard”). Others reckon he is somewhere in the eastern parts of the Americas (because of the timestamps on his e-mails). He has been variously identified as a Finnish sociologist, a Japanese mathematician and an Irish student. The names mentioned most often are Nick Szabo and Hal Finney, two American cryptographers, but the former denies it and the latter died in 2014. Then there is the argument that Mr Nakamoto’s bitcoin code is so good that it must have been written by more than one person.

In March 2014 Newsweek, an American magazine, identified a man living in California, and named Dorian Satoshi Nakamoto, as the real Satoshi, but this turned out to be an embarrassing canard. In December 2015 it was Mr Wright’s turn to be outed: hackers had apparently broken into his computer, stealing e-mails and documents and passing them on to two websites, Wired and Gizmodo, both of which produced lengthy articles.

But holes started to appear in that story, too. Some of the academic degrees Mr Wright had listed on a profile on LinkedIn, a social network, could not be confirmed. SGI, a maker of supercomputers, denied that it had ever done business with one of his companies, Cloudcroft. And cryptographic keys found in the leaked documents and some of his blog posts, which both could have linked him to Mr Nakamoto, were said to have been backdated or changed recently. After a raid by Australian tax officials on his house in Sydney, many came to believe that the entire story was an elaborate hoax staged by Mr Wright himself. At the time he kept silent, and soon thereafter moved to London, where one of his companies has an office.

So why would Mr Wright now try to out himself? “I’m not seeking publicity, but want to set the record straight,” he explains. “People are assuming [the misinformation against me] is true, because I’m not saying anything. This impacts not just me and my work, but my family, my staff and everything else.” He also wants to “dispel any negative myths and fears about bitcoin and the blockchain,” as he writes in his blog post. He doesn’t want to cash in on his bitcoin fortune, but plans to spend the money on research (and only slowly, as not to push down the bitcoin price), he says. Asked why his alter ego disappeared from view in the first place, he simply says that there was a media storm at the time and he wanted to remove himself from it. He says he called himself “Nakamoto” after a 17th-century Japanese philosopher and merchant, Tominaga Nakamoto, who was highly critical of the normative thought of his time and favoured free trade. (He doesn’t want to say why he picked “Satoshi”: “Some things should remain secret.”)

Having been named as Mr Nakamoto once, unconvincingly, Mr Wright has a steep hill to climb to convince the world that he is indeed bitcoin’s founder. Evaluating his claim involves the application of a multi-step paternity test. First comes the factual evidence: can Mr Wright prove that he is in possession of cryptographic keys that only Mr Nakamoto should have? Second, does he have convincing explanations for the holes in the story which came to light when he was first outed in December? Third, does he possess the technical knowledge which would have enabled him to develop a system as complex and clever as bitcoin? And fourth, to what extent does he fit the image that people have of Mr Nakamoto; in particular, what do those software developers who have collaborated online with the founder of bitcoin think of Mr Wright’s claim?

First, the keys. To understand how Mr Wright could cryptographically prove that he is Mr Nakamoto, it helps to keep in mind the basics of public-key cryptography at the heart of encryption schemes such as “PGP” (which stands for “Pretty Good Privacy”). It uses two “keys”—strings of numbers—one public and safe to share, and one to be kept private. Both are mathematically related, meaning that if the holder of the private key “signs” or encrypts a message with this key, it can be decrypted with the corresponding public one. If it can be thus decrypted, that serves to establish the identity of the sender of an encrypted message (assuming, of course, that the private key has not been stolen).

This is the reason why, whenever a message signed by someone pretending to be Mr Nakamoto appears online (the latest, in December, read: “I am not Craig Wright. We are all Satoshi.”), it is dismissed as a hoax: none has been signed by a private PGP key widely considered to belong to Mr Nakamoto. This private key is related to a public key that was linked to from, a website which was registered in 2008 by him and used to publish his white paper. But the earliest publicly verifiable date of its existence is February 28th 2011, meaning it could have been put there later than 2008 (Mr Nakamoto’s last public posting dates from December 12th 2010). And he has never signed any message with the corresponding private key, perhaps because he never actually had it. “If someone were to successfully sign with the Satoshi PGP key, it would not prove that he is Satoshi,” says Jerry Brito, the executive director of Coin Center, a bitcoin think-tank, and co-author of a recent blog post about the matter.

Mr Wright agrees: he says that he has the private PGP key, but that using it would not prove anything. The cryptographic proof he offers is of a different kind. Bitcoin also uses a different form of public-key cryptography, not least to make sure that only the real owner of bitcoin can spend the currency. The public key—or, to be precise, a digital digest of it, called the “bitcoin address”—is like the number of a bitcoin bank account. And the private key is like a secret PIN or a signature on a cheque that allows the holder to transfer money from the account. The analogy is not a perfect one, however: bitcoin holders can have many different accounts, each linked to a separate address and private key.

Bitcoin addresses can also be linked to “blocks”: those who provide the necessary computing power to create them can win an “reward”, which is sent automatically to a bitcoin address chosen by each block’s creator. Since Mr Nakamoto must, in the very early days of bitcoin, have been the only one to “mine” blocks, as the process is called, he should hold the corresponding private keys. What is more, Mr Nakamoto was also the first to send some bitcoin—using money he earned with the 9th block. The recipient, Hal Finney, confirmed this transaction when he was still alive.

If Mr Wright can prove that he is in possession of the private key corresponding to the bitcoin address of the miner of block 9, this is strong evidence that he is indeed Mr Nakamoto. His case would be stronger if he performed the same cryptographic trick with keys linked to earlier blocks, which must have been mined by the founder—or, even better, moved some of the bitcoins which were awarded when validating these blocks.

In his blog post Mr Wright says that he does indeed control the key for block 9 and gives a step-by-step explanation of how this can be proven. He claims to have signed a text (the 1964 speech in which Jean-Paul Sartre explains his refusal to accept the Nobel prize for literature) with this private key, which produces a unique identifier known as a digital signature. He has published this on his website along with a detailed explanation of how to verify that he is indeed in possession of the private key. In a nutshell, the data he has provided can be fed into software, which then says whether all the parts of this puzzle fit together.

Mr Wright has also demonstrated this verification in person to The Economist—and not just for block 9, but block 1. Such demonstrations can be stage-managed; and information that allows us to go through the verification process independently was provided too late for us to do so fully. Still, as far as we can tell he indeed seems to be in possession of the keys, at least for block 9. This assessment is shared by two bitcoin insiders who have sat through the same demonstration: Jon Matonis, a bitcoin consultant and former director of the Bitcoin Foundation, and Gavin Andresen, Mr Nakamoto’s successor as the lead developer of the cryptocurrency’s software (he has since passed on the baton, but is still contributing to the code).

Still, questions remain. Mr Wright does not want to make public the proof for block 1, arguing that block 9 contains the only bitcoin address that is clearly linked to Mr Nakamoto (because he sent money to Hal Finney). Repeating the procedure for other blocks, he says, would not add more certainty. He also says he can’t send any bitcoin because they are now owned by a trust. And he rejected the idea of having The Economist send him another text to sign as proof that he actually possesses these private keys, rather than simply being the first to publish a proof which was generated at some point in the past by somebody else. Either people believe him now—or they don’t, he says. “I’m not going to keep jumping through hoops.”

Such statements will feed doubts. This is partly because the second element in bitcoin’s paternity test—assuaging the doubts raised after Mr Wright’s outing in December—is not conclusive. He is now going to great lengths to fill the holes in his story by providing plenty of documents and explanations. In some cases this alleviates doubts about his authenticity, in others less so.

Questions about Mr Wright’s academic degrees arose because he had listed so many on a LinkedIn profile which has since been deleted, and because some could not be confirmed. He now says that the profile was a “joke”—to “take the piss out of myself” and to keep people from bothering him. “No one took me seriously, which was great.”

The current curriculum vitae and other documents released by Mr Wright’s public-relations agency list dozens of industry certifications (“GIAC Business Law and Computer Security”, for instance), former positions (he was once a vice-president of the Centre for Strategic Cyberspace and Security Science, a consultancy based in London), and a handful of degrees. They include a masters in statistics from the University of Newcastle in Australia, a masters in law from Britain’s Northumbria University and several masters in IT and management from Charles Sturt University (CSU), also in Australia. The CV also says that Mr Wright has submitted his thesis for a doctorate in computer science and lists a doctorate in theology. It finally mentions that he is currently enrolled at University of London in a programme called “Masters of Science in Finance”.

Mr Wright has provided diplomas and other backup material for nearly all of these degrees. Most could be confirmed with the respective universities. He was, for instance, awarded three masters degrees at CSU, where he also taught as an “adjunct lecturer” and where his thesis is under examination, according to Tanveer Zia, his doctoral adviser. His doctorate in theology, however, remains a mystery and Mr Wright does not want to talk about it (“That has no relevance,” he says).

As proof of existence for his supercomputer, another element of the December story that was disputed, Mr Wright offers a letter signed by a local SGI director, which states, among other things, that the firm is pleased to work with Cloudcroft, one of Mr Wright’s firms, “in assisting the development of their hyper-density machines and supercomputers.” Asked about this, SGI, which is based in Silicon Valley, has replied that its Australian director “acted as an individual and was not authorised.” The firm has no record of selling a supercomputer to Cloudcroft, but says that it “could have been purchased on the grey market.”

The reason why SGI has distanced itself from him, explains Mr Wright, is because he has combined the firm’s gear with that of a competitor, Supermicro. But he doesn’t want to say much more, mainly because of security: “It’s a big expensive machine, and we don’t want people to know where it is.” If C01N, as the machine is called, exists, it would indeed be big: with a claimed number-crunching capacity of 3.5 petaflops (a petaflop is a thousand billion floating-point operations per second), it would rank 17th on the list of the world’s fastest supercomputers. All this computing power, says Mr Wright, is used to test his ideas about how to improve bitcoin.

As for the backdated keys revealed in the December outing, Mr Wright presents a report by First Response, a computer-forensics firm, which states that these keys could have been generated with an older version of the software in question. He says that he has lost control of many of his online accounts (which could explain the changed blog posts). As for the tax raid in Australia, he says that was not about him trying to evade taxes, but about how to tax bitcoin correctly—something the Australian Taxation Office does not want to comment about, citing confidentiality provisions on the country’s tax law. Local press reports, however, say that the investigation is much broader and may even include allegations of fraud. Mr Wright denies any wrongdoing, saying that he didn’t leave Australia because of the tax investigation, but because London is a better place to operate a financial-technology company.

The third stage in the paternity test—the extent of Mr Wright’s technical knowledge—is just as tricky. When Mr Wright was outed, experts called his published writings unremarkable, suggesting that he could not be the author of the original bitcoin white paper. In January Juola & Associates, a firm that uses a technique called “stylometry” to identify authors, released the results of a study that compared texts by Mr Wright with those written by Mr Nakamoto and concluded that they are unlikely to be by the same person. In response Mr Wright says that, although he was the principal author of the white paper, he had extensive help from his friend Dave Kleiman, an American computer-forensics expert who died in 2013. Mr Wright also says that he has many different writing styles, depending on the subject matter.

Mr Wright has certainly written extensively. A list of publications provided by his public-relations agency includes nearly 100 papers, conference presentations, books and book chapters. Most are shorter pieces about computer security, but they also touch upon topics such as economics, terrorism and risk management, suggesting that Mr Wright likes to roam widely. None covers bitcoin directly, but he explains that bits of research that helped him create the cryptocurrency can be found in many of his publications. Such an interdisciplinary approach sits well with what the bitcoin system is: a clever combination of ideas developed by others. Mr Wright also says that he has written several papers on bitcoin, which are currently undergoing peer review and will be published shortly. The Economist has seen some of them and they show that he has a firm, though not an exceptional, handle on the subject.

When interviewed in person, Mr Wright was often hard to follow, but he clearly seemed to know what he was talking about. His plans for bitcoin are grandiose. In future, he explained, the blockchain could become so vast that it could keep track of every Visa transaction, every stock-exchange transaction, every bank transaction and much more. “We could even create an individual account for that tissue”, he said, pointing to a paper napkin on the table.

The fourth test is the most subjective. Since nobody has ever met Mr Nakamoto, and no picture or video of him exists, his personality is anybody’s guess. But some traits recur in any attempt to come up with a composite sketch: he is likely to be a very private person; he is probably a nerd; and politically he is likely to be a libertarian, because bitcoin is rooted in the belief that central banks cannot be trusted.

In some ways Mr Wright fits this image, but in others he doesn’t. He clearly doesn’t enjoy the limelight and the company of other people. He was visibly nervous when interviewed and did not want to talk about his family. He got most of his degrees via distance-learning programmes and in the other cases rarely went to lectures. Even loyal employees, he says, would not hesitate to call him a “difficult bugger”, who is hard to work with. He regrets that he will no longer be able to attend conferences and lectures unrecognised: “I never wanted to be out there and I don’t want to be out there now.”

But Mr Wright also seemed to crave recognition. He emphasised several times how many papers he has written, adding once that these even outnumber those by Mr Szabo, one of the other main contenders for the role of Mr Nakamoto. Instead of dwelling on libertarian ideology (although there was some of that), he stressed how much he loves learning. The reason why he has collected so many degrees, he says, is that getting them keeps him motivated: “Life is all about incentives. Doing a degree forces me to sit down in front of my computer in the evening and do my assignments.”

Those who have exchanged e-mails with Mr Nakamoto and have also spent time with Mr Wright think that the personalities of the virtual Satoshi and the real Craig overlap sufficiently. Mr Matonis first met him in mid-2015, before he was outed as Mr Nakamoto. “I remember saying to my wife that I had this weird feeling of having just met Satoshi,” he reports. But it is the opinion of Mr Andresen, who has collaborated with Mr Wright and considers himself a sceptic, that is likely to convince more than one bitcoin aficionado. “He fits the style of person I was working with,” he says. “He can also say things that sound, at first, ridiculous.” In a blog post, which was published shortly after Mr Wright’s, Mr Andresen writes: “After spending time with him I am convinced beyond a reasonable doubt: Craig Wright is Satoshi.”

We are not so sure. Although they are not completely satisfactory, Mr Wright provided credible answers to the questions which were asked of him after he was outed last year. He seems to have the expertise to develop a complex cryptographic system such as bitcoin. But doubts remain: why does he not let us send him a message to sign, for example? Perhaps he has access only to one proof: the real Mr Nakamoto could have used the Sartre text to prove his identity to one of his peers and this proof is now being used to show that Mr Wright is Mr Nakamoto. Mr Wright could have used his supercomputer to calculate the signature for this particular text in what is known as a “brute-force attack”. And then, as mentioned before, there is always the possibility that he could have obtained the keys from someone else, perhaps Hal Finney or Dave Kleiman. Since both are dead, they cannot be asked.

Mr Wright’s motivation for stepping forward now also raises flags. About six months ago, before he was publicly outed in the technology press, he approached Andrew O’Hagan, a Scottish novelist who wrote an “unauthorised autobiography” of Julian Assange, the founder of the whistle-blower site WikiLeaks. Since then the author, whose most recent novel, “The Illuminations”, was longlisted for the 2015 Man Booker Prize, has had complete access to Mr Wright and his family, as well as to his research and business colleagues. Mr O’Hagan is writing a long article for the London Review of Books on Mr Wright and “his journey towards revealing his work.” (Mr O’Hagan, too, has come to be convinced that Mr Wright is Mr Nakamoto.) This is no proof of an elaborate hoax, but does indicate that Mr Wright had begun thinking of going public long before he was outed—and may have other motivations than simply setting the record straight, though he denies this.

It pays, too, to bear in mind that Mr Wright’s outing will most likely be of benefit to those in the current bitcoin civil war who want to expand the block size quickly, whose number include Mr Matonis and Mr Andresen. Mr Wright says that if he could reinvent bitcoin, he would program in a steady increase of the block size. He also intends to publish mathematical proof that there is no trade-off between the mass adoption of the cryptocurrency and its remaining decentralised. Simulations on his supercomputer show, he says, that blocks could theoretically be as large as 340 gigabytes in a specialised bitcoin network shared by banks and large companies. And he is already trying to undermine the credibility of the faction that wants bitcoin to grow only slowly. In an article in the press kit accompanying the publication of his blog post, he takes aim at Gregory Maxwell, one of the leading bitcoin developers, who first claimed that the cryptographic keys in Mr Wright’s leaked documents were backdated. “Even experts have agendas,” he writes, “and the only means to ensure that trust is valid is to hold experts to a greater level of scrutiny.”

This heightened scrutiny will now fall on Mr Wright as well. Whether people will believe he is Mr Nakamoto will largely depend on what he does next. He does not appear to have a clear idea of what his role should be. After proving his identity, he says, he wants to disappear again—“just like Satoshi”. But he also seems to have big plans to influence the evolution of bitcoin. He is poised to release several pieces of research on how to improve the inner workings of the bitcoin system. Should these contributions be as brilliant as Mr Nakamoto’s white paper, even sceptics may come to accept that Mr Wright is indeed the inventor of bitcoin.

Mr Wright has no desire, he says, to become bitcoin’s benevolent dictator—akin to Linus Torvalds, who manages the development of Linux, the open-source operating system. He has launched a blog “with the vision to create a forum about bitcoin, which dispels myths and helps unleash its full potential,” according to the press release. Rather, he seems to style himself as something of an overlord for bitcoin—staying in the background, but intervening when he deems it necessary. If so, he is trying to do the opposite of what Sartre argued in his Nobel rejection speech: “The writer must therefore refuse to let himself be transformed into an institution, even if this occurs under the most honourable circumstances, as in the present case.”

Footnote: The Economist was given access to Mr Wright under the condition that we sign a non-disclosure agreement that prohibited us from writing about him before the publication of his blog post.

Dig deeper

Reuse this contentThe Trust Project