The most widespread theory about the identity of Satoshi Nakamoto seems to be that Satoshi was a group of persons, composed by Dave Kleiman, Craig S Wright and perhaps someone else.

I am not going to tackle the whole “who is Satoshi?” issue, and I will rather concentrate on a more specific problem: assuming the CSW+DK theory is correct, what is the fate of Satoshi’s fortune?

But first of all, let’s define what I mean by Satoshi’s fortune.

For the purposes of this article, with “Satoshi’s fortune” I refer to the about 980.000 bitcoins that were mined by Satoshi, first identified in a series of wonderful articles by Sergio Demian Lerner dating back to 2013.

Apart from the technical details identified by Sergio, these bitcoins share the following characteristics:

1) They have never been moved or spent, apart from 100 bitcoins.

2) They still reside at the addresses they were originally mined, almost 20.000 addresses, each containing 50 bitcoins.

Are these all of Satoshi’s bitcoins? Maybe not. But these are easily recognizable, definitely belong to Satoshi (they were mined since the very beginning of the blockchain) and are therefore the true symbol of Satoshi’s mining and actions.

Our sources

Of the supposed team, the only one talking today (and boy, is he talking!) is Craig S Wright.

To put it very delicately, Craig is often at odds with the factual truth. His statements and documents are somehow less than reliable, and a lot of people on the Interwebs outright call him a liar.

Nevertheless, and just for the sake of this article, I will take his words at face value.

I too am pretty convinced that what he says is often more driven by his interests than reality. But, historiographically speaking, an unreliable source can still give useful information to the historian, if he knows how to decode the source’s motives and intentions.

Mind you: I am not going to use his public statements of today, but rather the emails he sent to Ira, recently published in the case documents.

What he privately told to Ira Kleiman (Dave’s brother) is often at odds with what he is publicly saying today, because his agenda at that moment was different from his current one.

Most importantly, in those emails, he had to confront himself with factual reality, i.e. what Ira Kleiman knew of Dave, and what he had on the estate. Those emails are probably more trustworthy than his later public declarations.

And if, with a true suspension of disbelief, we take those emails at face value, everything points at the fact that Satoshi’s fortune is lost.

There might be other bitcoins at stake (locked in trusts, if we want to believe Craig), but the real Satoshi’s fortune (the almost 20.000 addresses each containing the freshly mined 50BTC) is gone forever.

Satoshi’s fortune belonged to Dave

Even if Craig claims to have some bitcoin in common with Dave, Satoshi’s fortune was Dave’s. CSW tells us:

Dave was smarter than I was in some ways. He broke his wallets into many 50BTC sized addresses. I left several large addresses that are not easy to move without making the world notice. (ex. 24 p. 7)

(he elsewhere gives a supposed list of his “large addresses”, and that list happens to be a fabrication, but that’s not the point here. We are interested in Satosh’s fortune, i.e. the “many 50BTC sized addresses”. They were Dave’s, in Craig’s own words)

Dave’s wallets are encrypted

When CSW first contacted Patrick Paige (DK’s partner in Computer Forensic LLC) he got this reply:

The issue would be that all his hard drives were encrypted including his cell phone. Do the wallets only exist on Dave’s computers or are there backups somewhere else? (ex 8 p. 5, emphasis mine)

Craig does not have that wallet

The first of Dave’s relatives to be contacted by Craig was Lou, Dave’s father:

Hello Louis,

Your son Dave and I are two of the three key people behind Bitcoin:

https://bitcoin.org/

http://www.motherjones.com/politics/2013/04/what-is-bitcoin-explained

If you have any of Dave’s computer systems, you need to save a file named “wallet.dat”. (ex. 23 p. 2)

Dave entrusted Craig with some backups, but they are encrypted, and Craig does not have the password:

I have files of Dave’s that I cannot access now. These are TrueCrypt partitions. We held backups for the other, but no passwords. I cannot access these. (ex. 24 p. 7)

He continues:

If I cannot finds (sic) a key or a password on these, I do not believe that I can on yours.

He hopes to be able to crack that encryption

Dave’s drives are a one day possible. Each year, it is possible to crack more than double the key length that was previously possible. What I know of Dave’s passwords places them at around 80 bits. We can expect them to be worth trying to crack in 10–12 years. Spending the next 5 years on this is going to cover 5–10% of the possibilities at a large cost. This is how crypto works. (ex. 24 p. 8)

But here Craig is sadly mistaken.

To begin with, I take exception to the remark: “Each year, it is possible to crack more than double the key length that was previously possible …. this is how crypto works”.

I would rather say that each year adds a fixed number of bits to the crackable key length. Not that it doubles the length. That’s a huge difference.

At the same time, it’s a detail: the worst part is that Craig is wrong on his basic assumption:

What I know of Dave’s passwords places them at around 80 bits.

Dave’s passwords

Is it plausible that Dave would use an 80-bit password for his wallet?

To give a rough idea, a password with 80 bits of entropy corresponds to a 17-character password containing just upper and lower case letters. While an 80-bit password is certainly a strong password, it is not in the level of “I need to protect this stuff as the holy grail of my life security!”, and certainly not from a guy like Dave

Let’s see Dave’s background, and his history with passwords. We surprisingly know quite a bit about this.

Dave was a security guy, with a real fixation on strong passwords.

We all know that we should use special characters in our passwords, and most of us add a “!” at the end of the password, feeling smart and secure.

Dave, on his side, was the kind of guy that (back in 2003) was discussing how to defeat password crackers by using special characters in the username. And by “special character” he meant things like Alt-251, not a puny exclamation mark.

He was acutely aware of the security problems with passwords and passwords cracking. In 2012 he gave a lecture (from his bed, BTW) about security issues and showed a few ways to extract passwords from a Microsoft machine, and (albeit in another context) he jokingly spoke about people having “64-character passwords with Unicode Characters”.

That was hyperbole, as all he was stating was that such a password is not brute-forceable, but that’s exactly the point: he knew very well that weak passwords are crackable.

As if all this was not enough, he was Technical editor of the book “Perfect passwords.”

that contains suggestions as:

Focus primarily on passwords that are 15–20 characters long … include the following elements whenever possible:

Use uppercase letters in positions beyond the the first character …

Use punctuation and other symbols as delimiters or bracketing throughout the password …

Use high-ASCII or Unicode characters where necessary for extra security

Moreover, Gizmodo reports that Dave’s partners (Patrick Paige and Carter Conrad) “recall watching him type in 40- and 50-character pass-phrases to access his devices and files”.

And that was just the login password to his everyday computer!

If he was using a 40–50 characters password (equivalent to at least 200 bits of entropy) for his PC, would he use a password with 80 bits of entropy for the encrypted backup of his wallet?

I think we can be reasonably sure that Dave’s wallet’s password has far more than 80 bits of entropy, and is therefore well beyond cracking.

It’s maybe not a coincidence that in the last years Craig has shown interest in supercomputers (even if that is not without controversy) but a paranoid-level password remains uncrackable even with the top performing machines of today and for many many many years.

The takeaway

Dave locked his bitcoins away for safekeeping and did it in a way that’s probably unbreakable. He was smart and set up excellent security for his fortune.

The only attacker, he didn’t defend them from, was his later self. He made them extra secure in his lifetime, did not care to secure them for his heirs.

As his friend and partner Patrick Paige says:

Dave was also my best friend and like a brother to me. He wasn’t in the right mindset when he decided to give up on life weeks before his death. (ex 8 p. 5)

I’m not saying that he should have left his bitcoins around, but at least he should have thought about his direct beneficiaries (when there was time), and for example, arrange so that his brother had the password after his death.

Let’s this be a warning for all of us: if we unexpectedly die or become incapacitated, what happens with our crypto? Are we leaving to our beneficiaries a (small how it may be) fortune, or a bunch of useless files, together with a good dose of regret?