PGP and Me
Summary
- Charles Hoskinson discusses the importance of verifying identity in the cryptocurrency space, particularly for well-known figures.
- He emphasizes the use of PGP signatures as a method of non-repudiable identity verification.
- Hoskinson's PGP key is charles.hoskinson@gmail.com, which he has used since 2013.
- The video includes a tutorial on how to create and verify signatures using public key cryptography, specifically PGP.
- He explains the process of hashing a message (using SHA-256) and encrypting it with a private key to create a signature.
- Kleopatra is mentioned as a tool for encrypting and decrypting messages and managing PGP keys.
- Hoskinson stresses that anyone claiming to be a cryptocurrency founder should be able to provide a signature to verify their identity.
- He references the importance of signatures in the context of generative AI, advocating for signed content to distinguish real from fake.
- Lace, a product mentioned, will integrate identity verification tools, including decentralized identifiers (DIDs).
- The need for verified content and signatures is highlighted as essential in a future where AI-generated content becomes increasingly realistic.
Full Transcript
Hi, this is Charles Hoskinson broadcasting live from warm, sunny Colorado. Always warm, always sunny—sometimes Colorado. I'm making a quick video today to talk about something that is of vital importance for any cryptocurrency founder. There is this problem: I am a famous person who is well-known, and when I join anything—a Discord, a mailing list, or whatever—instantly a lot of people run and say, "Oh my lord, is this Charles Hoskinson or is it not Charles Hoskinson?" So, how do I verify that I am who I say I am in a way that you can verify?
Anyone with a cryptographic or mathematical background, or who uses cryptography in industry, should have this expectation. If anyone ever asserts to be me, what you should do is ask for a PGP signature. My known key, my PGP key, is charles.hoskinson@gmail.com, and I have used it since 2013.
It is my root of trust, my identity. Satoshi has a key, I have a key, and any person who does cryptography has a PGP credential. What I'm going to show you is a quick tutorial on how this works and how you can verify certain things. So, here's what we're going to do: I'm going to share my screen. Let me grab my little thingabob.
Brilliant. Now, I'm just going to pull that over there. There we go. So, basically, what we're going to learn about today is signatures. Signatures are the primary method of non-repudiable identity.
I claim that I’m Charles Hoskinson, and I should be the only person in the world who can claim that. Modern cryptography works on the concept of public key cryptography. In public key cryptography, you have two keys: a public key, which everybody in the world knows or can access, and a private key, which only the person associated with it knows. When you spend Bitcoin or ADA or whatever, you are actually signing a transaction with this private key. So, let's talk a little bit about how signatures work.
In this case, I'm using PGP. You have a message M, which can be anything—like "I am Charles." You take the message and hash it, producing a hash representation, which we'll call H. You typically use an algorithm like SHA-256, which is the algorithm that Bitcoin uses and is common on the internet. You create a hash from your message, then encrypt the hash with the private key, creating ciphertext.
I’m going to show you an actual example of this. Then, you transmit the message you’ve signed with the signed hash, which is the ciphertext. Let's take a look at a payload together in a real-life example. Okay, we'll stop sharing that part and open up Kleopatra, a common application used for encrypting and decrypting messages. This right here is a message I just posted on the Midnight forum because people were understandably skeptical of my identity.
I said, "This is the real Charles Hoskinson in the Midnight Discord on November 11th, 2025." That is the hash, and the hash standard was SHA-256. Then we did the encryption part, which is the encrypted payload right here. If you have the public key, you can click "decrypt and verify," and it says, "Wait a minute, this is a valid signature from Charles Hoskinson." It decrypts the message to a hash, takes the hash I generated, and compares it to the message.
If those two things are the same, the only person in the world who could have done this is the one who had the private key. So, if anyone comes in and asserts to be me, you should ask, "Hang on, can you sign a message real quick?" It works well if you give them a random string of characters or a sentence to sign because they couldn’t have pre-signed it ahead of time. I’m the only person who knows that.
My key is right here, the charles.hoskinson key, and I've been using it since 2012. If you go to my Twitter, my PGP fingerprint is right there. If you Google "Charles Hoskinson PGP key," you can find it. You can download Kleopatra and upload my public key. Let me show you an example where I have only the public key but never the private key.
I have the Charles.hoskinson@gmail key, created on October 28th, 2013, and the IOHK key, created in 2016. I also have this key right here, the Satoshi key. Look at that—Satoshi Nakamoto. Do I have both parts of it?
No, I only have the public part of Satoshi’s key. If someone asserts to be Satoshi Nakamoto and has the private part of the key, then I can enter whatever message they want into my notepad, put it there, and click "decrypt and verify." It will tell me if the person who has the Satoshi key is the real Satoshi Nakamoto. The only person in the world who has that key or should have that key is him, and that was created on October 30th, 2008, associated with the Bitcoin white paper. That’s why we know it was him.
This key right here is my primary key, and I use it for all of my official correspondences in a non-repudiable sense. This is my work key; if people want to send me encrypted emails, they use that. Anyone can create a PGP key; it’s free. Kleopatra is a great application for that. It has all the machinery to create keys, sign with keys, certify keys, and more.
Typically, these are connected to key servers like MIT’s key server. The notepad is really convenient; it allows you to write any message, decide your recipients, and encrypt them—even with a password. You enter a message, click "sign," and share the message. Then you can decrypt or verify the message just by clicking a button. This is the standard of proof for everything in the cryptocurrency space.
Don’t trust me; trust the math. If anyone ever asserts to be Vitalik Buterin, Gavin Wood, or any cryptocurrency founder, the bare minimum you should ask for is a signature. This is super easy to do. When Craig Wright asserted to be Satoshi Nakamoto, I said, "Okay, great. Sign a message for me."
Either sign it with one of the Genesis keys in the Bitcoin block because you mined those things, or sign it with the Satoshi GMX key. Then we could have a real conversation. It took me literally 30 seconds to sign this message. I’m sharing my Discord here, and I scroll up. It took me literally 30 seconds to generate this message.
That is the standard we should hold everybody accountable to. Only 30 seconds. This is the real Charles Hoskinson. That’s the encrypted payload. The standard was SHA-256, and the encryption algorithm is PGP.
If you have my public key, which is easy to find, you can copy-paste that message right into Kleopatra and verify that it is indeed me. It’s that simple. If Craig Wright can’t do that for Bitcoin, he has no business asserting that he is Satoshi Nakamoto because it’s easy to do this, and if you have the credentials, you can do it. That’s the standard of proof for identity. Lace continues to evolve as a product, and we will have an identity center in Lace.
We’re going to take some of these old tools that were written in the '90s and 2000s and integrate them into Lace. If we have it in Lace, it should be easy to do this with DIDs because DIDs have cryptography associated with them. Just food for thought, but I figured I’d make a video quickly to showcase the burden of proof and how we do these things. Always stay skeptical. By the way, in a world of generative AI, when you see a video of me speaking or an artifact that looks like me, we have to have verified content and verified people.
Moving forward, every stream needs to be signed. Every message, every video needs to be signed content and have an NFT associated with it. Basically, the NFT represents the hash, and you sign that. It’s the only way we’re going to know. Generative AI is going to get so good that it will be very difficult for people to tell the difference between real people and fake people.
You now need to live in a world of signatures because AI can’t forge a signature no matter how hard it tries. That’s what’s going to help you determine what’s real and what’s not real. This is becoming increasingly important. Anyway, just wanted to share something quickly with you guys. Cheers.
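The hash-then-sign flow and the fresh random challenge described in the transcript, as an added example that is not from the video or the speaker: textbook RSA over a SHA-256 digest with a constructed, deliberately weak demo key (the function names `new_challenge` and `check_claim` are hypothetical). Real OpenPGP signatures add padding and metadata and are checked with GnuPG or Kleopatra; this block only models the math.

```python
import hashlib
import secrets

# Constructed demo key: two Mersenne primes, trivially factorable.
# Illustration only; never use a key like this for anything real.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (the hash H in the talk)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Private-key holder: transform H with the private exponent."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone with the public key: recover H from the signature and compare."""
    return pow(signature, e, n) == digest_int(message)


def new_challenge(claimed_name: str) -> bytes:
    """Verifier picks a fresh random string so nothing can be pre-signed."""
    return f"{claimed_name} proof {secrets.token_hex(16)}".encode()


def check_claim(challenge: bytes, signed_message: bytes, signature: int) -> bool:
    """Accept only a valid signature over the exact challenge we issued."""
    return signed_message == challenge and verify(signed_message, signature)


if __name__ == "__main__":
    challenge = new_challenge("claimed-founder")
    sig = sign(challenge)
    print("fresh challenge accepted:", check_claim(challenge, challenge, sig))
    # A genuine signature over an older message must not satisfy a new challenge.
    old = b"an earlier signed post"
    print("replayed signature accepted:", check_claim(challenge, old, sign(old)))
```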