Bitcoin’s quantum computing problems have always had a Satoshi problem inside.
Millions of bitcoin sitting in old wallets with exposed public keys could be vulnerable to theft if powerful enough quantum computers come along. That includes the roughly 1.1 million bitcoin attributed to pseudonymous creator Satoshi Nakamoto, which is currently worth about $84 billion.
The obvious defense is a soft fork (or an upgrade to existing network rules) that eventually stops allowing spending from these older address types, forcing holders to move into quantum-secure formats before attackers can derive their private keys.
Prominent developer Jameson Lopp and five other developers proposed exactly that in mid-April through BIP-361, which would phase out quantum-vulnerable addresses on a five-year timeline and freeze all coins that cannot migrate.
However, the proposal created another problem. Satoshi, and any other long-dormant holder, would have to wake up publicly or risk losing access to their assets.
Dan Robinson, a general partner at Paradigm, published a proposal on Friday for a way around that trade-off that revolves around the concept of provable address control timestamps, or PACTs.
The core idea is not to move coins but to timestamp a proof of ownership on a specific date, revealing nothing to the public until the owners of these wallets actually need to use it.
A holder generates a random salt, which is a piece of secret data used to make a cryptographic commitment unique and unguessable, and uses BIP-322, a standard for signing messages from a Bitcoin address without using it, to produce a proof of ownership.
The salt and proof are bundled together into an onchain commitment and timestamped through OpenTimestamps, a free service that anchors data on the Bitcoin blockchain through a single batch transaction. The salt, proof, and timestamp files remain private.
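The commit-and-batch step described above, as an added example that is not Robinson's or OpenTimestamps' code. It is a simplified model: the SHA-256 encoding, the Merkle batching layout and the placeholder standing in for a BIP-322 proof are all assumptions made for illustration.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_commitment(salt: bytes, proof: bytes) -> bytes:
    # Length-prefix the salt so the (salt, proof) boundary is unambiguous.
    return h(len(salt).to_bytes(2, "big") + salt + proof)

def merkle_root_and_path(leaves, index):
    """Return (root, path); path holds (sibling, sibling_is_left) pairs."""
    level, path = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad odd levels by repeating the last node
        sib = index ^ 1
        path.append((level[sib], sib < index))
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify(salt: bytes, proof: bytes, path, anchored_root: bytes) -> bool:
    # Recompute the commitment from the private files, then walk up to the root.
    node = make_commitment(salt, proof)
    for sibling, sibling_is_left in path:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node == anchored_root

def demo():
    salt = secrets.token_bytes(32)                      # kept private
    proof = b"CONSTRUCTED-PLACEHOLDER-FOR-BIP322-PROOF"  # kept private
    mine = make_commitment(salt, proof)
    # Constructed stand-ins for other users' commitments in the same batch.
    others = [h(b"other user %d" % i) for i in range(4)]
    batch = others[:2] + [mine] + others[2:]
    root, path = merkle_root_and_path(batch, 2)  # only the root goes onchain
    return salt, proof, path, root

if __name__ == "__main__":
    salt, proof, path, root = demo()
    print("anchored root:", root.hex())
    print("verifies with private files:", verify(salt, proof, path, root))
```

Only the batch root is published, so an observer sees a single hash that reveals neither the address nor the proof; the holder must keep the salt, proof and path to demonstrate later that the commitment was in the anchored batch.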
If Bitcoin later activates a soft fork that freezes quantum-vulnerable coins, the protocol could include a rescue path that accepts a STARK proof, a type of zero-knowledge proof that remains secure against quantum computers, showing that the holder created their commitment before quantum hardware existed.
The holder submits this proof when they want to spend, and the network releases the coins. The redemption reveals nothing about which address, what amount, or even when the original timestamp was created.
These PACTs also address a specific gap in BIP-361 by including a rescue path for wallets derived through BIP-32, the deterministic key generation standard introduced in 2012. Wallets from before 2012, including most of Satoshi’s known addresses, do not use BIP-32 and cannot be rescued through this path.
As such, Robinson stated that the PACTs require Bitcoin to eventually adopt a STARK verification protocol, which itself would need a separate soft fork with broad community consensus.
The verification infrastructure does not currently exist in Bitcoin and would need what Robinson calls “substantially new plumbing,” such as multisig wallets, complex scripts, and hardware wallet support, all of which would require careful standardization.
The last limitation is the one PACTs cannot work around.
The protocol only protects Satoshi if Satoshi himself, or whoever currently controls those keys, commits. If Satoshi is truly gone, no PACT can be created retroactively. The coins remain vulnerable to whichever scenario unfolds first, quantum theft or community freeze.
What PACTs offer is a way to make the BIP-361 debate less binary. The current freeze proposal forces a choice between protecting against quantum theft and respecting dormant property rights.
Whether Satoshi will use it is the question the PACTs cannot answer.



