Quantum Bitcoin Proposal Offers Satoshi Nakamoto a Way to Prove Control Without Moving BTC

Bitcoin’s quantum computing problems have always had a Satoshi problem.

Millions of bitcoins stored in old wallets with exposed public keys could be vulnerable to theft if sufficiently powerful quantum computers arrive. This includes approximately 1.1 million bitcoins attributed to pseudonymous creator Satoshi Nakamoto, currently worth around $84 billion.

The obvious defense is a soft fork (or upgrade to existing network rules) that eventually stops allowing spending from these legacy address types, forcing holders to move to quantum-secure formats before attackers can obtain their private keys.

Prominent developer Jameson Lopp and five other developers proposed exactly that in mid-April via BIP-361, which would phase out quantum-vulnerable addresses over a five-year time frame and freeze any coins that fail to migrate.

This proposal, however, creates a different problem. Satoshi, along with every other long-dormant holder, would have to surface publicly or risk losing access to their coins.

Dan Robinson, general partner at Paradigm, published a proposal Friday to get around this trade-off, built around the concept of provable address control timestamps, or PACTs.

The main idea is not to move coins, but to timestamp a proof of ownership to a specific date while revealing nothing to the public until the owner of the wallet actually needs to spend.

A holder generates a random salt, which is secret data used to make a cryptographic commitment unique and unguessable, and uses BIP-322, a standard for signing messages from a Bitcoin address without spending money, to produce proof of ownership.

The salt and proof are bundled into an on-chain pledge and are timestamped via OpenTimestamps, a free service that anchors data to the Bitcoin blockchain via a single batch transaction. The salt, proof and timestamp files remain private.

If Bitcoin later activates a soft fork that freezes quantum-vulnerable coins, the protocol could include a rescue path that accepts a STARK proof, a type of zero-knowledge proof that remains secure against quantum computers, showing that the holder created their pledge before quantum hardware existed.

The holder submits this proof when they want to spend and the network releases the coins. The redemption reveals nothing about the address, amount, or even the creation date of the original timestamp.
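To make the commit-and-anchor flow above concrete, here is a constructed toy model; it is an added example, not Robinson's code or the PACT specification. A salted commitment to (address, ownership proof) is placed as a leaf in a Merkle batch whose root is anchored at a block height, as OpenTimestamps does, and the rescue check verifies the opened pledge against a cutoff height. The placeholder ownership proof, the addresses and the cutoff height are all made up, and the STARK step is replaced by an in-the-clear opening so the logic is visible.

```python
import hashlib
import os
from typing import List, Optional, Tuple

# Constructed cutoff: the anchor must predate this height to count as
# "before quantum hardware existed" in this toy model.
CUTOFF_HEIGHT = 900_000


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_pledge(address: str, ownership_proof: bytes,
                salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build a PACT-style pledge: a salted commitment to (address, proof).
    Only the 32-byte commitment leaves the holder; salt and proof stay private,
    so the commitment alone links to no address or amount."""
    if salt is None:
        salt = os.urandom(32)
    commitment = sha256(salt + address.encode() + ownership_proof)
    return salt, commitment


def merkle_root_and_path(leaves: List[bytes], index: int):
    """Batch many commitments into one root (OpenTimestamps-style) and return
    the sibling path for the leaf at `index` as (sibling_hash, sibling_is_left)."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path


def verify_rescue(address: str, salt: bytes, ownership_proof: bytes, path,
                  anchored_root: bytes, anchored_height: int) -> bool:
    """Rescue check: the opened pledge must be a leaf under a root anchored
    before the cutoff. In PACT this opening happens inside a STARK, not in the clear."""
    if anchored_height >= CUTOFF_HEIGHT:
        return False
    node = sha256(salt + address.encode() + ownership_proof)
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return node == anchored_root


if __name__ == "__main__":
    proof = b"bip322-signature-placeholder"  # constructed stand-in for a BIP-322 proof
    salt, commitment = make_pledge("1ExampleLegacyAddr", proof)
    batch = [sha256(b"other-user-1"), commitment, sha256(b"other-user-2")]
    root, path = merkle_root_and_path(batch, 1)
    print(verify_rescue("1ExampleLegacyAddr", salt, proof, path, root, 850_000))
```

Changing the salt, the address or the anchor height past the cutoff makes `verify_rescue` return False, which is the property the rescue path depends on.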

PACTs also address a specific gap in BIP-361, whose own rescue path covers only wallets derived from BIP-32, the deterministic key generation standard introduced in 2012. Wallets created before 2012, including most known Satoshi addresses, do not use BIP-32 and cannot be rescued via that path.

That said, Robinson noted that PACTs require Bitcoin to eventually adopt a STARK verification protocol, which itself would require a separate soft fork with broad community consensus.

Verification infrastructure does not currently exist in Bitcoin and would require what Robinson calls “substantial new plumbing,” such as multisig wallets, complex scripts, and hardware wallet support that would all require careful standardization.

This last constraint is one that PACT cannot circumvent.

The protocol only protects Satoshi if Satoshi himself, or whoever currently controls these keys, makes the commitment. If Satoshi is truly gone, no PACT can be created retroactively. Coins remain exposed to whichever scenario happens first, quantum theft or community freeze.

What PACT offers is a way to make the debate on BIP-361 less binary. The current freeze proposal forces a choice between protecting against quantum theft and respecting dormant property rights.

Whether Satoshi will use it is the question PACT cannot answer.
