Bitcoin’s quantum proposal offers Satoshi Nakamoto a way to demonstrate control without moving BTC


Bitcoin’s quantum computing concerns have always had a Satoshi problem within them.

Millions of bitcoins stored in old wallets with exposed public keys could be vulnerable to theft if sufficiently powerful quantum computers arrive. That includes the roughly 1.1 million bitcoins attributed to pseudonymous creator Satoshi Nakamoto, which are currently worth about $84 billion.

The obvious defense is a soft fork (or an update to existing network rules) that eventually stops allowing spends from those legacy address types, forcing holders to move to quantum-safe formats before attackers can obtain their private keys.

Prominent developer Jameson Lopp and five other developers proposed exactly that in mid-April via BIP-361, which would phase out quantum-vulnerable address types over a five-year timeline and freeze any coins that had not migrated by the end of it.

However, that proposal created a different problem. Satoshi, and all other long-dormant holders, would have to publicly wake up or risk losing access to their assets.

Dan Robinson, general partner at Paradigm, on Friday published a proposal to resolve that dilemma. It revolves around the concept of verifiable address control timestamps, or PACT.

The core idea is not to move coins, but to timestamp a proof of ownership on a specific date and reveal nothing to the public until the wallet's owner actually needs to spend.

A holder generates a random salt, a secret piece of data that makes a cryptographic commitment unique and prevents anyone from guessing what it hides, and uses BIP-322, a standard for signing messages with the keys of a Bitcoin address without spending from it, to produce a proof of ownership.

The salt and proof are combined into a commitment that is time-stamped via OpenTimestamps, a free service that anchors data to the Bitcoin blockchain through a single batched transaction. The salt, proof, and timestamp files remain private.

If Bitcoin later activates a soft fork that freezes quantum-vulnerable coins, the protocol could include a rescue path that accepts a STARK proof, a type of zero-knowledge proof that remains secure against quantum computers, showing that the holder created their commitment before quantum hardware capable of breaking the keys existed.

The holder presents that proof when they want to spend, and the network releases the coins. The proof reveals nothing about which address or amount is involved, or even when the original timestamp was created.
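As an added illustration, not code from Robinson's proposal or from any Bitcoin project, the following Python models the commit-then-reveal flow described above: a private salt and ownership proof are hashed into a commitment, only that digest is anchored with a timestamp, and a later rescue claim is accepted only if the revealed pact recomputes to an anchored digest that predates the cutoff. The BIP-322 signature, the OpenTimestamps attestation and the STARK are replaced by constructed stand-ins (`demo_signer`, the `ANCHORED` table, and a plain-text check), so it shows the data flow and what stays private, not the real cryptography.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed cutoff: Unix time before which a commitment must have been
# anchored. A real soft fork would tie this to a block height instead.
QUANTUM_CUTOFF = 1_900_000_000

# Constructed stand-in for OpenTimestamps: digest -> time it was anchored.
# Only the digest is ever published; the pact itself stays with the holder.
ANCHORED = {}

@dataclass(frozen=True)
class Pact:
    address: str
    ownership_proof: bytes  # stands in for a BIP-322 signature over the salt
    salt: bytes             # 32 random bytes, never published

def commitment(pact: Pact) -> bytes:
    # Length-prefixed hash of (address, proof, salt). The random salt makes
    # the digest unpredictable, so publishing it reveals nothing about the
    # address, and two pacts for the same address are unlinkable.
    h = hashlib.sha256(b"PACT-demo-v0")
    for part in (pact.address.encode(), pact.ownership_proof, pact.salt):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def create_pact(address: str, signer, now: int) -> Pact:
    # Holder side: fresh salt, ownership proof over it, anchor only the digest.
    salt = os.urandom(32)
    pact = Pact(address, signer(address, salt), salt)
    ANCHORED[commitment(pact)] = now
    return pact

def rescue_claim_valid(pact: Pact, verifier) -> bool:
    # Network side: the statement a STARK would prove without revealing the
    # pact. Here it is checked in the clear: the pact recomputes to an
    # anchored digest, the anchor predates the cutoff, and the proof verifies.
    anchored_at = ANCHORED.get(commitment(pact))
    if anchored_at is None or anchored_at >= QUANTUM_CUTOFF:
        return False
    return verifier(pact.address, pact.salt, pact.ownership_proof)

def demo_signer(address: str, salt: bytes) -> bytes:
    # Constructed placeholder for BIP-322 signing: hash of address||salt.
    return hashlib.sha256(address.encode() + salt).digest()

def demo_verifier(address: str, salt: bytes, proof: bytes) -> bool:
    return proof == demo_signer(address, salt)
```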

PACTs also address a specific gap in BIP-361, which includes a rescue path only for wallets derived through BIP-32, the deterministic key generation standard introduced in 2012. Wallets predating BIP-32, including most known Satoshi addresses, cannot be rescued through that path.

Robinson stated that PACTs require Bitcoin to eventually adopt a STARK verification protocol, which would in turn need a separate soft fork with broad community consensus.

STARK verification infrastructure does not currently exist in Bitcoin and would require what Robinson calls “substantial new facilities,” including support for multi-signature wallets, complex scripts, and hardware wallets, all of which would need careful standardization.

There is one limitation, however, that PACT cannot overcome.

The protocol only protects Satoshi if Satoshi himself, or whoever currently controls those keys, is still around to create a PACT. If Satoshi is truly gone, no PACT can be created retroactively, and the coins remain exposed to whichever scenario comes first: quantum theft or a community freeze.

What PACTs do offer is a way to make the BIP-361 debate less binary. The current freeze proposal forces a choice between protecting against quantum theft and respecting latent property rights.

Whether Satoshi will use it is the question the PACTs cannot answer.
