Bitcoin’s quantum computing problem has always carried a Satoshi Nakamoto problem within it.
If sufficiently powerful quantum computers arrive, millions of Bitcoins stored in old wallets with exposed public keys could be easily stolen. This includes approximately 1.1 million Bitcoins owned by anonymous creator Satoshi Nakamoto, currently worth approximately $84 billion.
The obvious defense would be a soft fork (an upgrade to the existing network rules) that would eventually stop allowing spending from these legacy address types, forcing holders to move to a quantum-safe format before an attacker can obtain their private keys.
Prominent developer Jameson Lopp and five other developers put forward such a plan in mid-April as BIP-361, which would phase out quantum-fragile addresses over five years and freeze any tokens that cannot be migrated.
However, this proposal creates a different problem. Satoshi Nakamoto and all other long-dormant holders must wake up publicly or risk losing access to their assets.
Paradigm general partner Dan Robinson on Friday released a proposal that addresses this trade-off, built around the concept of Provable Address Control Timestamps (PACT).
The core idea is not to transfer coins but to timestamp a proof of ownership as of a specific date, revealing nothing to the public until the owners of those wallets actually need to spend.
The holder generates a random salt, a secret piece of data used to make the cryptographic commitment unique and unguessable, and uses BIP-322, a standard for signing messages from a Bitcoin address without spending from it, to generate proof of ownership.
Salts and proofs are bundled together to form on-chain commitments and timestamped via OpenTimestamps, a free service that anchors data to the Bitcoin blockchain through a single batch transaction. Salt, proof, and timestamp files remain private.
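The commit-then-timestamp flow described above, as an added Python sketch that is not Robinson's code or the OpenTimestamps file format. The hash layout, the function names and the placeholder proof bytes are assumptions, and the opening is checked in the clear here rather than inside a STARK.

```python
import hashlib, hmac, secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_commitment(salt: bytes, proof: bytes) -> bytes:
    # Assumed layout: H(len(salt) || salt || proof); the length prefix keeps
    # the salt/proof boundary unambiguous.
    return sha256(len(salt).to_bytes(2, "big") + salt + proof)

def batch(leaves: list, index: int):
    """Fold many commitments into one root; return (root, path for leaves[index])."""
    level, path = list(leaves), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        nxt = [sha256(level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level, index = nxt, index // 2
    return level[0], path

def verify_opening(salt, proof, path, anchored_root) -> bool:
    """Recompute the commitment from the private salt and proof, then walk the path."""
    node = make_commitment(salt, proof)
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return hmac.compare_digest(node, anchored_root)

if __name__ == "__main__":
    salt = secrets.token_bytes(32)                    # kept private by the holder
    proof = b"CONSTRUCTED-PLACEHOLDER-BIP322-PROOF"   # constructed, not a real signature
    others = [sha256(b"constructed other user %d" % i) for i in range(4)]
    leaves = others[:2] + [make_commitment(salt, proof)] + others[2:]
    root, path = batch(leaves, 2)                     # only the root would be anchored on-chain
    print("anchored root:", root.hex())
    print("opening verifies:", verify_opening(salt, proof, path, root))
    print("wrong salt verifies:", verify_opening(secrets.token_bytes(32), proof, path, root))
```

Only the batch root is public in this model, so a holder who loses the salt, the proof or the path can no longer open the commitment.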
If Bitcoin subsequently activates a soft fork that freezes quantum-fragile coins, the protocol may include a rescue path that accepts STARK proofs, a type of zero-knowledge proof that remains secure against quantum computers, showing that holders made a commitment before the quantum hardware existed.
Holders submit this proof when they want to spend, and the network releases the tokens. The exchange process does not reveal any addresses, amounts, or even when the original timestamp was created.
These PACTs also address specific gaps in BIP-361 by including a rescue path for wallets derived through BIP-32, the deterministic key generation standard introduced in 2012. Wallets prior to 2012, including most known addresses of Satoshi Nakamoto, do not use BIP-32 and cannot be rescued via this path.
Robinson said that PACT requires Bitcoin to eventually adopt the STARK verification protocol, which itself requires a separate soft fork with broad community consensus.
The validation infrastructure does not currently exist in Bitcoin and would require what Robinson calls “substantial new plumbing,” such as multi-signature wallets, complex scripts, and hardware wallet support, all of which require careful standardization.
The last limitation is something that PACT cannot solve.
The protocol will only protect Satoshi if there is a commitment from Satoshi himself or the person currently in control of those keys. If Satoshi Nakamoto really has disappeared, a PACT cannot be created retroactively. These tokens will then be at risk of quantum theft or a community freeze, whichever happens first.
PACT does offer a way to make the BIP-361 debate less binary. The current freeze proposal forces a choice between preventing quantum theft and respecting dormant property rights.
Whether Satoshi Nakamoto would use it is a question that PACT cannot answer.