Bitcoin faces a potential threat from quantum computers. If a sufficiently powerful quantum device emerges, old wallets with exposed public keys could become vulnerable to hacking. At risk are approximately 1.1 million bitcoins, which are believed to belong to the anonymous creator Satoshi Nakamoto, with a current value of about $84 billion.
The Core Problem with the Previous BIP-361 Solution
In mid-April, experienced developer Jameson Lopp, along with five colleagues, officially proposed a five-year protection plan through BIP-361. According to this plan, the network would gradually phase out addresses vulnerable to quantum attacks, and coins that are not successfully moved to secure addresses would be frozen.
However, this proposal created a dilemma for Satoshi Nakamoto and all other long-dormant holders. They would have to publicly "reveal themselves" and disclose their identity in order to move their coins; otherwise, they would risk permanently losing access to their assets.
The Paradigm Proposal
Dan Robinson, General Partner at the investment fund Paradigm, published an alternative proposal called PACTs (Provable Address-Control Timestamps).
The core idea of PACTs is not to move coins, but to create a timestamped proof of ownership as of a specific date, without revealing any information to the outside world until the wallet owner actually needs to spend the coins.
How It Works in Practice
The PACTs mechanism works in three steps:
- First, the owner generates a random nonce and uses the BIP-322 standard to create a cryptographic proof of ownership of the address without moving funds. The proof and nonce are then combined into a commitment and timestamped through the OpenTimestamps service, which anchors the data into Bitcoin's blockchain with a single batch transaction. All of these files stay private with the owner; only the commitment is ever published.
- If Bitcoin eventually implements a soft fork to freeze coins vulnerable to quantum attacks, the protocol could include a recovery path using STARK proofs, a type of zero-knowledge proof that remains secure even under quantum computation.
- When the holder wants to spend the coins, they send this proof to the network, and the network unlocks the corresponding coins. The redemption process reveals no information about the address, amount, or even the creation time of the original timestamp.
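The commit-then-reveal flow of step one, as an added Python sketch that is not PACTs code and does not reproduce the OpenTimestamps serialization: a nonce-blinded SHA-256 commitment over a constructed placeholder standing in for the BIP-322 proof bytes, batched into a Merkle root that plays the role of the anchored OpenTimestamps batch, and a later reveal that checks the proof, nonce and inclusion path against that root.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_commitment(proof: bytes, nonce: bytes) -> bytes:
    # Hiding commitment: the published value leaks nothing about the proof
    # (which names the address) unless the 32-byte nonce is also revealed.
    return sha256(nonce + proof)


def merkle_root_and_paths(leaves):
    # Simplified batch anchor (not the real OpenTimestamps tree): returns the
    # root plus, per leaf, its inclusion path as (sibling_hash, sibling_is_left).
    paths = [[] for _ in leaves]
    positions = list(range(len(leaves)))  # leaf index -> slot at current level
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd node out
        for leaf, pos in enumerate(positions):
            sibling = pos ^ 1
            paths[leaf].append((level[sibling], sibling < pos))
            positions[leaf] = pos // 2
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths


def verify_inclusion(leaf: bytes, path, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return node == root


def redeem(proof: bytes, nonce: bytes, path, root: bytes) -> bool:
    # What the holder reveals later: proof, nonce and path. A verifier recomputes
    # the commitment and checks it sits under the root anchored at timestamp time.
    return verify_inclusion(make_commitment(proof, nonce), path, root)


if __name__ == "__main__":
    # Constructed sample batch: three owners, placeholder proofs, fixed nonces.
    proofs = [b"constructed BIP-322 proof %d" % i for i in range(3)]
    nonces = [bytes([i]) * 32 for i in range(3)]
    root, paths = merkle_root_and_paths([make_commitment(p, n) for p, n in zip(proofs, nonces)])
    print(all(redeem(p, n, pa, root) for p, n, pa in zip(proofs, nonces, paths)))
```

Inclusion under the anchored root shows the commitment existed when the batch was anchored; the real scheme's STARK redemption additionally hides which commitment is being redeemed, which this sketch does not attempt.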
Key Advantages of PACTs
Unlike the migration window approach of BIP-361, PACTs allows owners to establish proof of ownership without broadcasting any on-chain activity. This protects privacy for long-dormant addresses, allowing Satoshi Nakamoto to maintain complete anonymity.
PACTs also addresses a specific gap in BIP-361. The PACTs standard includes a recovery path for wallets created with BIP-32, which appeared in 2012. Wallets created before 2012, including most of Satoshi's known addresses, do not use BIP-32 and cannot be recovered through the previous proposal.
Remaining Limitations
The system would require Bitcoin to adopt new STARK verification infrastructure through a soft fork with broad community consensus. Such verification infrastructure does not currently exist in Bitcoin and would require substantial new engineering. Multisignature wallets, complex scripts, and hardware wallet support would all need careful standardization.
The most important limitation is that PACTs only protects Satoshi if Satoshi himself, or the current owner of the corresponding keys, takes action now. If Satoshi is truly gone, no PACT can be created retroactively. The coins remain vulnerable to whichever threat materializes first, whether quantum theft or community freeze.
What PACTs genuinely offers is a way to make the debate around BIP-361 less binary, making it possible to avoid the harsh choice between protection from quantum theft and respect for the property rights of inactive holders.
