The Quantum Computing Dilemma in Bitcoin
Concerns about quantum computing have long been linked to the Satoshi problem in Bitcoin.
As quantum computers advance, there’s a risk that millions of Bitcoins held in older wallets with exposed public keys could be at risk of theft. Among these, approximately 1.1 million Bitcoins, attributed to the pseudonymous creator Satoshi Nakamoto, are currently valued around $84 billion.
A possible solution has been proposed: a soft fork, or an upgrade to the existing network rules, which would eventually prevent spending from older address formats and require owners to transition to a quantum-secure design before a quantum attacker could derive their private keys from the exposed public keys.
In mid-April, prominent developer Jameson Lopp and five others put forward such a plan through BIP-361. The idea was to phase out the old, vulnerable addresses over five years while freezing any coins that don’t migrate.
This proposal, however, raised a new issue. Those long-dormant holders, including Satoshi, would need to become active or risk losing access to their assets.
On Friday, Dan Robinson, a partner at Paradigm, shared a proposal aimed at sidestepping this dilemma, focusing on what he calls Provable Address-Control Timestamps (PACT).
The core idea is pretty interesting: instead of moving coins around, it would timestamp proof of ownership without revealing details until the wallet owners decide to spend.
The owner creates a random salt—secret data that makes cryptographic commitments unique—and generates a proof of ownership using BIP-322, a standard for signing messages with a Bitcoin address; producing the proof costs nothing.
The salt and proof are hashed into a commitment, and that commitment is timestamped with OpenTimestamps, a free service that anchors data to Bitcoin’s blockchain through a single batched transaction. The timestamping is done locally, and the salt and proof files themselves stay private with the owner.
If Bitcoin goes ahead with a soft fork that freezes coins vulnerable to quantum threats, there could be a rescue mechanism that accepts STARK proofs. These are zero-knowledge proofs that are secure against quantum computers, verifying that owners made commitments before the advent of quantum hardware.
When the owner decides to use the funds, they submit their proof to the network, which then releases the coin. The process doesn’t expose any information regarding the specific address, the amount, or the original timestamp.
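The commit-then-prove flow described above, as an added illustration that is not Robinson's code or any PACT implementation: a salted hash commitment over an ownership proof, a dictionary standing in for the OpenTimestamps anchor, and the rescue condition checked in the clear where PACT would check it inside a STARK. The commitment layout, the domain tag, the placeholder proof bytes and the block heights are all constructed assumptions.

```python
import hashlib
import secrets

TAG = b"PACT-commitment-v0"  # constructed domain-separation tag, not from any spec


def make_commitment(salt: bytes, proof: bytes) -> str:
    """Hash-commit to a BIP-322 style ownership proof under a random salt.

    The salt keeps the commitment hiding: without it, nobody can test whether
    a published digest corresponds to a given address or proof.
    """
    if len(salt) < 32:
        raise ValueError("salt must be at least 32 random bytes")
    h = hashlib.sha256()
    h.update(TAG)
    h.update(len(salt).to_bytes(2, "big") + salt)    # length-prefixed fields
    h.update(len(proof).to_bytes(4, "big") + proof)  # avoid boundary ambiguity
    return h.hexdigest()


def anchor(ledger: dict, commitment: str, block_height: int) -> None:
    """Stand-in for an OpenTimestamps anchor: keep only the earliest height
    at which this digest was attested (a later re-anchor cannot backdate)."""
    ledger.setdefault(commitment, block_height)


def rescue_check(ledger: dict, salt: bytes, proof: bytes, cutoff_height: int) -> bool:
    """Rescue condition: the recomputed commitment was anchored strictly before
    the cutoff height. In PACT this statement would be proven in a STARK so
    salt and proof are never revealed; here it is evaluated in the clear."""
    anchored_at = ledger.get(make_commitment(salt, proof))
    return anchored_at is not None and anchored_at < cutoff_height


def demo() -> dict:
    """Constructed scenario: one early commitment, one late, one wrong opening."""
    ledger = {}
    proof = b"BIP322-proof-placeholder"  # constructed stand-in for a real signature
    cutoff = 1_000_000                   # hypothetical freeze height
    salt_early = secrets.token_bytes(32)
    anchor(ledger, make_commitment(salt_early, proof), 900_000)
    salt_late = secrets.token_bytes(32)
    anchor(ledger, make_commitment(salt_late, proof), cutoff + 1)
    return {
        "early_ok": rescue_check(ledger, salt_early, proof, cutoff),
        "late_commit": rescue_check(ledger, salt_late, proof, cutoff),
        "wrong_salt": rescue_check(ledger, secrets.token_bytes(32), proof, cutoff),
    }
```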
PACT could also fill a gap in BIP-361, whose proposed wallet rescue path depends on BIP-32, a key generation standard developed in 2012. Many older wallets, including most of Satoshi’s known addresses, don’t use BIP-32, making them ineligible for that rescue route.
Robinson mentions that adopting PACT would require Bitcoin to eventually embrace the STARK verification protocol, which, in turn, would need a separate soft fork and community consensus to implement.
He notes that the current infrastructure for validation doesn’t exist in Bitcoin. It would require what he describes as “substantial new plumbing,” encompassing multisig wallets, complex scripts, and hardware wallet support—all needing careful standardization.
The protocol does have a crucial limitation. It can only protect Satoshi if a commitment is made by Satoshi or the present key holder. If Satoshi is indeed no longer active, then, unfortunately, PACT can’t be initiated retroactively. The coins will remain exposed to either quantum theft or the community freeze, whichever happens first.
PACT aims to streamline the BIP-361 discussion. The current proposal creates a hard choice: either protect against quantum theft or uphold the property rights of dormant holders. Whether or not Satoshi will take action remains a question PACT cannot answer.