Paradigm general partner Dan Robinson has introduced a cryptographic mechanism called Provable Address-Control Timestamps (PACTs), a proposal aimed at shielding long-dormant Bitcoin holdings from future quantum-computing attacks without forcing those coins to move on-chain. The design seeks to defuse a growing debate sparked by a separate soft-fork idea, known as BIP-361, that would phase out addresses vulnerable to quantum attacks and ultimately freeze any unmigrated funds—including coins attributed to Satoshi Nakamoto—on a fixed timeline.

Technology Overview

Bitcoin’s quantum-computing risk has a specific twist: millions of coins rest in old wallets where the public key has been exposed. If powerful quantum computers arrive, attackers could potentially derive corresponding private keys and spend those coins. That threat encompasses an estimated 1.1 million bitcoin attributed to Satoshi Nakamoto, a trove currently valued at around $84 billion. One straightforward network-level response has been to restrict spends from legacy address types through a soft fork, giving holders time to move their coins into quantum-resistant formats before any attacker can act.

In mid-April, prominent developer Jameson Lopp and five other contributors proposed exactly that approach via BIP-361. The plan lays out a five-year phase-out of quantum-vulnerable addresses and would freeze coins that do not migrate by the deadline. While such a measure prioritizes defense against potential quantum theft, it also creates a parallel concern: long-silent owners would have to publicly reappear and move their coins—or risk losing the ability to spend them later.

How It Works

Robinson’s PACTs proposal is designed to avoid that trade-off by separating proof of control from on-chain movement. Rather than relocating coins to a new address, a holder would privately create a timestamped proof that they control a given wallet, and then wait to disclose that proof only if and when spending becomes necessary.

The process begins with the holder generating a random “salt,” a secret piece of data that makes a cryptographic commitment unique and resistant to guessing. The holder then uses BIP-322—a standard for signing messages that demonstrate control over a Bitcoin address without spending from it—to produce a proof of ownership tied to that address.

Next, the salt and the BIP-322 proof are bundled into a commitment recorded on-chain and timestamped via OpenTimestamps, a free service that anchors data into the Bitcoin blockchain through a single batched transaction. Crucially, the underlying salt, the ownership proof, and the associated timestamp files remain private to the holder. No public movement of coins is required, and observers do not learn which address is being protected or even the exact timing of the commitment.
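The commit, batch, and private-opening flow described above can be sketched as follows. This is an added example, not code from Robinson's proposal, BIP-322 or OpenTimestamps. It assumes a commitment layout of SHA-256(salt || proof), uses a constructed placeholder in place of a real BIP-322 proof, and uses a simplified Merkle aggregation as a stand-in for OpenTimestamps batching.

```python
import hashlib
import hmac
import secrets

def sha256(data):
    return hashlib.sha256(data).digest()

def make_commitment(proof, salt=None):
    """Assumed layout: SHA-256(salt || proof); the salt stays private."""
    salt = salt or secrets.token_bytes(32)
    return salt, sha256(salt + proof)

def aggregate(leaves, index):
    """Fold a batch of commitments into one root; return (root, path for leaves[index])."""
    level, path = list(leaves), []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))  # (hash, sibling is on the left)
        nxt = [sha256(level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is carried up unchanged
        level, index = nxt, index // 2
    return level[0], path

def verify_opening(salt, proof, path, anchored_root):
    """Recompute the root from the private opening and compare in constant time."""
    node = sha256(salt + proof)
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return hmac.compare_digest(node, anchored_root)

if __name__ == "__main__":
    proof = b"CONSTRUCTED-PLACEHOLDER-BIP322-PROOF"  # not a real signature
    salt, commitment = make_commitment(proof)
    # Other users' commitments in the same batch (constructed random values).
    batch = [secrets.token_bytes(32) for _ in range(4)] + [commitment]
    root, path = aggregate(batch, 4)
    print("anchored root:", root.hex())
    print("opening verifies:", verify_opening(salt, proof, path, root))
```

Only the root would be anchored on-chain in this sketch; the salt, proof and path are the private material the holder has to retain, and losing any of them makes the commitment impossible to open later.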

PACTs envision a future contingency in which the Bitcoin network adopts a soft fork that freezes spends from quantum-vulnerable addresses. Under that scenario, the protocol could include a rescue path that accepts a STARK proof—a form of zero-knowledge proof designed to remain secure against quantum attacks—showing that the holder created their commitment before practical quantum hardware existed. When the holder eventually wants to spend, they submit the relevant STARK proof, and the network authorizes the redemption. The mechanism is intended to preserve privacy: the redemption would not reveal which specific address, the amount involved, or even the original timestamp date.

Industry Impact

In its current form, BIP-361’s freezing mechanism pits two priorities against one another: take proactive steps to reduce quantum risk, or avoid imposing a de facto requirement that dormant owners reveal themselves and move funds. PACTs attempt to soften that binary choice by allowing owners to pre-establish control—quietly and privately—while still giving the network a verifiable path to release funds in a post-freeze world.

The proposal also touches an implementation gap related to BIP-361 and BIP-32, the deterministic key derivation standard introduced in 2012. PACTs include a rescue path that covers wallets derived through BIP-32, addressing a specific shortcoming in BIP-361’s handling of these wallets. However, pre-2012 wallets—including most of Satoshi Nakamoto’s publicly known addresses—do not use BIP-32 and therefore cannot take advantage of that particular rescue path. Those older wallets could still benefit from PACTs, but only if their controllers create the necessary commitments in advance.

That constraint highlights a broader limitation: PACTs only work if the controller of a given wallet proactively generates the private timestamped proof. If the person or entity behind a dormant address is no longer available to act, a PACT cannot be created retroactively. In that case, the coins associated with that address would remain exposed to whichever event arrives first—successful quantum theft or an eventual community-led freeze of vulnerable address types.

Implementation Requirements

Robinson emphasizes that PACTs would require Bitcoin to adopt a STARK verification capability, which does not exist on the network today. Adding support for verifying these zero-knowledge proofs would necessitate a separate soft fork and broad consensus across the ecosystem. Beyond consensus, the operational requirements are substantial: the network would need what Robinson characterizes as “substantial new plumbing,” including standardized support across multisig wallets, more complex scripting pathways, and hardware wallets. Each of these layers would require careful specification and wide-ranging interoperability work before PACTs could function at scale.

OpenTimestamps plays a specific role in the PACTs model by anchoring commitments to Bitcoin in a compact, privacy-preserving manner. Because timestamping is performed in batched form, the on-chain footprint remains small and does not expose the details of individual commitments. Combined with BIP-322’s message-signing capability, the approach keeps verification possible while limiting what the public can infer from blockchain data alone.

Future Implications

By proposing a private, verifiable alternative to on-chain migration, PACTs reframe the quantum defense conversation. Instead of a one-way mandate to move legacy coins, the concept introduces a cryptographic attestation layer that can be activated later to prove longstanding control—ideally before quantum attackers or rigid freeze rules can jeopardize funds. The mechanism is designed to protect privacy, maintain optionality for dormant holders, and still provide the network with a trustworthy redemption check when needed.

Even so, PACTs are not a turnkey fix. Their viability hinges on future protocol changes that enable STARK verification and on ecosystem-wide tooling that can securely generate, store, and present the necessary proofs. Most significantly, PACTs rely on action by the current controllers of vulnerable wallets. If Satoshi Nakamoto—or any other long-dormant holder—does not create a commitment, PACTs cannot resurrect access after the fact. The approach narrows the policy dilemma set off by BIP-361, but it cannot resolve the uncertainty around who will act in time.

For now, PACTs offer a technically grounded path to make Bitcoin’s quantum defenses less of a zero-sum choice between theft prevention and dormant property rights. Whether the network ultimately adopts the required proof-verification infrastructure, and whether silent holders opt in by creating commitments, will determine how effectively Bitcoin can confront the quantum era without forcing the most famous dormant wallets to move. On that final question—whether Satoshi will use the tool—PACTs are silent by design.