Concerns surrounding Bitcoin and its vulnerability to quantum computing have intensified, spotlighting a significant issue involving Satoshi Nakamoto, the pseudonymous creator of the cryptocurrency. Estimates suggest that around 1.1 million Bitcoin, valued at approximately $84 billion, are linked to Nakamoto's addresses, many of which use outdated wallet formats that expose the public key on-chain, making them susceptible to theft if sufficiently advanced quantum computers are developed.
To address this threat, prominent figures in the Bitcoin development community, including Jameson Lopp and five other developers, proposed a solution in mid-April. The proposal, outlined in BIP-361, aims to implement a soft fork—an upgrade to the existing network rules—that would phase out transactions from legacy address types susceptible to quantum attacks over a five-year period. In doing so, it would compel users to move their holdings into more secure, quantum-resistant formats. However, this approach presents a dilemma: dormant holders like Satoshi would need to activate their wallets publicly, or else lose access to their assets altogether.
In response to these challenges, Dan Robinson, a partner at Paradigm, unveiled an alternative strategy centered on Provable Address-Control Timestamps (PACTs). Instead of necessitating the movement of coins, PACTs focus on establishing a timestamp that verifies ownership without disclosing any details until the wallet owner decides to make a transaction.
The proposed mechanism involves creating a random salt, which serves as secret data to ensure each cryptographic commitment remains unique. By employing BIP-322, a standard that allows users to sign messages without spending from their Bitcoin addresses, a proof of ownership can be generated. This proof, along with the salt, is then combined into an on-chain commitment and timestamped using OpenTimestamps, a free service that anchors data onto the Bitcoin blockchain.
Should a soft fork be enacted that freezes quantum-vulnerable coins, the protocol could include a recovery pathway where holders would submit a STARK proof—a secure form of zero-knowledge proof resilient against quantum threats. This proof would demonstrate that the commitment was created before the advent of quantum computing technology. Crucially, this redemption process would maintain privacy by revealing no details about the address or amount involved.
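The commit-and-open structure described in the two paragraphs above, as an added illustration in Python that is not code from Robinson's proposal or any PACT implementation: the BIP-322 proof is a constructed placeholder string, the OpenTimestamps attestation is represented by a constructed block height, and the STARK step is replaced by an opening check done in the clear. The domain tag and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Domain tag is an assumption for this example, not from any published PACT spec;
# it keeps the digest from colliding with other hashed data.
DOMAIN_TAG = b"PACT-example-v0"

# Constructed stand-in for a BIP-322 proof. A real one is a BIP-322 signature,
# made with the address's private key, over a message of the owner's choosing.
SAMPLE_PROOF = b"BIP322-PROOF-PLACEHOLDER|bc1q...example|sig-bytes"


def make_salt() -> bytes:
    """32 random bytes: the secret that keeps the commitment unlinkable to the address."""
    return os.urandom(32)


def pact_commitment(salt: bytes, bip322_proof: bytes) -> bytes:
    """SHA-256(tag || salt || proof). Only this digest is published (e.g. via OpenTimestamps)."""
    if len(salt) < 16:
        raise ValueError("salt too short to hide the proof")
    return hashlib.sha256(DOMAIN_TAG + salt + bip322_proof).digest()


def verify_opening(commitment: bytes, salt: bytes, bip322_proof: bytes) -> bool:
    """Does the revealed (salt, proof) pair open the published commitment?"""
    return hmac.compare_digest(commitment, pact_commitment(salt, bip322_proof))


def redeemable(commitment: bytes, attested_height: int, cutoff_height: int,
               salt: bytes, bip322_proof: bytes) -> bool:
    """Recovery check after a freeze: the commitment must open correctly AND have been
    timestamped before the cutoff block. A real PACT would prove both facts inside a
    STARK so that salt, proof and address stay private; here they are revealed."""
    return attested_height < cutoff_height and verify_opening(commitment, salt, bip322_proof)


if __name__ == "__main__":
    salt = make_salt()
    c = pact_commitment(salt, SAMPLE_PROOF)
    print("commitment:", c.hex())
    # Constructed attestation: pretend OpenTimestamps anchored c at height 900_000.
    print("redeemable:", redeemable(c, 900_000, 1_000_000, salt, SAMPLE_PROOF))
```

Without the salt, the published digest reveals nothing about which address or proof it commits to, which is the privacy property the recovery pathway relies on.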
Moreover, PACTs address a notable limitation of BIP-361 by creating a recovery option for wallets generated through BIP-32, the deterministic key generation standard adopted in 2012. Many older wallets, including those associated with Satoshi, do not conform to this standard, leaving them without a recovery method under the initial proposal.
However, implementing PACTs would still require Bitcoin to adopt a STARK verification protocol, necessitating an additional soft fork and considerable consensus within the community. The current infrastructure lacks the necessary verification capabilities, calling for extensive new developments, including multisig wallets and sophisticated scripts that need rigorous standardization.
Despite the promise of PACTs, they ultimately hinge on the commitment of the wallet owner. If Satoshi, or whoever possesses control over those keys, does not generate the commitment, the coins would remain vulnerable to the impending risks—either theft by a quantum adversary or the community’s enforcement of a freeze.
Robinson’s proposal thus provides a nuanced alternative to the BIP-361 dilemma, offering a way to navigate the balance between safeguarding against quantum threats and honoring dormant ownership rights. Yet, the lingering uncertainty remains about whether Satoshi or the current keyholders will engage with this emerging solution.