Bitcoin’s looming quantum threat just got a new twist — one that could let long-dormant holders prove control over their coins without publicly moving them.
Why this matters
A sufficiently powerful quantum computer could, in theory, derive private keys from exposed Bitcoin public keys and steal funds. That risk is concentrated in older address types that reveal public keys on-chain. Among those at risk are roughly 1.1 million BTC tied to Bitcoin’s pseudonymous creator, Satoshi Nakamoto — about $84 billion at today’s prices.
The conventional fix — and its downside
Prominent developer Jameson Lopp and five others proposed BIP-361 in mid-April: a soft-fork upgrade that would phase out quantum-vulnerable address types over a five-year schedule and ultimately freeze coins that haven’t migrated to quantum-safe formats. That would strongly reduce the window for quantum theft — but it creates a painful trade-off: dormant holders would have to “wake up” and reveal control of their addresses publicly (by moving coins) or risk losing access when the rules freeze those outputs.
A new option: PACTs (Provable Address-Control Timestamps)
Dan Robinson of Paradigm published an alternative designed to avoid that binary choice. His proposal, called Provable Address-Control Timestamps (PACTs), lets an owner prove prior control of an address without publishing anything publicly until they actually want to spend.
How PACTs work (high level)
- The owner generates a secret random salt and uses BIP-322 (a standard for signing messages from a Bitcoin address without spending) to create a proof of ownership.
- The salt + signature proof are combined into an on-chain commitment and anchored with a timestamp via OpenTimestamps — a service that batches and anchors data on Bitcoin.
- The salt, signature, and timestamp files remain private and are not revealed on-chain.
If the network later activates a freeze on vulnerable coins, a “rescue path” could allow those committed-but-hidden balances to be spent by presenting a STARK proof — a type of zero-knowledge proof believed to be secure even against quantum adversaries — showing the commitment existed before practical quantum computers arrived. The spender submits that STARK when they want to redeem the coins; the network releases the funds without revealing which address, how much, or the original timestamp.
What PACTs add (and what they don’t)
- PACTs would fill a gap in BIP-361 by providing a rescue mechanism for wallets derived via BIP-32 (the deterministic key derivation standard rolled out in 2012).
- However, many of Satoshi’s known addresses predate BIP-32. PACTs only protect coins if the keyholder actually creates and privately stores the commitment in advance. If Satoshi (or any long-gone private-key holder) is truly unreachable, no retroactive commitment can be made — and the coins remain exposed to either quantum theft or a community-enforced freeze.
Practical and protocol hurdles
PACTs are not a drop-in solution. They rely on future STARK verification being added to Bitcoin — something that would require its own soft fork, substantial consensus, and new verification “plumbing.” That includes standardized support across multisig setups, complex scripts, and hardware wallets. Robinson notes the verification infrastructure doesn’t exist today and would need careful design and ecosystem buy-in.
The bottom line
PACTs offer a clever middle path: reduce the chance of quantum theft without immediately forcing dormant keyholders into public action. But they’re not a silver bullet. They demand forward action from keyholders, major protocol upgrades, and broad community coordination. In short, they can make the BIP-361 debate less binary — but they can’t answer the single most public question: will Satoshi, or whoever controls those keys, take the step needed to save those coins?
Read more AI-generated news on: undefined/news
