Bitcoin quantum proposal offers Satoshi Nakamoto a way to prove control without moving BTC

May 1, 2026


A new design proposed by venture fund Paradigm would let holders privately timestamp proof that they control vulnerable keys before quantum computers arrive, creating a possible rescue path if Bitcoin ever sunsets old addresses.

By Shaurya Malwa

May 2, 2026, 6:24 a.m. 3 min read

  • A new proposal called Provable Address-Control Timestamps, or PACTs, aims to protect old bitcoin wallets from future quantum-computing attacks without forcing their owners to move coins now.
  • PACTs let holders privately timestamp cryptographic proofs of ownership today and later use quantum-resistant STARK proofs to unlock their coins if the network freezes vulnerable addresses.
  • The system would require Bitcoin to adopt new STARK verification infrastructure via a soft fork and can only safeguard Satoshi Nakamoto’s coins if whoever controls those keys acts before quantum theft or a community-imposed freeze occurs.

Bitcoin’s quantum computing concerns have always had a Satoshi problem inside them.

Millions of bitcoin sitting in old wallets with exposed public keys could be vulnerable to theft if powerful enough quantum computers arrive. That includes the roughly 1.1 million bitcoin attributed to pseudonymous creator Satoshi Nakamoto, currently worth around $84 billion.

The obvious defense is a soft fork (or an upgrade to existing network rules) that eventually stops allowing spends from those legacy address types, forcing holders to move into quantum-safe formats before attackers can derive their private keys.

Prominent developer Jameson Lopp and five other developers proposed exactly that in mid-April through BIP-361, which would phase out quantum-vulnerable addresses on a five-year timeline and freeze any coins that fail to migrate.

That proposal created a different problem, however. Satoshi, and every other long-dormant holder, would have to wake up publicly or risk losing access to their assets.

Dan Robinson, a general partner at Paradigm, published a proposal Friday for a way around that trade-off that revolves around the concept of Provable Address-Control Timestamps, or PACTs.

The core idea is not to move coins but to timestamp proof of ownership at a specific date and reveal nothing to the public until the owners of those wallets actually need to spend.

A holder generates a random salt, which is a piece of secret data used to make a cryptographic commitment unique and unguessable, and uses BIP-322, a standard for signing messages from a Bitcoin address without spending from it, to produce a proof of ownership.

The salt and proof are bundled together into an onchain commitment, which is then timestamped through OpenTimestamps, a free service that anchors data onto the Bitcoin blockchain through a single batched transaction. The salt, proof, and timestamp files stay private.
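The commit-then-timestamp flow described above can be sketched as follows. This is an added example, not code from the article or from Robinson's proposal. It assumes the commitment is SHA-256(salt || proof), uses a plain binary Merkle tree as a stand-in for OpenTimestamps batching, and uses a constructed byte string in place of a real BIP-322 signature.

```python
import hashlib
import hmac
import secrets

def sha256(data):
    return hashlib.sha256(data).digest()

def commit(proof, salt=None):
    """Assumed construction: commitment = SHA-256(salt || proof)."""
    salt = salt or secrets.token_bytes(32)   # random salt keeps the commitment unguessable
    return salt, sha256(salt + proof)

def batch(leaves, index):
    """Fold many commitments into one root (the value anchored on-chain)
    and return the sibling path that links leaves[index] to that root."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # pad odd levels (toy rule)
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_opening(salt, proof, path, anchored_root):
    """Recompute the commitment from the private files and walk it to the root."""
    node = sha256(salt + proof)
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return hmac.compare_digest(node, anchored_root)

def demo():
    proof = b"constructed-placeholder-for-a-BIP-322-signature"
    salt, commitment = commit(proof)
    # Four unrelated commitments from other users share the same batch.
    others = [sha256(b"other-user-%d" % i) for i in range(4)]
    leaves = others[:2] + [commitment] + others[2:]
    root, path = batch(leaves, 2)
    return {
        "valid": verify_opening(salt, proof, path, root),
        "wrong_salt": verify_opening(secrets.token_bytes(32), proof, path, root),
        "forged_proof": verify_opening(salt, b"signature-made-later", path, root),
        "public_bytes": len(root),
    }

if __name__ == "__main__":
    print(demo())
```

Only the 32-byte root is published in this model; the salt, proof, and sibling path are the private files the holder keeps until redemption.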

If Bitcoin later activates a soft fork that freezes quantum-vulnerable coins, the protocol could include a rescue path that accepts a STARK proof, a type of zero-knowledge proof that remains secure against quantum computers, showing the holder created their commitment before quantum hardware existed.

The holder submits that proof when they want to spend, and the network releases the coins. The redemption reveals nothing about which address, which amount, or even when the original timestamp was created.

These PACTs also address a specific gap in BIP-361 by including a rescue path for wallets derived through BIP-32, the deterministic key generation standard introduced in 2012. Pre-2012 wallets, including most of Satoshi’s known addresses, do not use BIP-32 and cannot be rescued through that path.


As such, Robinson stated that the PACTs require Bitcoin to eventually adopt a STARK verification protocol, which would itself need a separate soft fork with broad community consensus.

The verification infrastructure does not exist in Bitcoin currently and would need what Robinson calls “substantial new plumbing,” such as multisig wallets, complex scripts, and hardware wallet support that would all need careful standardization.

That last constraint is the one PACTs cannot work around.

The protocol only protects Satoshi if Satoshi himself, or whoever currently controls those keys, makes the commitment. If Satoshi is genuinely gone, no PACT can be retroactively created. The coins remain exposed to whichever scenario plays out first, quantum theft or community freeze.

What PACTs do offer is a way to make the BIP-361 debate less binary. The current freeze proposal forces a choice between protecting against quantum theft and respecting dormant property rights.

Whether Satoshi will use it is the question PACTs cannot answer.
