
Bitcoin Quantum Attack Could Steal Satoshi Nakamoto Coins And Paradigm Has a Fix


Paradigm's Dan Robinson proposes PACTs, a way to protect Bitcoin wallets from quantum attacks without moving coins. Here's how it works and what it means for Satoshi's holdings.

Soumen Datta

May 4, 2026


Paradigm general partner Dan Robinson has published a proposal for a system called Provable Address-Control Timestamps, or PACTs, that would let Bitcoin holders privately prove ownership of their wallets today and use that proof to reclaim funds later if the network ever freezes quantum-vulnerable addresses. The proposal is designed to protect dormant wallets, including those believed to belong to Satoshi Nakamoto, without requiring any public onchain action now.

The system works in two steps: a private commitment made today using existing Bitcoin tools, and a quantum-resistant proof submitted later if a soft fork ever freezes legacy address types. No Bitcoin transaction is needed to create the commitment, and the process reveals nothing publicly about the holder, their address, or their balance.

What Is The Quantum Threat To Bitcoin?

Bitcoin addresses that have exposed public keys are vulnerable to a future class of computers known as cryptographically relevant quantum computers, or CRQCs. A CRQC powerful enough could derive a private key from a known public key, allowing an attacker to steal funds from any address where the public key has been revealed onchain.

Paradigm estimates that hundreds of billions of dollars worth of Bitcoin sits in addresses with exposed public keys. Wallets believed to belong to Satoshi Nakamoto alone hold approximately 1.1 million BTC, worth more than $75 billion at current prices. Those wallets predate the BIP-32 key generation standard introduced in 2012 and have no existing rescue path under current proposals.

What Did BIP-361 Propose And Why Is It Controversial?

Developer Jameson Lopp and five co-authors published BIP-361 in mid-April, proposing a five-year timeline to phase out quantum-vulnerable addresses. Any coins not migrated to quantum-safe formats by the deadline would be frozen permanently.

The proposal creates a serious problem for long-dormant holders. Moving coins is a public onchain action. It reveals that a wallet is still active, exposes timing patterns, links between wallets, and potentially IP addresses. For Satoshi Nakamoto specifically, moving coins would confirm the pseudonymous creator is alive and still in possession of their keys. That is a disclosure many in the Bitcoin community consider unacceptable to force.

BIP-361 does include a rescue path for wallets derived through BIP-32, using zero-knowledge proofs of parent key knowledge. But pre-2012 wallets, including most of Satoshi's known addresses, do not use BIP-32 and cannot be rescued through that route.

How Do PACTs Work?

PACTs offer a third path. The protocol has two distinct phases.

Step One: The Commitment

The holder generates a 256-bit secret salt, a random piece of private data that makes the commitment unique and unguessable. They then use BIP-322, a standard for signing messages from a Bitcoin address without broadcasting a transaction, to produce a proof of control over the vulnerable address.

The salt and the BIP-322 proof are combined into a single commitment hash. That hash is then timestamped using OpenTimestamps, a free open-source service that batches data into a Merkle tree and embeds the root in a Bitcoin OP_RETURN output. The holder stores the salt, the proof, and the timestamp file privately. Nothing is broadcast. Nothing is revealed. The process costs nothing.

Robinson noted that this is possible because Satoshi designed Bitcoin as a distributed timestamp server in the 2008 white paper, and OpenTimestamps has used that design to offer free, trustless timestamping for years.

Step Two: The Rescue

If Bitcoin later activates a soft fork that freezes quantum-vulnerable addresses, that upgrade could also define a rescue path for PACT holders. To spend a frozen coin, the holder submits a STARK proof, a type of zero-knowledge proof that is secure against quantum computers, demonstrating three things:

  • They knew a valid salt and BIP-322 control proof
  • That combination hashes to a commitment timestamped before the PACT cutoff date
  • The rescue proof is bound to the specific transaction, preventing it from being copied or reused

The salt and BIP-322 proof are never revealed during redemption. The network confirms only that the holder had control before the cutoff. The amount, address, and timestamp remain private.
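To make the two phases concrete, here is an added toy model written for this explanation; it is not Paradigm's code, and the real PACT commitment format has not been standardised. The BIP-322 proof is a constructed placeholder rather than a real signature, the `PACT-commit-toy` tag, the batch of other commitments and the root-to-block-height map standing in for the OP_RETURN attestation are all assumptions. Step one builds the commitment hash and batches it into a Merkle tree the way OpenTimestamps aggregates many timestamps under one root; step two performs in the clear the three checks that the STARK rescue proof would establish in zero knowledge.

```python
import hashlib
import secrets
from dataclasses import dataclass


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def make_commitment(salt: bytes, bip322_proof: bytes) -> bytes:
    """Commitment = H(tag || salt || proof). The tag is an assumption of this toy;
    the 256-bit salt keeps the hash unguessable even if the proof bytes leak."""
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes (256 bits)")
    return sha256(b"PACT-commit-toy", salt, bip322_proof)


def merkle_root_and_paths(leaves: list[bytes]):
    """Return (root, paths); paths[i] lists the (sibling, sibling_is_left) pairs
    needed to recompute the root from leaves[i]. An odd level duplicates its
    last node, as Bitcoin's own transaction tree does."""
    if not leaves:
        raise ValueError("empty batch")
    paths = [[] for _ in leaves]
    index = list(range(len(leaves)))  # current position of leaf i in `level`
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for i, pos in enumerate(index):
            sib = pos ^ 1
            paths[i].append((level[sib], sib < pos))
            index[i] = pos // 2
        level = [sha256(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths


def merkle_verify(leaf: bytes, path, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in path:
        node = sha256(sibling, node) if sibling_is_left else sha256(node, sibling)
    return node == root


@dataclass
class PactReceipt:
    """What the holder keeps privately: salt, BIP-322 proof, and the
    OpenTimestamps-style inclusion path up to an anchored Merkle root."""
    salt: bytes
    bip322_proof: bytes
    path: list
    root: bytes


def create_pact(bip322_proof: bytes, batch: list[bytes], salt: bytes = None) -> PactReceipt:
    """Step one. `batch` stands in for the other commitments the timestamping
    service aggregates with ours; only the root ever reaches the chain."""
    salt = salt or secrets.token_bytes(32)
    commitment = make_commitment(salt, bip322_proof)
    root, paths = merkle_root_and_paths(batch + [commitment])
    return PactReceipt(salt, bip322_proof, paths[-1], root)


def verify_rescue(receipt: PactReceipt, attested_roots: dict, cutoff_height: int,
                  proof_txid: bytes, spending_txid: bytes) -> bool:
    """Step two, done in the clear. The proposal has the holder prove these same
    three facts inside a STARK so that salt and proof stay hidden; here the
    verifier sees them so the logic is visible. `attested_roots` maps a Merkle
    root to the (constructed) block height at which it was anchored."""
    # 1. the holder knows a salt and control proof that hash to the leaf
    commitment = make_commitment(receipt.salt, receipt.bip322_proof)
    # 2. that leaf sits under a root anchored before the PACT cutoff
    if not merkle_verify(commitment, receipt.path, receipt.root):
        return False
    height = attested_roots.get(receipt.root)
    if height is None or height >= cutoff_height:
        return False
    # 3. the proof is bound to the transaction being validated, so it cannot be
    #    copied and reused to spend the same coins elsewhere
    return proof_txid == spending_txid


if __name__ == "__main__":
    # Constructed sample data: a fake BIP-322 proof, four other commitments
    # sharing the batch, and an attestation at block 900000 with cutoff 1000000.
    fake_proof = b"constructed BIP-322 control proof"
    others = [sha256(b"other-commitment", bytes([i])) for i in range(4)]
    receipt = create_pact(fake_proof, others)
    anchored = {receipt.root: 900_000}
    print("rescue valid:", verify_rescue(receipt, anchored, 1_000_000, b"tx1", b"tx1"))
    print("replayed to another tx:", verify_rescue(receipt, anchored, 1_000_000, b"tx1", b"tx2"))
```

Running it with the constructed data accepts the bound rescue and rejects the replayed one. Note what the clear-text verifier learns: the salt, the control proof and therefore the address. That is exactly the leak the STARK in the proposal exists to avoid, since it lets the network check the same predicate (known preimage, anchored before the cutoff, bound to this transaction) without seeing any of those values.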

What Is A STARK And Why Does It Matter Here?

STARK stands for Scalable Transparent Argument of Knowledge. It is a type of zero-knowledge proof that allows one party to prove they know something without revealing what that something is. Unlike older proof systems, STARKs do not rely on elliptic curve cryptography, which means they remain secure even if quantum computers can break the elliptic-curve signature scheme Bitcoin currently uses.

Adding STARK verification to Bitcoin would require a soft fork, and Robinson acknowledged this represents substantial new infrastructure for the protocol.

What Are The Risks Of PACTs?

Robinson was direct about the limitations of the proposal.

  • Bitcoin may never implement a quantum sunset at all, making PACTs unnecessary
  • Even if a sunset happens, this specific rescue path may not be included in that upgrade
  • Holders should not rely solely on PACTs for protection until a rescue protocol is formally adopted into the protocol
  • The design does not extend cleanly to multisig wallets, complex scripts, or custodial accounts, all of which require additional standardization work
  • Holders must protect their salt, BIP-322 proof, and OpenTimestamps file as recovery artifacts, since losing any of them removes the rescue option

Robinson argued the low cost of creating a commitment justifies acting once a standard format is agreed upon, even given those uncertainties.

How Does The Proposal Fit Into The Broader Quantum Debate?

The PACTs proposal builds on BIP-361 rather than replacing it. It closes a specific gap that BIP-361 leaves open: pre-BIP-32 wallets with no existing rescue route. Robinson cited Jeremy Rubin's earlier discussions on similar concepts in the Delving Bitcoin forum as prior work in the same direction.

Bitcoin developers and quantum researchers responded quickly on X after publication. Discussion focused on:

  • STARK integration timelines and what a soft fork adding zero-knowledge proof verification would require
  • Whether the privacy protections would hold in practice under adversarial conditions
  • The feasibility of setting a PACT cutoff date that predates any realistic CRQC capability

Robinson acknowledged the design is illustrative and requires input from cryptographers, Bitcoin developers, and the broader community before it could be considered a formal proposal.

Conclusion

Paradigm's PACTs proposal gives Bitcoin holders a free, private way to timestamp proof of wallet control today using BIP-322 signing and OpenTimestamps. If Bitcoin ever adopts a quantum sunset via soft fork, holders could submit STARK proofs to reclaim frozen funds without revealing their address, balance, or identity. The system requires STARK verification infrastructure to be added to Bitcoin and depends on a future rescue path being included in any sunset upgrade. It does not apply cleanly to multisig or custodial wallets and carries no guarantee of adoption. For pre-BIP-32 wallets, including those linked to Satoshi Nakamoto's estimated 1.1 million BTC, it is the only rescue option currently proposed.

Resources

  1. Proposal by Paradigm general partner Dan Robinson: PACTs: Protecting Your Bitcoin From a Quantum Sunset

  2. BIP-361

  3. Report by CoinDesk: New Bitcoin quantum proposal offers Satoshi Nakamoto a way to prove control without moving BTC

Frequently Asked Questions

What is a PACT in Bitcoin?

A PACT, or Provable Address-Control Timestamp, is a private cryptographic commitment that lets a Bitcoin holder prove they controlled a wallet before quantum computers could have derived the private key. The holder timestamps a commitment using OpenTimestamps today and can later submit a STARK proof to reclaim funds if Bitcoin freezes quantum-vulnerable addresses through a soft fork.

Does creating a PACT require a Bitcoin transaction?

No. Creating a PACT requires no onchain transaction by the holder. The commitment hash is batched into an OpenTimestamps Merkle tree and embedded in a Bitcoin OP_RETURN output by the timestamping service, not by the holder. The process is free and reveals nothing about the holder's address, balance, or identity.

Can PACTs protect Satoshi Nakamoto's Bitcoin?

Potentially, but only if whoever controls those keys creates a PACT before a quantum computer derives the private keys or before a community-imposed freeze takes effect. Satoshi's wallets predate BIP-32 and have no existing rescue path under BIP-361. PACTs are specifically designed to fill that gap, but the rescue path must first be adopted into the Bitcoin protocol through a soft fork before it can be used.

Disclaimer

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCN. The information provided in this article is for educational and entertainment purposes only and should not be construed as investment advice, or advice of any kind. BSCN assumes no responsibility for any investment decisions made based on the information provided in this article. If you believe that the article should be amended, please reach out to the BSCN team by emailing [email protected].

Author

Soumen Datta

Soumen has been a crypto researcher since 2020 and holds a master’s in Physics. His writing and research has been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.
