The Satoshi Dilemma: Bitcoin’s Quantum Computing Challenge and a Potential Solution
The Looming Quantum Threat to Bitcoin’s Earliest Fortunes
Bitcoin has long faced whispered concerns about quantum computing, but these worries come with a particularly thorny problem at their core: what happens to Satoshi Nakamoto’s massive fortune? The issue isn’t theoretical anymore. Millions of bitcoin stored in older wallet formats with exposed public keys could become sitting ducks once quantum computers become powerful enough to derive the private keys behind those public keys. Among these vulnerable assets are approximately 1.1 million bitcoin believed to belong to Bitcoin’s mysterious creator, Satoshi Nakamoto—a stash currently valued at roughly $84 billion. These coins, along with countless others held in similar legacy addresses, represent not just wealth but a fundamental challenge to Bitcoin’s security model. The public keys associated with these older wallets are visible on the blockchain, and while today’s computers would take longer than the age of the universe to derive the corresponding private keys, sufficiently advanced quantum computers could theoretically accomplish this task in a matter of hours or even minutes. This creates an existential question for the Bitcoin community: how do you protect the network from a future threat without trampling on the property rights of people who’ve simply chosen not to move their coins for years or even decades?
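To make the distinction between "exposed" and "hidden" public keys concrete, here is an added example that is not code from the article or from any Bitcoin project. It pattern-matches raw output scripts against the standard Bitcoin templates and reports whether the key material itself sits on-chain (pay-to-pubkey) or only a hash of it does (pay-to-pubkey-hash, which becomes exposed only once the address signs a spend and is reused). It goes slightly beyond the article by also covering segwit and Taproot outputs. The hex scripts, addresses and balances are constructed filler, and the helper that sums "already exposed" funds is a hypothetical wallet-hygiene check.

```python
"""Classify Bitcoin output scripts (scriptPubKey) by whether the public key
is visible on-chain. Added illustration; not code from the article or any
Bitcoin project. Sample scripts below are constructed filler bytes."""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC


@dataclass(frozen=True)
class Classification:
    script_type: str
    pubkey_exposed: bool  # True when the key material is in the output script itself
    note: str


def classify_script_pubkey(script_hex: str) -> Classification:
    """Pattern-match the standard output templates (no full script interpreter)."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65 bytes of key> OP_CHECKSIG. The key is public from the first deposit.
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        return Classification("p2pk", True, "raw public key in the output script")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG. Only a hash is on-chain.
    if (len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Classification("p2pkh", False, "hash only; key appears in the spending input")
    # P2WPKH: OP_0 <20-byte hash>. Same hiding property as P2PKH.
    if len(s) == 22 and s[0] == OP_0 and s[1] == 0x14:
        return Classification("p2wpkh", False, "hash only; key appears in the witness")
    # P2TR: OP_1 <32-byte x-only key>. The output key is itself a public key.
    if len(s) == 34 and s[0] == OP_1 and s[1] == 0x20:
        return Classification("p2tr", True, "x-only output key in the script")
    return Classification("unknown", False, "non-standard or unrecognised template")


def exposed_balance(utxos, spent_addresses):
    """Sum funds whose public key is already visible on-chain (hypothetical check).

    utxos: iterable of (address, script_hex, sats). spent_addresses: set of
    addresses that have signed at least one spend, which reveals the key for
    the hash-based templates too (address reuse)."""
    total = 0
    for address, script_hex, sats in utxos:
        c = classify_script_pubkey(script_hex)
        if c.pubkey_exposed or (c.script_type in ("p2pkh", "p2wpkh") and address in spent_addresses):
            total += sats
    return total


# Constructed sample scripts (filler bytes, not real keys or hashes).
P2PK_UNCOMPRESSED = "41" + "04" + "11" * 64 + "ac"
P2PK_COMPRESSED = "21" + "02" + "11" * 32 + "ac"
P2PKH = "76a914" + "22" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
P2TR = "5120" + "44" * 32

SAMPLE_UTXOS = [
    ("addr-A", P2PK_UNCOMPRESSED, 50_0000_0000),  # 50 BTC in a 2009-style output
    ("addr-B", P2PKH, 10_0000_0000),              # never spent from: hash only
    ("addr-C", P2PKH, 5_0000_0000),               # reused address: key already revealed
    ("addr-D", P2WPKH, 1_0000_0000),
]
SAMPLE_SPENT = {"addr-C"}  # constructed: addr-C has signed a spend before

if __name__ == "__main__":
    for addr, script, sats in SAMPLE_UTXOS:
        print(addr, classify_script_pubkey(script))
    print("exposed sats:", exposed_balance(SAMPLE_UTXOS, SAMPLE_SPENT))
```

The point the sums make is that the "legacy" problem is not only about 2009-era pay-to-pubkey coins: a hash-based address becomes just as exposed the moment its owner signs one transaction and keeps receiving to it, which is why migration advice usually pairs "move to a new format" with "never reuse the old address".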
The Developer Response: BIP-361 and Its Uncomfortable Trade-offs
Faced with this quantum threat, prominent Bitcoin developer Jameson Lopp and five colleagues proposed a solution in mid-April 2024 through Bitcoin Improvement Proposal 361, or BIP-361. Their approach is straightforward but controversial: implement a soft fork—essentially an upgrade to Bitcoin’s existing rules—that would gradually phase out these quantum-vulnerable address formats over a five-year period. Under this proposal, holders would be required to move their bitcoin from old, exposed addresses into newer, quantum-resistant formats. Any coins that remained unmoved after the deadline would simply be frozen, rendered unspendable to prevent quantum-equipped thieves from stealing them. From a network security perspective, the logic is sound: better to lock potentially vulnerable coins than allow them to be stolen by whoever first develops adequate quantum computing power. However, this solution creates an uncomfortable secondary problem that strikes at the heart of what makes Bitcoin valuable to many of its supporters. The proposal would force Satoshi Nakamoto—and every other long-dormant holder—to make a choice: either wake up, reveal yourself publicly by moving your coins, or lose access to your assets forever. For privacy-conscious holders and particularly for Satoshi, whose identity remains one of cryptocurrency’s greatest mysteries, this represents an impossible dilemma. Coming forward would compromise anonymity; staying silent would mean financial loss.
Enter PACTs: A Clever Cryptographic Workaround
Dan Robinson, a general partner at cryptocurrency investment firm Paradigm, recognized this dilemma and on Friday published an innovative proposal that could thread the needle between security and privacy. His solution revolves around a concept he calls Provable Address-Control Timestamps, or PACTs for short. The elegance of Robinson’s approach lies in its fundamental insight: you don’t necessarily need to move coins to prove you own them—you just need to prove you owned them before quantum computers became a threat. Here’s how it works in practice: A bitcoin holder generates what’s called a “random salt,” which is essentially a piece of secret data that makes a cryptographic commitment unique and impossible to guess. They then use an existing standard called BIP-322, which allows someone to sign messages from a Bitcoin address without actually spending from it, to create proof of ownership. These two pieces—the salt and the proof—are bundled together into an onchain commitment and timestamped using OpenTimestamps, a free service that anchors data onto the Bitcoin blockchain through batched transactions. The crucial detail is that the salt, proof, and timestamp files all remain completely private, known only to the holder. Nothing is revealed to the public, preserving both privacy and anonymity while creating a verifiable record that could be used later if needed.
The Quantum-Resistant Redemption Process
The real genius of PACTs becomes apparent when considering how they would work if Bitcoin eventually activates a soft fork to freeze quantum-vulnerable coins. Robinson’s proposal includes what he calls a “rescue path” that would allow legitimate owners to reclaim their frozen assets without compromising their privacy. If such a freeze were implemented, the protocol could be designed to accept a STARK proof—a specific type of zero-knowledge proof that remains secure even against quantum computers—demonstrating that the holder created their commitment before quantum hardware became a realistic threat. When a holder wants to spend their frozen coins, they would submit this STARK proof to the network. The proof would verify ownership without revealing which specific address they control, how much bitcoin they hold, or even precisely when they created the original timestamp. The network would then release the coins for spending. This approach neatly addresses a specific weakness in the original BIP-361 proposal. BIP-361 includes a rescue mechanism only for wallets derived through BIP-32, the deterministic key generation standard introduced in 2012; PACTs extend protection to even older pre-2012 wallets—including most of Satoshi’s known addresses—which cannot be rescued through BIP-361’s limited path. This broader coverage is essential because the oldest and most vulnerable coins are precisely those that predate modern Bitcoin standards.
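The commitment step described in the previous section and the rescue check described here share one mechanism: a holder commits to (salt, proof) privately, has the commitment timestamped, and later convinces a verifier that the commitment opens correctly and predates the freeze. The following added example sketches both halves in plain commit-and-reveal form; it is not Dan Robinson’s code and not from any Bitcoin project. What it assumes and the article does not state: the commitment is a SHA-256 hash over the salt and the BIP-322 proof; the BIP-322 signed message is stood in for by an opaque byte string (verifying a real one needs a Bitcoin library); the OpenTimestamps attestation is modelled as the block height the verifier trusts it to resolve to; and the cutoff height is hypothetical. In the actual proposal the opening would be proven inside a STARK rather than revealed, which is what preserves anonymity at redemption time.

```python
"""Commit-and-reveal sketch of a Provable Address-Control Timestamp (PACT).

Added illustration; not Dan Robinson's code and not from any Bitcoin project.
Assumptions not stated in the article: the commitment is a SHA-256 hash over
the salt and the BIP-322 proof; the BIP-322 signed message is stood in for by
an opaque byte string; the OpenTimestamps attestation is modelled as the block
height the verifier trusts it resolves to. A production rescue path would
prove the same statement inside a STARK instead of revealing salt and proof."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

COMMIT_TAG = b"PACT-example-v0"  # hypothetical domain-separation label


@dataclass(frozen=True)
class Pact:
    salt: bytes        # random, kept private by the holder
    proof: bytes       # stand-in for a BIP-322 proof of address control
    commitment: bytes  # the only value handed to the timestamping service


def make_commitment(salt: bytes, proof: bytes) -> bytes:
    """Length-prefixed hash so the (salt, proof) boundary cannot be shifted."""
    h = hashlib.sha256()
    h.update(COMMIT_TAG)
    h.update(len(salt).to_bytes(2, "big") + salt)
    h.update(len(proof).to_bytes(4, "big") + proof)
    return h.digest()


def create_pact(proof: bytes) -> Pact:
    """Holder side: a fresh 32-byte salt makes the commitment unguessable and
    unlinkable even if the same proof is committed twice."""
    salt = secrets.token_bytes(32)
    return Pact(salt, proof, make_commitment(salt, proof))


def verify_rescue(commitment: bytes, salt: bytes, proof: bytes,
                  attested_height: int, cutoff_height: int) -> bool:
    """Verifier side of the rescue path.

    Accept only if the revealed (salt, proof) reopen the committed digest and
    the attestation anchors it strictly before the freeze cutoff. A real
    verifier would additionally check the BIP-322 signature against the frozen
    address and that the timestamp proof really resolves to that block."""
    if len(salt) < 16:  # a short salt defeats the hiding property; reject it
        return False
    if not hmac.compare_digest(make_commitment(salt, proof), commitment):
        return False
    return attested_height < cutoff_height


# Constructed sample run (placeholder proof and hypothetical heights).
SAMPLE_PROOF = b"bip322-proof-placeholder-for-addr-A"
CUTOFF_HEIGHT = 1_200_000   # hypothetical height at which legacy outputs freeze
ATTESTED_HEIGHT = 900_000   # hypothetical height the timestamp resolves to

SAMPLE_PACT = create_pact(SAMPLE_PROOF)

if __name__ == "__main__":
    ok = verify_rescue(SAMPLE_PACT.commitment, SAMPLE_PACT.salt, SAMPLE_PROOF,
                       ATTESTED_HEIGHT, CUTOFF_HEIGHT)
    print("commitment:", SAMPLE_PACT.commitment.hex())
    print("rescue accepted:", ok)
```

Two properties worth noticing when running it: committing the same proof twice yields two unrelated digests, which is the salt doing its job, and a commitment timestamped at or after the cutoff is refused even with a valid opening, because the timestamp is the only evidence that control predated the threat.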
The Technical Challenges and Infrastructure Requirements
As elegant as the PACTs concept may be, Robinson is upfront about its significant technical requirements. The solution would demand that Bitcoin eventually adopt a STARK verification protocol, which would itself require a separate soft fork with broad consensus from the Bitcoin community—never an easy achievement given the network’s deliberately conservative governance model. Currently, Bitcoin lacks the verification infrastructure that PACTs would need to function. Robinson acknowledges this would require what he terms “substantial new plumbing” within the Bitcoin protocol. This includes support for multisig wallets (those requiring multiple signatures to spend), complex scripts that enable sophisticated transaction conditions, and compatibility with hardware wallets, which store private keys offline for security. All of these components would need careful standardization and extensive testing before deployment. The technical lift is considerable, and implementing such changes to Bitcoin’s core protocol would require years of development work, security auditing, and community debate. However, there’s one constraint that even the cleverest cryptographic engineering cannot overcome, and it represents the ultimate limitation of the PACTs approach: the protocol can only protect Satoshi’s coins if Satoshi himself—or whoever currently controls those private keys—actually creates the commitment in the first place.
The Unanswerable Question at the Heart of Bitcoin’s Quantum Future
This brings us to the fundamental limitation that no technical solution can address: if Satoshi Nakamoto is genuinely gone, whether through death, lost keys, or simply a decision to permanently abandon those coins, no PACT can be retroactively created. The protocol requires active participation from whoever holds the private keys right now, before quantum computers arrive. If those keys are lost, destroyed, or held by someone who is no longer alive, those coins will remain exposed to whichever scenario arrives first—theft by quantum-equipped attackers or a community-imposed freeze. What PACTs do offer, however, is something perhaps equally valuable: they make the BIP-361 debate less of an all-or-nothing proposition. The current freeze proposal forces Bitcoin’s community into a stark binary choice between protecting the network against quantum theft on one hand and respecting the property rights of dormant holders on the other. PACTs provide a middle path that could satisfy both security concerns and privacy values, at least for holders who are still present and able to act. Whether Satoshi Nakamoto will take advantage of this option—whether by creating a PACT if the infrastructure is built or by moving coins before any freeze takes effect—remains the multi-billion-dollar question that no cryptographic protocol can answer. The mystery that has surrounded Bitcoin’s creator from the beginning continues to shape the network’s future in profound and unexpected ways, now extending even to how Bitcoin might defend itself against threats that didn’t exist when Satoshi first disappeared more than a decade ago.