Paradigm researcher Dan Robinson has proposed a new mechanism that could let long-dormant Bitcoin holders, including Satoshi Nakamoto, preserve a future claim to their coins if Bitcoin ever has to restrict spending from quantum-vulnerable addresses. The proposal, called Provable Address-Control Timestamps, or PACTs, is designed to let holders prove they controlled an address before cryptographically relevant quantum computers emerged, without moving their BTC today. The idea addresses one of the most sensitive questions in Bitcoin’s post-quantum debate: what happens to early coins sitting in addresses with exposed public keys. In a May 1 research post titled “PACTs: Protecting Your Bitcoin From a Quantum Sunset,” Robinson warned that “an attacker with a powerful enough quantum computer could steal hundreds of billions of dollars of Bitcoin.” He argued that the community may one day choose to “sunset” the ability to spend from addresses whose public keys have already been revealed onchain. PACTs Offer Satoshi A Quiet Bitcoin Rescue Option That path would be controversial. Bitcoin’s culture strongly protects the right of holders to remain inactive for years, even decades. But Robinson frames the issue as a dilemma with no clean default if cryptographically relevant quantum computers, or CRQCs, become unavoidable. “If an upgrade sunsets support for those addresses, these dormant holders will be forced to publicly move their coins or let them be frozen. But if quantum computers are coming and we don’t sunset those addresses, those holders will be forced to move those coins or let them be stolen. Either path seems to force long-time holders to give up some of their privacy by publicly moving their funds.” The problem is especially acute for Satoshi-era Bitcoin. Robinson notes that wallets believed to belong to Satoshi Nakamoto hold around 1.1 million BTC, worth more than $75 billion based on the figures used in the post. Many of those coins predate modern deterministic wallet standards such as BIP-32, making them harder to rescue through some of the zero-knowledge proof paths already discussed in relation to BIP-361 . BIP-361, in draft form, has proposed a soft fork that would eventually sunset spending from addresses with exposed public keys. Rescue paths have also been discussed for certain wallet types, particularly where a holder can prove knowledge of a parent key that a quantum attacker would not have. Robinson’s point is that this does not solve the earliest address problem. PACTs attempt to create that missing escape hatch. The proposal would let holders make a private, off-chain commitment today showing that they controlled a vulnerable UTXO before any quantum attacker could derive the relevant private key. They would do so by generating a secret salt, producing a BIP-322 full message signing proof for the vulnerable scriptPubKey, hashing that proof into a commitment, and timestamping the commitment through OpenTimestamps. The holder would not broadcast a Bitcoin transaction. They would store the salt, the BIP-322 proof, and the OpenTimestamps proof file as a recovery artifact. The timestamp itself would reveal nothing about the address, public key, control proof, salt, or coins involved. “This does not require Bitcoin to decide today whether a sunset is necessary,” Robinson wrote. “It only gives holders a silent, no-onchain-cost way to preserve evidence that may become useful if such a sunset is ever adopted.” If a future Bitcoin fork did freeze or sunset ECDSA spending from exposed public keys, a holder could later provide a post-quantum-secure proof, such as a STARK, showing that the timestamped commitment existed before a cutoff date and that it corresponds to a valid control proof for the frozen UTXO. Crucially, the salt and control proof would remain hidden, and the rescue proof would be tied to a specific transaction to prevent replay or redirection. Robinson is careful to present PACTs as an illustrative design rather than a formal Bitcoin proposal. The commitment phase relies on existing primitives, but the rescue phase would require “substantial new plumbing” inside Bitcoin’s protocol. There is also no guarantee that Bitcoin would ever adopt such a rescue path, or even choose to sunset quantum-unsafe keys at all. Still, the proposal is notable because it separates two decisions that are often bundled together: whether Bitcoin should ever impose a quantum sunset, and whether holders can begin preserving evidence of legitimate ownership before that debate is resolved. For early holders, that distinction matters. PACTs would not eliminate the quantum problem, but they could give dormant wallets a way to prepare without revealing themselves first. “Bitcoin is about preparing for the long term, hedging for tail risks, and self-reliance,” Robinson concluded. “If there is a way to plant a seed now that will give us an advantage over cryptographic attackers in a possible future, then long-term holders should take it.” At press time, BTC traded at $79,690.
