The third antidote to quantum panic: Satoshi Nakamoto's secret lifeboat

In mid-April, the Blockchain wrote a popular science article discussing the BIP-361 proposal and two remedies for the quantum threat. At that time, the conclusion was: ordinary users with BIP-39 mnemonic phrases need not worry; there is an escape route. The ones truly stuck are the ancient whales before 2013—those without mnemonics, holding bare private keys, including Satoshi Nakamoto.

The Blockchain stated then that this is a triple dilemma: either watch your coins be frozen by quantum, be stolen by quantum hackers, or come forward and move your coins in advance.

Unexpectedly, less than a month later, on May 2nd, Paradigm partner Dan Robinson released a new proposal called PACTs, short for Provable Address-Control Timestamps.

This is the third remedy for quantum panic. It offers a new choice to holders of bare private keys, including Satoshi.

Review to Gain New Insights

Regarding the quantum threat, ordinary users don’t need to be overly anxious. The reasons were already clearly explained in the Blockchain article from mid-April.

The current BTC system has two critical vulnerabilities against quantum computers. The first is that public keys are exposed during transactions. The second is that some old addresses’ public keys have long been written openly on the chain. For the first, QSB solutions provide a fallback; for the second, the community proposed BIP-361, planning to freeze all quantum-vulnerable old addresses in five years, and to provide a zero-knowledge proof-based migration channel (an escape route).

But the escape route has a hard prerequisite: you must have a BIP-39 mnemonic phrase.

BIP-39 was introduced in 2013. Twelve or twenty-four English words can restore the entire wallet. Moreover, the derivation from mnemonic to private key involves 2048 hash iterations, making it very difficult for quantum computers to reverse-engineer.

Early whales used a completely different method. Private keys were just private keys, backed up as wallet.dat files (or even written down by hand). No mnemonics, no standardized recovery mechanism.

Satoshi Nakamoto mined from 2009 to 2010. He used P2PK addresses, where the public key was directly exposed; his private keys did not have corresponding BIP-39 mnemonics.

This is the core insight of the Blockchain article: people after 2013 have mnemonics and can use ZK proofs to rescue themselves; those before 2013 with bare private keys have no mnemonics, can only prove ownership with a traditional signature, and in the quantum era that signature exposes the very key it is meant to protect.

Satoshi Nakamoto is caught in this triple dilemma.

What Are PACTs

Dan Robinson’s proposal attempts to provide a new way for Satoshi-like addresses to build their own lifeboats and escape.

The core idea of PACTs is simple: do not move coins, only prove ownership, and do so quietly before the quantum threat arrives.

How exactly?

First step: generate the proof ahead of time, before the quantum era. The holder of an old address's private key signs a random message using the BIP-322 standard, creating a unique proof of ownership. Then a random salt is added (think of it as seasoning the proof so that others cannot brute-force the original message). Next, the signature and salt are bundled, anchored to the Bitcoin blockchain via OpenTimestamps, and stamped with a permanent timestamp. All of these files are kept private, not publicly disclosed.

Second step: when coins need to be moved, present the proof. Suppose Bitcoin adopts BIP-361 and freezes all old addresses vulnerable to quantum attacks. At this point, if you want to unfreeze those coins, you can use a STARK proof to demonstrate to the entire network that you created that time capsule before the quantum threat.

STARK is a quantum-resistant zero-knowledge proof. Verifiers don’t need to know who you are, how much you own, or when you made the proof—only that you made the commitment in advance.

Third step: network verification approves, coins are released.

The most critical aspect is that the entire process does not expose addresses, amounts, or original timestamps.

This is the power of zero-knowledge proofs: you prove you know a secret without revealing what the secret is, nor any metadata related to it.

Can PACTs Save Satoshi?

The Blockchain has seen some people claim that PACTs are not suitable for Satoshi's addresses. This actually conflates two different issues.

Technically, PACTs can fully support Satoshi’s use of P2PK addresses. Signing, making commitments, stamping timestamps, and redeeming with STARKs—all are theoretically feasible.

So why do some say it’s not applicable? Because PACTs have a hard prerequisite: the private key holder must proactively create the commitment before the quantum freeze takes effect. If the control of the private key has vanished or the owner will never appear, then no matter how perfect the technology, no one can do it for him.

Thus, it’s not a matter of technical incompatibility, but of the premise of execution.

And whether Satoshi is still around, nobody knows.

This leads to the most subtle point of PACTs.

Schrödinger’s Satoshi

Suppose Satoshi is still alive and has seen the discussions about BIP-361 and PACTs. He has two choices: do nothing, or secretly create a PACTs commitment.

If he does nothing, then years later, if the community enforces freezing, his coins will be permanently locked. The world will infer: Satoshi is no longer around.

If he secretly creates a commitment but never uses it, then when freezing is implemented, his coins are also locked. The world makes the same inference: Satoshi is no longer around.

See the pattern? Two completely different truths lead to the same observable outcome.

And if he someday decides to use that commitment to redeem, the world will only then realize: that person is still alive and has been paying attention to Bitcoin all along.

But—and this is crucial—the act of redemption itself could trigger a storm more intense than the quantum theft. Media, hackers, governments, conspiracy theorists—everyone would go into a frenzy trying to find out who submitted the STARK proof. No matter how well cryptography hides identity, the act of submitting itself is a signal—Satoshi is still alive.

Therefore, PACTs are more like a secret backdoor known only to oneself. Behind that door is a room that can remain forever unopened, but inside lies the pre-hidden evidence.

Whether there is anything inside that room, the outside world can never know.

This time capsule exists in a quantum superposition: it both exists and does not exist simultaneously. Only when Satoshi chooses to collapse the wave function—i.e., actually redeem the coins—does the state become definite.

Until then, all guesses are futile.

The Blockchain finds the most fascinating aspect to be the poetic beauty of using a digitally simulated quantum state to counter the quantum state of quantum computers, an elegant case of fighting poison with poison.

Silent Maze

First, PACTs are not a replacement for BIP-361 but a complement. BIP-361 addresses how the community can coordinate actions; PACTs address how individuals can self-rescue without revealing their identity. Both can coexist.

Second, the implementation of PACTs still has a long way to go. Bitcoin currently does not support STARK verification. Dan Robinson admits that this requires a whole new infrastructure, including multi-signature wallets, complex scripts and hardware wallet support, all of which need careful standardization. It is not something that can be done in a month or two.

Third, practically speaking, for ordinary users, BIP-39 mnemonics remain the most reliable escape route in the quantum era. As the April article emphasized, make sure your wallet is generated from a BIP-39 mnemonic. Write the 12 or 24 words down on paper and lock them in a safe.

Fourth, about Satoshi. The Blockchain believes that the greatest value of PACTs is not that it actually saves his coins, but that it gives him a reason to remain silent. He doesn’t need to do anything that might expose himself, preserving the possibility of quietly reappearing someday. Whether this possibility exists is unknowable, and cannot be falsified.

Perhaps this is exactly what Satoshi would like: the creator of Bitcoin, weaving a perfect silent maze out of cryptography. Either disappear forever, with the coins permanently frozen, or leave a secret backdoor and never use it.

In either case, the outside world can only see the same outcome.

And the truth may forever be hidden in that unobserved quantum state.
