Paradigm's Quantum Proof Design Could Save Satoshi's Million Bitcoin

Paradigm's PACTs proposal lets dormant Bitcoin holders prove key ownership privately, potentially protecting Satoshi's 1.1M BTC from quantum threats.

Somewhere between 1.1 and 1.7 million Bitcoin sit in addresses with exposed public keys, vulnerable to a threat that doesn't exist yet but almost certainly will: cryptographically relevant quantum computers. That includes the estimated million-plus coins linked to Satoshi Nakamoto, dormant since 2011 and worth roughly $80 billion at current prices.

On May 1, 2026, Paradigm partner Dan Robinson published a proposal that offers these holders something they've never had before: a way to establish, privately and without any public action tied to their address, that they controlled their keys as of a given date.

What PACTs Actually Do

PACTs, or Provable Address-Control Timestamps, let Bitcoin holders create a private, timestamped proof of key ownership using three components: a secret salt, a BIP-322 signature proof, and a free OpenTimestamps anchor, which commits a hash of the proof into the Bitcoin chain.

The clever part is that none of this requires the holder to broadcast a transaction or reveal anything about the address. What reaches the chain is a salted hash, and without the salt nobody can match that hash against a known address or signature. The proof itself stays private, stored by the holder. It only becomes useful later, during a potential "quantum sunset" soft fork when Bitcoin might freeze coins in vulnerable addresses.

At that point, holders could submit a STARK zero-knowledge proof demonstrating that a valid signature from their key existed before the freeze. The timestamp is what defeats a future attacker: someone who derives the private key with a quantum computer can produce a valid signature, but cannot produce one that was provably anchored before the key became derivable. The zero-knowledge layer preserves privacy by letting the holder prove this without publishing the proof or the salt.
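To make the sequence concrete, here is a small Python model of the commit, anchor and later-verify steps. It is an added example written for this page, not Paradigm's code or any part of the proposal: the BIP-322 signature is stood in for by a keyed hash, the OpenTimestamps calendar by an in-memory table of digest to block height, and the STARK layer is left out, so the holder opens the commitment in the clear rather than proving it in zero knowledge. The domain tag, address, proof bytes and block heights are all constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DOMAIN = b"pact-example-v0"  # assumed domain-separation tag, not from the proposal


def commit(salt: bytes, address: str, sig_proof: bytes) -> bytes:
    """Salted, length-prefixed hash: the only value that ever leaves the holder."""
    h = hashlib.sha256(DOMAIN)
    for part in (salt, address.encode(), sig_proof):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


@dataclass(frozen=True)
class Pact:
    salt: bytes       # 32 random bytes, kept secret alongside the proof
    address: str      # the quantum-exposed address being hedged
    sig_proof: bytes  # BIP-322-style proof of control (opaque stand-in here)

    def commitment(self) -> bytes:
        return commit(self.salt, self.address, self.sig_proof)


def create_pact(address: str, sign: Callable[[str], bytes]) -> Pact:
    return Pact(salt=os.urandom(32), address=address, sig_proof=sign(address))


class Ledger:
    """Stand-in for an OpenTimestamps anchor: digest -> Bitcoin block height."""
    def __init__(self) -> None:
        self._anchors: Dict[bytes, int] = {}

    def anchor(self, digest: bytes, height: int) -> None:
        self._anchors.setdefault(digest, height)  # earliest anchor wins

    def height_of(self, digest: bytes) -> Optional[int]:
        return self._anchors.get(digest)


def verify_pact(pact: Pact, ledger: Ledger, freeze_height: int,
                verify_sig: Callable[[str, bytes], bool]) -> Tuple[bool, str]:
    """Checks a rescue mechanism would need: the opening matches an anchored
    digest, the anchor predates the freeze, and the proof is valid for the address."""
    height = ledger.height_of(pact.commitment())
    if height is None:
        return False, "commitment was never anchored (or the opening is wrong)"
    if height >= freeze_height:
        return False, f"anchored at height {height}, not before freeze at {freeze_height}"
    if not verify_sig(pact.address, pact.sig_proof):
        return False, "signature proof does not verify for this address"
    return True, f"control of {pact.address} established as of height {height}"


# Constructed stand-in for a wallet's BIP-322 signer and verifier.  It is a
# keyed hash, not a real signature, so anyone holding the table can "sign";
# in the demo that conveniently models an attacker who has derived the key.
_TOY_KEYS = {"1ExampleLegacyAddr": b"toy-secret-key"}


def toy_sign(address: str) -> bytes:
    return hmac.new(_TOY_KEYS[address], b"bip322-stand-in:" + address.encode(),
                    hashlib.sha256).digest()


def toy_verify(address: str, proof: bytes) -> bool:
    return address in _TOY_KEYS and hmac.compare_digest(proof, toy_sign(address))


def demo() -> Dict[str, bool]:
    ledger = Ledger()
    freeze = 1_000_000  # constructed activation height of a hypothetical sunset fork

    # Holder creates and anchors a PACT long before any freeze.
    pact = create_pact("1ExampleLegacyAddr", toy_sign)
    ledger.anchor(pact.commitment(), 900_000)
    ok, _ = verify_pact(pact, ledger, freeze, toy_verify)

    # An attacker who derives the key after the freeze can sign, but cannot
    # back-date an anchor: the fresh PACT lands at height 1_000_500 and fails.
    late = create_pact("1ExampleLegacyAddr", toy_sign)
    ledger.anchor(late.commitment(), 1_000_500)
    late_ok, _ = verify_pact(late, ledger, freeze, toy_verify)

    # Unlinkability: without the salt, even someone who knows the address and
    # the proof cannot recompute the anchored digest and tie it to the address.
    guess = commit(b"\x00" * 32, pact.address, pact.sig_proof)
    linkable = ledger.height_of(guess) is not None

    return {"valid": ok, "late_rejected": not late_ok, "linkable_without_salt": linkable}


if __name__ == "__main__":
    print(demo())
```

The ordering of checks in verify_pact is the point: the signature alone proves nothing about time, and the timestamp alone proves nothing about the key, so the rescue logic has to tie the anchored digest to the revealed opening before it accepts the signature.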

The Satoshi Problem

This proposal arrives during an intensifying debate about what to do with quantum-exposed coins. BIP-361, drafted by Jameson Lopp earlier in 2026, outlines a phased sunset of legacy signature types that would eventually freeze unmigrated coins.

The problem is obvious: forcing public migrations means Satoshi (or Satoshi's heirs, or whoever controls those keys) would have to move coins on-chain, ending fifteen years of silence and potentially creating market chaos. It also means lost coins become permanently unrecoverable, which has philosophical implications for Bitcoin's supply.

PACTs offer a middle path. If Satoshi wanted to hedge against quantum risk without revealing anything, creating a PACT would cost nothing, leave no public trace linked to the address, and preserve the option to reclaim coins later.

Blockstream CEO Adam Back has advocated for opt-in quantum-resistant upgrades rather than forced freezes. PACTs complement this approach by giving holders a self-sovereign hedging tool that doesn't require any protocol changes today.

The Timeline Pressure

Google estimates suggest cryptographically relevant quantum computers could arrive as early as 2029. That's not a deadline for Bitcoin breaking, exactly, but it's a plausible window when the threat becomes real rather than theoretical.

The addresses most at risk are pre-2012 coins paid to pay-to-pubkey (P2PK) outputs, the early format in which the public key sits directly in the output script. As many as 1.7 million BTC fall into this category. That's roughly 8% of the total supply that could theoretically be stolen by someone with a sufficiently powerful quantum computer. Coins left in any address that has already been spent from are exposed the same way, since spending reveals the key.

For holders of these coins, the calculation has changed. The question isn't whether to worry about quantum computing; it's what to do about it today.

Real Limitations

Robinson's proposal is explicit about what PACTs can't guarantee. Bitcoin might never adopt a quantum sunset soft fork. Even if it does, the rescue mechanism might not accept PACTs. The technical path from "private proof" to "on-chain recovery" requires future protocol development that hasn't happened yet.

There are also practical challenges. Holders need to securely store their salt and proof files for potentially years or decades; losing either one makes the anchor worthless. Multisig wallets and hardware wallet support would need standardization. Pre-BIP-32 addresses (all of Satoshi's coins predate BIP-32, which arrived in 2012) lack deterministic backup paths, making the storage problem harder.

PACTs are a hedge, not a guarantee. Robinson frames this as "self-reliance for tail risks," which is honest but also limited.

What This Means for Regular Holders

Most Bitcoin holders don't have coins in quantum-exposed addresses. P2PKH and P2WPKH outputs commit only to a hash of the public key, so the key is not revealed until the coins are spent, which buys significant time as long as the address is never reused after that spend. Taproot (P2TR) outputs are the exception: the 32-byte output key is itself a public key, exposed the moment the output is funded.
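Which outputs expose a key can be read straight off the output script. The classifier below is an added example for this page, not code from the article or from any wallet; the sample scripts are built from the standard output templates with dummy key and hash bytes, and the "spent before" flag models address reuse.

```python
from typing import Dict, NamedTuple

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


class Exposure(NamedTuple):
    kind: str
    pubkey_on_chain: bool  # True if the key is readable before any spend
    note: str


def classify_script_pubkey(spk: bytes) -> Exposure:
    """Match the standard output templates and report key exposure."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG  (the early format the article describes)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Exposure("p2pk", True, "public key is in the output script")
    # P2PKH: OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Exposure("p2pkh", False, "only HASH160(pubkey); key revealed on first spend")
    # P2SH: OP_HASH160 <20> <hash160> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return Exposure("p2sh", False, "script hash; keys revealed when the redeem script is spent")
    # P2WPKH: OP_0 <20> <hash160>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return Exposure("p2wpkh", False, "only HASH160(pubkey); key revealed on first spend")
    # P2WSH: OP_0 <32> <sha256(witness script)>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return Exposure("p2wsh", False, "script hash; keys revealed when the witness script is spent")
    # P2TR: OP_1 <32> <x-only output key>: the key itself is on-chain at funding time
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return Exposure("p2tr", True, "x-only output key is a public key, exposed at funding")
    return Exposure("unknown", False, "unrecognised template")


def key_exposed(spk: bytes, address_spent_before: bool) -> bool:
    """Is the key behind this output readable on-chain today?  Hash-based outputs
    become exposed once the same address has been spent from (address reuse).
    Unknown templates are reported as not exposed only because nothing can be
    said about them here."""
    e = classify_script_pubkey(spk)
    if e.kind == "unknown":
        return False
    return e.pubkey_on_chain or address_spent_before


# Constructed sample scripts built from the templates above (dummy key/hash bytes).
SAMPLES: Dict[str, bytes] = {
    "p2pk_compressed":   bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]),
    "p2pk_uncompressed": bytes([65, 0x04]) + b"\x22" * 64 + bytes([OP_CHECKSIG]),
    "p2pkh":  bytes([OP_DUP, OP_HASH160, 20]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2sh":   bytes([OP_HASH160, 20]) + b"\x44" * 20 + bytes([OP_EQUAL]),
    "p2wpkh": bytes([OP_0, 20]) + b"\x55" * 20,
    "p2wsh":  bytes([OP_0, 32]) + b"\x66" * 32,
    "p2tr":   bytes([OP_1, 32]) + b"\x77" * 32,
}


def report() -> Dict[str, Exposure]:
    return {name: classify_script_pubkey(spk) for name, spk in SAMPLES.items()}


if __name__ == "__main__":
    for name, e in report().items():
        print(f"{name:18} {e.kind:7} exposed_now={e.pubkey_on_chain!s:5} {e.note}")
```

Running it against real UTXO data would mean feeding each output's scriptPubKey to classify_script_pubkey and each owning address's spend history to key_exposed; the two P2PK shapes and the P2TR case are the ones that come back exposed without any spend at all.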

But the broader conversation matters. How Bitcoin handles the quantum transition will affect everyone, from consensus rules to wallet standards to the economic implications of potentially frozen coins.

For those concerned about future-proofing their holdings today, hardware wallets like the Trezor Safe 7 are beginning to incorporate post-quantum cryptography considerations into their security architecture. The dual secure element design reflects the kind of defense-in-depth thinking that quantum threats are forcing across the industry. Note, though, that on-chain exposure is a property of the output script type and of address reuse, not of the signing device: a hardware wallet protects the key from extraction today but does not change what a quantum attacker could read from the chain.

Looking Forward

PACTs represent something notable in Bitcoin's technical culture: proactive preparation for a threat that hasn't materialized yet, without requiring contentious protocol changes or forcing anyone's hand.

Whether Satoshi's coins ever move, whether those keys are even accessible to anyone anymore, remains unknown. But for the first time, there's a mechanism that would let whoever controls them prepare privately, without breaking fifteen years of silence.

The quantum clock is ticking. At least now there's an option for those who want to hedge without going public.