a “silent” post-quantum solution that would save Bitcoin and Satoshi

  • PACTs uses OpenTimestamps to seal a proof of key control in the Bitcoin chain without revealing its contents.

  • Robinson proposes that Bitcoin accept a type of cryptographic proof called a STARK proof.

Developer Dan Robinson published today, May 1, a proposal called PACTs (Verifiable Address Control Time Stamps) that seeks to protect bitcoin (BTC) holders whose addresses are vulnerable to quantum computing, without requiring them to do anything visible on the network today.

Robinson calls his initiative “silent” because users do not have to carry out any on-chain transaction: no movement of funds, and no disclosure of identity or balance. The owner acts privately, off-chain, and no one (neither other users nor potential attackers) can tell that they took any action at all, as the developer explains.

In the context of the quantum debate in Bitcoin, where the alternatives force holders either to move their coins publicly or to risk losing them to a theoretical quantum attack, that private feature is the core of the proposal.

The problem that PACTs tries to solve arises from a specific vulnerability. Some Bitcoin addresses have their public keys exposed on-chain, such as the old pay-to-public-key (P2PK) format; the same is true of any address that has been reused after a spend, since spending reveals the public key in the transaction. A sufficiently powerful quantum computer could derive the private key from an exposed public key and steal the funds.

One of the most discussed responses in the community, and one that Robinson mentions, is to freeze these addresses through a protocol update (BIP-361), forcing holders to move their funds to quantum-safe addresses before a certain deadline; funds left in vulnerable addresses after that date would become unspendable. This solution has a high privacy cost, since moving bitcoin is a public and traceable action.

The most emblematic case is that of the addresses estimated to belong to Satoshi Nakamoto, which hold approximately 1.1 million BTC (more than USD 85 billion at current prices) in old formats with exposed keys. If the protocol freezes those addresses without a rescue mechanism, those funds become inaccessible forever. If it does not freeze them, they remain exposed to quantum theft.

Figure: Amount of BTC in addresses associated with Nakamoto. Source: Arkham.

How does PACTs work?

PACTs introduces a mechanism split into two separate moments in time: one today, with no cost and no on-chain action, and one in the future, if Bitcoin decides to freeze vulnerable addresses.

In the first moment, the holder generates a digital signature proving control of the address, combines it with a secret random value called a salt (which acts as an additional key that only the holder knows) and produces a hash commitment that reveals none of those elements. That commitment is stamped into the Bitcoin chain using OpenTimestamps, a free and open-source protocol that anchors a hash of arbitrary data in the blockchain without revealing the data itself. Because the commitment is a hash over a salted signature, publishing it leaks neither the signature nor the address, and the salt is what stops anyone from confirming guesses about what was committed.

The result is a verifiable timestamp proving that the owner knew the private key before a certain date, without revealing what that key is or which address it belongs to.

Figure: Cover of the PACTs proposal, published by developer Dan Robinson. Source: Paradigm.

In the second moment, if vulnerable addresses were frozen in Bitcoin, the holder would need to demonstrate to the protocol that they already controlled that key before the quantum threat materialized. PACTs thus offers a possible rescue path for BTC that would otherwise stay frozen.

To achieve this, Robinson proposes that Bitcoin accept a type of cryptographic proof called a STARK (Scalable Transparent Argument of Knowledge): a zero-knowledge (ZK) proof system that lets someone prove a statement is true without revealing the information that supports it. Here the statement is that the holder knows a salt and a valid signature whose hash is a commitment timestamped before the cutoff; the proof reveals neither.

In this case, the holder would prove that they knew their private key before the deadline set by the protocol, using the timestamp created in the first step as an anchor. Bitcoin would verify that proof mathematically and enable spending, even if the address was frozen for any other claimant, including a possible quantum attacker who had derived the same key, Robinson maintains. The attacker fails because deriving the key after the cutoff does not let them produce a commitment that was already timestamped before it.
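Both phases described above, as an added example that is not code from the PACTs proposal or from Paradigm: a plain-Python model in which the holder signs a fixed control message with the address key, salts and hashes the signature into a commitment, has the commitment Merkle-aggregated and "anchored" by a stand-in for OpenTimestamps, and later opens it for a rescue check performed in the clear (the same checks a STARK would prove in zero knowledge). The control message, the "PACT-v0:" tag, the commitment layout, the simulated aggregator and all dates are assumptions made for illustration; the ECDSA code is a minimal educational secp256k1 implementation, not a production library.

```python
# Added example, not code from the PACTs proposal or Paradigm: a plain-Python model of both PACTs
# phases. The commitment layout, the "PACT-v0:" tag, the control message and the simulated
# OpenTimestamps aggregation are assumptions made for illustration only.
import hashlib, secrets
from datetime import date

sha256 = lambda b: hashlib.sha256(b).digest()
# --- minimal secp256k1 ECDSA (educational: not constant-time, not for production) ---
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):  # affine addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, p):  # double-and-add
    r = None
    while k:
        r, p, k = (ec_add(r, p) if k & 1 else r), ec_add(p, p), k >> 1
    return r

def ecdsa_sign(priv, digest):
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, digest, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(int.from_bytes(digest, "big") * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# --- Phase 1 (today, off-chain): commit to proof of key control, then timestamp it ---
def control_message(pub):  # assumed fixed message: a tag bound to the address's own pubkey
    return sha256(b"PACT-v0:" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))

def make_commitment(priv, pub):  # sign, salt, hash; (salt, sig) is the holder's private opening
    sig, salt = ecdsa_sign(priv, control_message(pub)), secrets.token_bytes(32)
    return sha256(salt + sig), (salt, sig)

def merkle_tree(leaves):  # returns (root, per-leaf path of (sibling, leaf_is_right_child))
    level, idx, paths = leaves[:], list(range(len(leaves))), [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for j, i in enumerate(idx):
            paths[j].append((level[i ^ 1], bool(i & 1)))
            idx[j] = i // 2
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths

def merkle_verify(leaf, path, root):
    for sib, leaf_is_right in path:
        leaf = sha256(sib + leaf) if leaf_is_right else sha256(leaf + sib)
    return leaf == root

def simulated_timestamp(commitments, block_date):  # stand-in for an OpenTimestamps aggregation
    root, paths = merkle_tree(commitments)          # the real service anchors the root in a Bitcoin tx
    return {"root": root, "block_date": block_date}, paths

# --- Phase 2 (future, on-chain): the rescue statement a STARK would prove in zero knowledge ---
def rescue_check(pub, commitment, opening, path, anchor, cutoff):  # checked in the clear here
    salt, sig = opening
    return (anchor["block_date"] < cutoff                        # anchored before the deadline
            and merkle_verify(commitment, path, anchor["root"])  # commitment really was stamped
            and sha256(salt + sig) == commitment                 # opening matches the commitment
            and ecdsa_verify(pub, control_message(pub), sig))    # signed by the address's key

def demo():  # honest holder versus an attacker who derives the same key only after the cutoff
    priv = secrets.randbelow(N - 1) + 1
    pub = ec_mul(priv, G)
    commitment, opening = make_commitment(priv, pub)
    others = [secrets.token_bytes(32) for _ in range(4)]          # constructed other submitters
    anchor, paths = simulated_timestamp([commitment] + others, date(2026, 5, 1))
    cutoff = date(2030, 1, 1)                                     # constructed freeze deadline
    honest = rescue_check(pub, commitment, opening, paths[0], anchor, cutoff)
    # The attacker can sign, but its commitment anchors only after the cutoff, and borrowing the
    # honest holder's pre-cutoff anchor for a different commitment fails the inclusion check.
    a_commit, a_opening = make_commitment(priv, pub)
    a_anchor, a_paths = simulated_timestamp([a_commit] + others, date(2031, 6, 1))
    late = rescue_check(pub, a_commit, a_opening, a_paths[0], a_anchor, cutoff)
    borrowed = rescue_check(pub, a_commit, a_opening, paths[0], anchor, cutoff)
    return {"honest": honest, "late_anchor": late, "borrowed_anchor": borrowed}
```

Running demo() makes the point of the date binding concrete: the modelled attacker holds the same private key and produces a perfectly valid signature, but has no commitment inside a Merkle root anchored before the cutoff, so both the late anchor and the borrowed anchor are rejected while the honest opening passes. The sketch deliberately stops at the four checks; a real rescue rule would also have to bind the proof to the specific spending transaction so that a published proof cannot be replayed, and would verify a STARK over these checks instead of receiving the salt and signature in the clear.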

The limits of PACTs, according to Robinson

Robinson is explicit about the limits of PACTs:

  • The first is political: the proposal does not resolve whether or not Bitcoin should freeze vulnerable addresses. That decision remains in the hands of the community, and there is no consensus on it.
  • The second limit is implementation. For the rescue proposed in the second step to work, Bitcoin would have to build STARK verification directly into the protocol, a substantial technical change that the community has not yet begun to discuss formally. Without that upgrade, a timestamp created today has no practical effect. A holder who creates a PACTs proof today has no guarantee that this rescue will ever be implemented: “A holder should not rely exclusively on PACTs to protect themselves until the rescue protocol is adopted,” warns Robinson.
  • The third is scope. PACTs works for single-key wallets, but multi-signature wallets, complex contracts and custodial wallets require additional standardization that does not yet exist.

Still, Robinson argues that the cost of creating a PACTs proof is so low that it is worth doing anyway: “If there is a way to plant a seed today that will give us an advantage over crypto attackers in a possible future, long-term holders should take it.” The precondition is that the community agrees on a standard format as soon as possible, so that holders have as much lead time as possible before any decision on address freezing.

