
October 12, 2012, 10:36:58 PM 

(If this has been discussed already or similar idea is implemented, please point me there.)
The chances are very small that ECDSA will be broken suddenly (perhaps not very soon, but unexpectedly). However, that is possible; we never know. There are mathematical problems that were unsolvable for decades, only to be finally resolved, to everybody's surprise. As I understand, for bitcoin this would mean death: no owner of any address will be able to prove that he really was the owner of the address.
Again, this is a very hypothetical scenario, but if Bitcoin is to become really widely adopted, this probably should be addressed. No single mathematical problem should be responsible for total world chaos.
So I propose a simple solution: make a widely accepted mechanism for publishing a signature based on another algorithm in the blockchain, that would prove the ownership of a certain address. That way, in the future, if the bitcoin crypto were broken, it would be easy to prove that somebody had the private key for a certain address before the breakage.
This could for example be done like this: A user that wishes to ensure the proof of ownership of a private key, generates a new public key pair using a different algorithm than what is used in bitcoin (RSA is the logical choice). Since ECDSA and RSA are based on different mathematical concepts, chances that they both will be broken at the same time are MUCH smaller than that any one of them will be broken at all.
Using this new public key, the user encrypts a strong hash of his ECDSA private key with his RSA public key, and makes the encrypted result public in the blockchain, along with the RSA public key (or its hash perhaps).
This way, in the future, if ECDSA is broken, there will still be no ready mechanism for everything to just work as it did, but the users will at least have the ability to prove that they did have their ECDSA private key at the time of making this signature public in the block chain.
If RSA is broken first, we'll just revise this method using some other public key algo, republishing signatures made with it instead.
Implementing this would not require any change in the protocol, just a general consensus on the format of these signatures. They could be made public in some way in the scripts of transactions with nominal transfer amounts. At this point no other node needs to understand these transactions; they just have to be in the public block chain history for the idea to work.
In the future, if the shit hits the fan, a new bitcoin version would be made anyway (incompatible with the old ones), and then that version could be made to understand these transactions, but that may never happen, so for now it would be enough to just make this information stick in the block chain.
Thoughts?
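An added worked example of the commit-now, prove-later idea above; it is not code from the original post. It swaps the post's RSA step for a salted SHA-256 commitment (the Python standard library has no RSA), derives the secp256k1 public key from the private key itself so the commitment is bound to the address owner, and assumes the domain tag and the reveal/verify shape as a constructed format, not any agreed standard.

```python
import hashlib
import hmac
import os

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TAG = b"ecdsa-ownership-commitment-v0"  # constructed domain tag, not a real standard


def _add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def pubkey_from_priv(d):
    """Compute d*G by double-and-add and return it as a 33-byte compressed public key."""
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    result, addend = None, G
    while d:
        if d & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        d >>= 1
    x, y = result
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def make_commitment(priv, salt=None):
    """Produce (pubkey, salt, commitment); only pubkey and commitment go into the chain."""
    salt = os.urandom(32) if salt is None else salt
    pub = pubkey_from_priv(priv)
    digest = hashlib.sha256(TAG + pub + priv.to_bytes(32, "big") + salt).digest()
    return pub, salt, digest


def verify_commitment(pub, commitment, priv, salt):
    """Once ECDSA is assumed broken, the owner reveals (priv, salt) and anyone re-checks both bindings."""
    if pubkey_from_priv(priv) != pub:          # revealed key must actually own this pubkey
        return False
    expected = hashlib.sha256(TAG + pub + priv.to_bytes(32, "big") + salt).digest()
    return hmac.compare_digest(expected, commitment)
```

The reveal step discloses the ECDSA private key, so it is a one-shot proof usable only after that key is already considered worthless, which is exactly the scenario the post has in mind; the salt keeps the published commitment from leaking anything about the key before then.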
