It is well known that the Achilles' heel of Bitcoin is the hash function: sooner or later it will be successfully attacked, and someone will gain a decisive advantage in mining because of a (partially) feasible inverse mapping: hash -> block header.
I know the scenario where the elliptic curve (EC) fails is much more critical, but EC is somewhat safer. The insecurity of EC does not depend on clever cryptanalysis, but on advances in mathematics and/or quantum computing.
Indeed, Satoshi recognized this fact and proposed an eventual transition to SHA3 in the future. In the linked post, Satoshi mentions the possibility that the breakdown comes suddenly.
So I propose an orderly transition to a new hash scheme for block validation in about 4~5 years. I have a concrete proposal for this new scheme, which relies for its strength on elliptic curve mathematics. Let's see it.
First, we need a traditional non-trivial hash function that yields a 256-bit output. Let's take SHA256. The process is:
1) h0 = SHA256(block header)
2) h1 = SHA256(h0); actually, h1 is the output that is compared with the target today in order to validate the block.
3) m = h1 mod n, where n is the prime order of the curve.
4) Now an EC product is performed: R = m·Q, where Q is a fixed point on the curve.
5) r = Rx*p + Ry, where (Rx, Ry) are the coordinates of the point R and p is the prime modulus of the field.
6) h2 = SHA256(r)
7) h3 = h2 XOR h0. The process outputs h3 as the 256-bit hash to be compared with the difficulty-tuned 256-bit target.
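As an added worked example (not part of the original post), here is the seven-step process written out in Python over secp256k1, with the curve arithmetic implemented directly rather than taken from a library so every step is visible. It assumes that the fixed point Q is the standard generator G, that r is serialised as a 64-byte big-endian integer before it is hashed, and that the astronomically unlikely case m = 0 (where R is the point at infinity and has no coordinates) maps to (0, 0); the post does not specify any of these. The block header bytes are constructed sample data.

```python
"""Added example: the proposed EC-strengthened block hash over secp256k1."""
import hashlib

# secp256k1 parameters (the curve Bitcoin already uses for signatures)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime p
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B = 7  # curve equation: y^2 = x^3 + 7 over GF(P)

# Assumption: the post's fixed point Q is taken to be the standard generator G.
Q = G


def on_curve(pt):
    """True if pt is a finite point satisfying y^2 = x^3 + 7 mod P."""
    if pt is None:
        return False
    x, y = pt
    return (y * y - (x * x * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition on secp256k1; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope (a = 0 for secp256k1)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: returns k*pt (None for the point at infinity)."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def ec_block_hash(header: bytes) -> bytes:
    """Steps 1-7 of the post: returns h3, the 32-byte value compared with the target."""
    h0 = sha256(header)                        # 1) h0 = SHA256(block header)
    h1 = sha256(h0)                            # 2) h1 = SHA256(h0), today's mining hash
    m = int.from_bytes(h1, "big") % N          # 3) m = h1 mod n
    R = scalar_mult(m, Q)                      # 4) R = m*Q
    if R is None:                              # m == 0: R is the point at infinity
        R = (0, 0)                             # assumption: map it to (0, 0); the post does not say
    rx, ry = R
    r = rx * P + ry                            # 5) r = Rx*p + Ry, an integer below P^2 < 2^512
    r_bytes = r.to_bytes(64, "big")            # assumption: 64-byte big-endian serialisation of r
    h2 = sha256(r_bytes)                       # 6) h2 = SHA256(r)
    h3 = bytes(a ^ b for a, b in zip(h2, h0))  # 7) h3 = h2 XOR h0
    return h3


def mine(header_prefix: bytes, target: int, max_nonce: int = 1 << 20):
    """Brute-force a 4-byte little-endian nonce until ec_block_hash(header) < target.

    Returns (nonce, h3), or None if no nonce in range satisfies the target.
    """
    for nonce in range(max_nonce):
        header = header_prefix + nonce.to_bytes(4, "little")
        h3 = ec_block_hash(header)
        if int.from_bytes(h3, "big") < target:
            return nonce, h3
    return None


if __name__ == "__main__":
    # Constructed sample header: 76 fixed bytes followed by the 4-byte nonce.
    prefix = b"\x01" * 76
    nonce, h3 = mine(prefix, target=1 << 252)  # top 4 bits zero: about 16 tries expected
    print("nonce", nonce, "h3", h3.hex())
```

Each call to ec_block_hash performs one full scalar multiplication (roughly 256 doublings plus up to 256 additions, each with a modular inverse), which is exactly the per-attempt overhead the post discusses; the mine function makes that cost visible by timing how long a loose target takes to satisfy compared with plain double-SHA256.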
The strength of the process lies in the impossibility of back-mapping R -> m, in the same way the strength of an EC-signed transaction does. It really does not matter whether SHA256 is broken or not, because the security is entrusted to EC.
The downside is the computational overhead: an EC product could cost roughly 1000 times more than a hash computation. But... in the context of mining, does it really matter? The system should take care of this change of hashing, so the difficulty level should be decreased accordingly. Miners will work as hard as before.
Comments are welcome.