On the
wiki, there are various contingency plans.
The 2 big ones are ECDSA break and SHA-256 break.
SHA256 break Attacker may be able to defeat OP_CHECKSIG, which hashes transactions before signing
If the hash_type in signatures to select an alternative hashing function. If SHA was broken, nodes could switch to RIPEMD instead.
I think this has to be a hard fork though. You have to run at least one of the SHA-256 signatures.
Maybe certain hash types could consume 2 signatures. If the MSB is set in a signature, it means the two signatures are provided.
It still only pops one of them though. That means that it is a soft fork.
[ <sig-RIPEMD:0x01> <sig-Sha256:0x91> <public-key ] [ OP_DUP OP_HASH160 <hash160(public-key)> OP_EQUAL_VERIFY OP_CHECKSIG ]
For multi-sig, it would have to be 2 sets of signatures, to maintain backward compatibility.
This would work for standard transactions, but transactions which take advantage of non-standard scripts might be unprotected.
This is worth it, even if it only protects some of them.
Attacker may be able to split the network by creating identical transactions or blocks with the same hashes.
Attacker may be able to create blocks very quickly.
Ideally, two separate hashing functions would be used. This is a hard-fork though.
It also breaks ASICS.
If the function is
- Hash1(Hash2(header))
and Hash1 is broken, then an attacker can create lots of blocks with the same hash.
Maybe, create something like
H1 = Hash1(message)
H2 = Hash2(message)
H_combined = bit_interleave(H1, H2)
If 1 Hash function is secure and the other just "scrambles", I think you still get the full POW protection.
When a hash function is broken, you have to be able to tweak the message. There would be no way to allow that, since it would cause the other hash function to effectively generate random bits.
The alert system may be compromised.
Alerts could be updated to be signed twice with 2 different hashing functions.
[Code for all of this should be prepared.]
Has that been prepared?
ECDSA Break Attacker can spend money that is not his in a large number of cases. Transactions to addresses that have never been used before may be protected if SHA-256 and RIPEMD-160 are still strong.
For addresses that have never been used, a formal process could be created.
- sign the transaction with ECDSA
- txid:index and hash(signature) as OP_RETURNs
- Wait 100+ blocks
- submit transaction that spends the output
This has potential DOS problems though.
Alert system may be compromised.
Alert could be updated to use 2 different signing algorithms.
The reserved field in the alert message could be used.
Assuming the RSA algorithm was used as the 2nd algorithm, the reserved field would need to include
- ECDSA + RIPEMD160 signature
- RSA + SHA256 signature
- RSA + RIPEMD160 signature
The altert would be protected unless either both signing algorithms were broken or both hashing algorithms were broken.
For quantum protection, the 2nd signing system could be Lambert signatures. An alert could be sent to update the Lambert merkle root, if the number of public keys is exhausted. This updated alert could be added to the blockchain as an OP_RETURN.