Hardfork Wishlist
The Hardfork Wishlist is to record changes to Bitcoin that might be desirable, but that will require a "hard" block-chain split (everybody must upgrade, old software will not accept blocks/transactions created with the new rules, considering them to be invalid blocks).
This page is not for changes that can be accomplished in way that is compatible with old software (for example, by making transactions nonstandard or by discouraging blocks).
Changes to hard-coded limits
- Replace hard-coded maximum block size (1,000,000 bytes) and maximum number of signature operations per block (20,000) with ???.
Major structural changes
- "Flip the chain", instead of committing to new transactions, commit to the summaries of open transactions: [1] [2] [3] [4]
- Increased efficiency for merged mining: restructure the primary header to make the bitcoin specific data non-mandatory. (e.g. the block chain specific stuff would go into second header connected by a header tree), making the primary headers pure timestamps and nonces.
- Switch to block hashing algorithm secure against block withholding attacks.
- Require a UTXO tree in every block
Transaction behavior changes
- Improved signature types to allow for partial malleability of outputs. (e.g. make it easier to add a fee onto someone else's transaction, or to take fees from a transaction without outputs set aside for that purpose)
- Elimination of output scripts: all transactions pay-to-scripthash, probably with a single byte indicating the scripthash type. Other than reducing effective output script secrecy (which is not possible without OP_EVAL anyways) this is believed to be costless, and the secrecy can be recovered with recursive OP_EVAL. The motivation here is that data in outputs is far more expensive than inputs because some outputs may be never prunable, and pay-to-scripthash minimizes output size without harming total size.
- Allow soft-spending of generation outputs without confirmations (outputs of these transactions might also appear as generation themselves)
- Allow additional inputs to generation transactions
- Add new signature hashtype to include value of TxOut being spent, in the hash to be signed. Doing this would remove the requirement that offline signing devices be sent all supporting transactions with the transaction-to-be-signed, just to confirm the transaction fee.
- Pay-to-SNARK (aka CoinWitness). This allows payment to a user who can produce cryptographic evidence that they ran a certain (time-bounded) program on a certain input argument. The size of the cryptographic evidence is linear in the input argument but constant with respect to the size and running time of the program, so bounding the size of the input argument bounds the size of the data that needs to be put into the blockchain. Unfortunately the time+space constant factors are, with current algorithms, rather large.
Cryptographic changes
- Pervasive ECC public key-recovery to reduce transaction sizes (can be done partially without breaking compatibility completely)
- Ed25519 (variant*) for much faster validation operations. (variant because the normal way Ed25519 is specified is not key recovery compatible)
- Support for more than one public-key cryptosystem (ECDSA-k1) and key size (256bits) as a hedge against future cryptanalysis or designed-in flaws in any one algorithm. Every node must support validation of signatures with every cryptosystem, but a small number of very-cryptograpically-diverse options is still better than just one. Additional signature types could be kludged into the existing system with script extensions but would be better supported natively.
- Support for a post-quantum signature scheme. Lamport signatures have nice intuitive security properties, but it has extreme space requirements that would require structural changes to the blockchain to accommodate, (e.g. flip-chain+paytoscripthash+extensive pruning). However other post-quantum schemes like IEEE1363.1 (patent expires in 2016) do not. See the introductory chapter of DJB's book and the PQCrypto conference webpage for full details.
Privacy
Currency changes
Please don't list anything here which would significantly change the committed overall economics of the system, it's safe to assume anything with significant economic impact will _never_ be changed in Bitcoin[1], because such changes would undermine the trust people have in the system, though they may form the basis of an interesting alternative chain.
- Increase currency divisibility.
- Byte order consistency (big endian)
- Eliminate redundancies in the variable length integer encodings, possibly switch to a standard.
- Avoiding hashes covering malleable fields
Bug fixes
- CHECKMULTISIG popping one-too-many items off the stack
- Difficulty adjustment periods should overlap (prevent potential 'timejacking') Note: An ideal adjustment algorithm would ensure there is no easy dispute on "next target" for any block. Eg, it should not be possible for MinerX to set his block time 2 hours in the future to achieve a slightly higher difficulty and win any same-block-height race by default.
- Difficulty adjustment should adapt to sudden hashrate loss. Note: many altchains which have attempted this have created significant security vulnerabilities in the process, but experimentation continues.
- Scripts should be fully enabled after a careful audit.
- Miners/relays should not be able to inject extra arbitrary data into transactions?
- Use the previous block hash as an explicit or implicit prev_in in coinbases when hashing them to make it ~impossible to get a duplicate coinbase, thus removing the need for a pruning node to remember coinbase hashes to prevent duplicates consistently with the rest of the network. Note that this problem has already been solved with a softfork in BIP34.
- coinbases must be parseable.
This changes would involve converting old blocks:
- uint64_t for timestamp field in blocks.