This page is to record changes to Bitcoin that might be desirable, but that will require a "hard" block-chain split (everybody must upgrade, old software will not accept blocks/transactions created with the new rules, considering them to be invalid blocks).
Changes to hard-coded limits
- Replace hard-coded maximum block size (1,000,000 bytes) and maximum number of signature operations per block (20,000) with ???.
Major structural changes
- "Flip the chain", instead of committing to new transactions, commit to the summaries of open transactions:    
- Increased efficiency for merged mining: restructure the primary header to make the bitcoin specific data non-mandatory. (e.g. the block chain specific stuff would go into second header connected by a header tree), making the primary headers pure timestamps and nonces.
- Switch to block hashing algorithm secure against block withholding attacks.
Transaction behavior changes
- Improved signature types to allow for partial malleability of outputs. (e.g. make it easier to add a fee onto someone elses transaction, or to take fees from a transaction without outputs set aside for that putpose)
- Elimination of output scripts: all transactions pay-to-scripthash, probably with a single byte indicating the scripthash type. Other than reducing effective output script secrecy (which is not possible without OP_EVAL anyways) this is believed to be costless, and the secrecy can be recovered with recursive OP_EVAL. The motivation here is that data in outputs is far more expensive than inputs because some outputs may be never prunable, and pay-to-scripthash minimizes output size without harming total size.
- Allow soft-spending of generation outputs without confirmations (outputs of these transactions might also appear as generation themselves)
- Allow additional inputs to generation transactions
- Add new signature hashtype to include value of TxOut being spent, in the hash to be signed. Doing this would remove the requirement that offline signing devices be sent all supporting transactions with the transaction-to-be-signed, just to confirm the transaction fee.
• Allow insertion of "permanent forwarding directive" transaction, so that a well-known public address with a (suspected or soon-to-be) compromised private key can be replaced for all signing/paying purposes with a new address. (This directive might only be insertable if approved by N-of-M prior declared guardian keys. The directive might involve a one-time fee, after which the old address is null and the new address replaces it in perpetuity, or might include a declared service fee that can be deducted to miners on each future use of the new-key to draw on dead-key outputs.)
- Pervasive ECC public key-recovery to reduce transaction sizes (can be done partially without breaking compatibility completely)
- Ed25519 (variant*) for much faster validation operations. (variant because the normal way Ed25519 is specified is not key recovery compatible)
- Support for a post-quantum signature scheme. Lamport signatures have nice intuitive security properties, but it and all other similar schemes have extreme space requirements that would require structural changes to the blockchain to accommodate, (e.g. flip-chain+paytoscripthash+extensive pruning). Additional signature types could be kludged into the existing system with script extensions but would be better supported natively.
Please don't list anything here which would significantly change the committed overall economics of the system, it's safe to assume anything with significant economic impact will _never_ be changed in Bitcoin, because such changes would undermine the trust people have in the system, though they may form the basis of an interesting alternative chain.
- Increase currency divisibility.
- Byte order consistency (big endian)
- Eliminate redundancies in the variable length integer encodings, possibly switch to a standard.
- Avoiding hashes covering malleable fields
- CHECKMULTISIG popping one-too-many items off the stack
- Difficulty adjustment periods should overlap (prevent potential 'timejacking') Note: An ideal adjustment algorithm would ensure there is no easy dispute on "next target" for any block. Eg, it should not be possible for MinerX to set his block time 2 hours in the future to achieve a slightly higher difficulty and win any same-block-height race by default.
- Difficulty adjustment should adapt to sudden hashrate loss. Note: all altchains which have attempted this have created significant security vulnerabilities in the process. Also interested parties could encourage mining by including high fee transactions in every block so avoiding need for this change.
- Scripts should be fully enabled after a careful audit.
- Miners/relays should not be able to inject extra arbitrary data into transactions?
- Use the previous block hash as an explicit or implicit prev_in in coinbases when hashing them to make it ~impossible to get a duplicate coinbase, thus removing the need for a pruning node to remember coinbase hashes to prevent duplicates consistently with the rest of the network
- coinbases must be parseable.
This changes would involve converting old blocks:
- uint64_t for timestamp field in blocks.