We'll have a discussion here and on IRC. Whoever controls bitcoin.org makes the final decision about what is listed there, and if other people disagree, they will advocate different versions on their sites.
So how long do you expect this discussion to take? Who is permitted to participate? How do we get the word out that there even is a discussion happening? We need this to happen within hours of a break.
We'll come to some agreement about it at the time. I'd advocate removing all blocks where it is likely that most transactions are illegitimate. Most legitimate transactions can be reversed without doing too much damage, since honest senders will make new transactions.
So we will roll back the entire network for possibly a week? Reversing legitimate transactions sounds terrible. I would guess that the number of honest people who would re-send payment for something that they got a week ago is half at best. If someone bought something with bitcoins, and then later their money arrived back in their account, I have a hard time believing that they would research why this happened and correct the error.
I don't know how we'd have a heuristic for separating bad from good transactions, though. But that can shake out of more discussion of what threats exist.
At least all block contents should be hashed. Maybe later a hash of a "balance sheet" of only unspent transactions could be created for the sake of efficiency. These would be version 1 blocks, and later blocks would be version 2 (likewise for transactions). Perhaps the first version 2 block would refer to this hash instead of the previous block hash.
This is one of the ways I was thinking we could handle it. So we have a block attached to the end of the v1 blockchain, a "version upgrade genesis block", that essentially re-confirms the previous blockchain in our new secure hash algo and defines the hash parameters of the new chain? A record of the entire chain that came before, saying "block 1's SHA3 hash is X, block 2...".
If SHA-256 or RIPEMD-160 is broken, the key isn't necessary. Miners memorize the contents of unspent transactions, indexed by the new secure hash. People who want to spend a transaction refer to the new secure hash instead of the insecure hash.
If signing becomes totally broken, Bitcoin would probably have to restart. If the attack does not allow recovery of the private keys, maybe the same keypairs could be used with a more secure algorithm.
It depends, right? In some cases we might just know that it is broken but not how to do it ourselves. In others it's a public exploit. It might still require a lot of power to break, just a fraction of what it was, or it could be trivial, or it could just be a tiny crack in the dam. We should probably work out all the possible failure scenarios and classify them, and determine how to defend against each.
What happens on the client side when we do this? Do people have to download a new client?
Yes.
If so, when they are using the old client, is there any indication that they need to download a new client?
An alert will be issued.
If they don't download the new client, are they still making transactions that won't be ported to the new chain?
Most likely.
This is what I mean. We "know" how we'd do it, but no one's actually bothered to come up with an actual plan, let alone tested the scenario.
Creating a complete plan and testing would be good.
The reason I asked that sequence of questions is, it is theoretically possible for us to develop recovery plans now, and implement support for such in the client, so that if the client encounters an upgrade block, it can just reconfigure itself and go on. If we did this, we could switch bitcoin onto new crypto preventatively - if SHA2 continues to degrade and SHA3 eventually proves itself worthy, we can upgrade before the disaster.
If we do this early enough, code can make it into 51%+ of the clients on the network, and when the network decides to switch over, most clients can come with it without an update - or at least disable themselves. But preloading would be preferred.
I don't have a plan in my head right now. I don't even know all the scenarios. But I want to start talking about it now; bitcoin is growing exponentially right now, and the longer we wait, the larger the risk is.
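The "version upgrade genesis block" idea discussed above, as an added sketch that is not code from this thread or from the Bitcoin client: a record holding one SHA3-256 digest per old block, checked against a chain in which one block was swapped for a collision under the old hash. The block layout, the function names and the one-byte `old_hash` stand-in for a broken hash are all assumptions made for illustration.

```python
import hashlib

def old_hash(data: bytes) -> bytes:
    # Constructed stand-in for a broken v1 hash: SHA-256 cut to one byte,
    # so collisions are trivial. Not a claim about real SHA-256.
    return hashlib.sha256(data).digest()[:1]

def new_hash(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def build_v1_chain(payloads):
    # Toy v1 block = old_hash(previous block) || payload.
    chain, prev = [], b"\x00"
    for payload in payloads:
        chain.append(prev + payload)
        prev = old_hash(chain[-1])
    return chain

def v1_links_valid(chain):
    # What an old client checks: every block names its predecessor's old hash.
    prev = b"\x00"
    for block in chain:
        if block[:1] != prev:
            return False
        prev = old_hash(block)
    return True

def make_upgrade_block(chain):
    # Hypothetical upgrade block: one new-hash digest per v1 block, plus a
    # digest over that list so the record itself is committed.
    digests = [new_hash(b) for b in chain]
    return {"version": 2, "digests": digests, "summary": new_hash(b"".join(digests))}

def first_mismatch(chain, upgrade):
    # Index of the first block that disagrees with the record, else None.
    if new_hash(b"".join(upgrade["digests"])) != upgrade["summary"]:
        raise ValueError("upgrade record is internally inconsistent")
    for i, (block, digest) in enumerate(zip(chain, upgrade["digests"])):
        if new_hash(block) != digest:
            return i
    return None if len(chain) == len(upgrade["digests"]) else min(len(chain), len(upgrade["digests"]))

def colliding_block(block):
    # Find different contents with the same old hash (easy only for the toy hash).
    n = 0
    while True:
        candidate = block[:1] + b"rewritten tx %d" % n
        if candidate != block and old_hash(candidate) == old_hash(block):
            return candidate
        n += 1
```

The rewritten chain still passes the old link check, and only the per-block record under the new hash pins down which block changed.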