However, changing the block header format and how proof-of-work is computed from it is difficult without a hardfork. One potential solution is to have the block header contain both SHA-256 and SHA-3 hashes in the same place, with the SHA-3 truncated only to cover zero bits in the SHA-256 hashes. This would allow old nodes to see zero hashes in the previous block hash and merkle tree hash if SHA-256 is broken, while new nodes would see correct SHA-3 hashes in those places. To switch to SHA-3, miners could embed a commitment to the SHA3-Merkle-Tree on the coinbase of the "original" block format and build empty SHA2-Merkle-Trees containing only the coinbase. Softforks can be delayed due to controversy, as seen with SegWit, but Taproot had no significant controversy and was widely accepted. Any hardfork would require twice the average amount of engineering manpower involved in SegWit and Taproot and must pass through the much higher hurdle of being a hardfork. It is important to work with what we have and figure out how to get around issues with no real capability to fix them at the base layer or work on future solutions today, such as post-quantum signature schemes.