It doesn't matter if it's built into the system.  I can still borrow the coins outside the system from anybody willing to lend them to me, and then immediately sell them.  That's all a short sale is.

This also provides a profitable avenue for attack: short sell a bunch of insolvent OldCoins, and use a portion of the proceeds from this sale to issue your own solvent NewCoins at a discount.  Wait until OldCoin's escrow fund is overrun and OldCoins become worthless, and your short sale is automatically covered for free.

I'll elaborate:  Your response was that your system prevents fully solvent competitors from stepping in and wiping out a currency that has just become insolvent, by the mechanism I described.  Namely, where the simple existence of the better positioned competition forces the market price of the currency below its target, and thus forces perpetual buying by the escrow fund until it's emptied.  My point is that there will always be competition from outside your constrained system that you must take into account, and as soon as the backing of a currency in your system drops below 100%, then it's automatically at a competitive disadvantage with any freshly created one in an outside system.

These constraints are artificial.  The market is much bigger than your system.

If the total value of the backing drops below the total nominal value of the issued currency, then why anyone would ever bother to buy this one over a freshly created copy?  The latter always begins its life with full backing, and thus has a relative advantage over the former.  It seems to me that once this threshold is breached, the old currency will have to sell at a discount to compete with the new one, thus depleting the escrow fund until it's wiped out completely.  Notice that the old currency remains technically insolvent no matter how much buying the escrow fund does, and it can never eliminate the advantage that the new currency has over it.  Its demise is a certainty at this point.

It's trivial to create a currency with a perfectly stable peg: just maintain 100% reserves in the same asset you're pegging to.  Decrease this reserve ratio, or swap out the reserves for ones whose price has less than a guaranteed perfect correlation with the pegged-to asset going forward, and you increase the risk of being overrun and the peg breaking.

The scheme presented here proposes 0% of the reserves be held in the pegged-to asset, and all of them to be held in a new and unnecessary asset with no established liquidity, whose price has no reason to be anything other than completely uncorrelated with that of the pegged-to asset.  It strikes me as maximally risky.

Did you have to use that example?    Disclaimer: Bitcoin leaks a lot of information, don't do these.

I'll reemphasize this point:
It doesn't follow that because you have frictionless transfer between two assets, the two assets do an equally good job of transferring purchasing power across time.  All else being equal, you use the more liquid one for that.  That's why the equilibrium is to converge on a single standard.

I think this will be the third time I've dropped a quote from this insightful post:

And this one:

No particular use case in mind at the moment; being able to easily prove a given tx was included in a block just feels generally useful to me, and a more targeted call than one that returns the full block is more efficient for both parties.

Are there plans for a call that returns a tx's merkle branch?

In the case where an attacker is purchasing his hashing power on-demand, wouldn't halving the block period also halve the cost of any n-block chain reversal, since on average the attacker would need to rent the same fraction q of total hashing power, but for only half the time?

We've got a rabid one here.

Well text is a lot easier than streaming video, for example, and I did assume there was enough bandwidth available for SPV to work.  There's also word of mouth, telephone, etc.  Just a matter of not being lazy about it.  Of course this is less than ideal, though.

To the extent that a pooled miner is actively checking forums etc. to listen for claims that their pool is misbehaving, and switching pools in such an event, then I think they are contributing somewhat.  Re: redirecting hashpower, of course a state level actor can always come in guns blazing and take your mining rig if it knows you have it.  Certainly no way around that

Oh for sure.  Just arguing that a country here or there isolated from full validation mode isn't the end of the world.  Of course Bitcoin needs enough "free" countries acting as the backbone.  I mentioned the improved SPV mode as it would reduce the trust required of the backbone.

People in these dire circumstances have found ways to maintain some connectivity to the outside world, just at low bandwidth.

Running in SPV mode (block headers only) is pretty low bandwidth, so keeping this service up might be possible.  There are also improvements that can be made to the SPV trust model that would allow an SPV node to reject invalid blocks upon receiving a short fraud proof, so the loss of access in a few countries to most of the transaction data wouldn't pose much of a risk to the people there, or the network as a whole.

Pooled mining is also low bandwidth, so miners might still be able to contribute by connecting to a pool in another country.

A p2p prediction market would be a pretty cool use case.  This could also be used to hedge FX risk of holding bitcoins.  I guess it might work something like this:

An oracle publishes the hash of a secret, and the secret as well if a given event occurs before some expiry date.

With this setup, we want anyone (a writer) to be able to construct a tx with a txout (the contract) whose script allows only the buyer of the contract to spend it before the expiry date, and only if he can provide the secret.  Furthermore, we want only the writer to be able to spend the txout after the expiry date.  I think this only additionally requires the PUSH_BLOCK_DATE opcode that Sergio proposed above.  The writer would include a second txout that spends to him the price in bitcoins he's asking for the contract.  He would sign inputs that add up to the contract txout plus any tx fee, and the buyer would provide the rest of the inputs required.

It would be nice if trust could be spread across multiple oracles by requring m of n secrets for the buyer to spend the txout.  We don't have OP_AND or OP_OR, so I guess we'd need these or maybe a special opcode just for this purpose?

A really nice feature would be if the person buying this contract were able to spend it on the blockchain without requiring a signature from the person writing it.  Then we could have trust free (ignoring underlying trust in oracles) secondary markets for these contracts.  Could this be done using the transaction persistence you mentioned, Sergio?  I guess the condition for the buyer to be able to spend it before the expiry date, but without the secret(s), would be that the tx which spends it has a txout (the replacement contract) of greater or equal value, and with the same script, except with the original buyer's address replaced by the new buyer's.

The whole idea here was to present a way for Bitcoin to benefit from new innovations that are too controversial to integrate directly into its block chain, and to neutralize their destabilizing effect.

Ah yes, that's right.  I actually deleted that post shortly after posting it because I noticed this for a second, but the brain fart won out in the end and I reposted it without fixing it   I should've just written it down explicitly like you did.

This formula is a first approximation, where it is assumed that miners rarely end up working on competing chains.  As we lower T while keeping x fixed, we can intuitively see that the likelihood of races between miners increases, i.e. higher order terms in the orphan rate become important.  As you mentioned, this is due to network delays.  It's during these races that hashing power is wasted, so T should be set high enough to keep their frequency low.

I'll try and come up with the next order term for the orphan rate.  This will be from the cases where another miner finds a block at roughly the same time as our miner, and gets it to some portion of the miners before our miner gets his block to them.

Sure it would be "beneficial" to lower it to the "optimal" value, but practically speaking it's probably just cosmetic.  If the problem is people misunderstanding the issue, then perhaps educating people is the better solution.

No, that's pretty much correct, I think.  It's also not hard to show that a miner's orphan rate can be written approximately as

1 - e^(-t/T)

where T is the block period, and t is time required for the other miners to download and verify the block*.  t scales with block size, as you noted, so clearly you can scale block size at the same rate as the block period, and the orphan rate is left invariant.

Thus, a system with a low transaction rate can safely get away with a smaller block period, but keep in mind it will at some point have to raise the block period to accommodate a larger transaction rate, in order to avoid wasting too much hashing power on orphans, or screwing up consensus forming.

Much better IMHO to just focus on ways of making 0-conf transactions less risky and work on building a network of payment channels* than to try to decrease the block period.  It's not like any block period tweaking is going to improve brick and mortar transactions anyway, which need to be done in seconds, not minutes.  Although there definitely does appear to be a dumb marketing gimmick aspect to it, which is unfortunate.


* More precisely, t is the fractional hashing power-weighted sum of the times required for the other miners to download and verify the block.

* https://bitcointalk.org/index.php?topic=244656.0