Securing contingent claims

[TierNolan]

One problem with using the existing block chain is that it ties up BTC in escrow. Suppose we want to wager 1 BTC on bitcoin difficulty 1 year in the future. To do this, we would need to hold 1 BTC in escrow for the next year. If on the other hand we loaned out the BTC at a hypothetical risk-free interest rate of 1%, we could earn around 0.01 BTC in interest during this year. Thus, there is something like a 1% annual tax on speculative transactions that use regular bitcoin.

On the other hand, if we a mine a bond that matures in one year, we don't need to forgo any interest to place bets on difficulty when it matures.

One possibility would be to have miners able to generate lots of coin fractions as long as all future states are only counted once and then allow those "coins" to be traded.

With a secondary chain, transaction fees could be added as part of the system to create an incentive for miners to mine the chain.

There could be a field in the header that matches a block in the main chain.  This would allow the 2 chains to be kept in sync.

The script could be used to do some kind of verification, but I am not sure how well it could be hardened.

You could make it so that to unlock the coin (in the main chain), you need a sequence of hashes.

Hash(.....Hash(Hash(<some-value>,Hash(<some-value,HASH(<my-address> | bond hash))) is less than <difficulty target>

The script could be setup so that it pays out if that condition is met.

The more hashes, the longer before claims are paid out after maturity, but the harder it is to brute force the system.  Also, if you require all sub-hashes to meet difficulty then it gets even harder to crack (which is what the main chain does).  This hardens the p2p security and can again be done with script.

Hash(<some-value,HASH(<my-address | bond hash>) < difficulty
Hash(<some-value>,Hash(<some-value,HASH(<my-address | bond hash>)) < difficulty
...
...

However, this should not be done for the first few hashes in the unlock code.  This would allow Merkle chains to be formed.

You would submit <my-address | bond hash> to the alternative chain (assuming you were the winner) and it would calculate the unlock code (after a while), while also calculating everyone else's code at the same time.  The <some-values> would be other people's claims.

The miners on the alternative chain should refuse to incorporate invalid <my-address | bond hash> pairs.  At with the main chain, everyone is sharing the processing power of the network.

One disadvantage is that <difficulty target> would need to be selected in advance, when creating the contract, since it has to be hard coded into the unlock script in for the linked transaction in the main chain.  This means that care needs to be taken before adjusting difficulty downwards, since that will mean that chain fails to unlock some of the transactions.

However, if the main chain is anything to go by, a rule that prohibits downward difficulty adjustments shouldn't be an issue.

[cunicula]

One problem with using the existing block chain is that it ties up BTC in escrow. Suppose we want to wager 1 BTC on bitcoin difficulty 1 year in the future. To do this, we would need to hold 1 BTC in escrow for the next year. If on the other hand we loaned out the BTC at a hypothetical risk-free interest rate of 1%, we could earn around 0.01 BTC in interest during this year. Thus, there is something like a 1% annual tax on speculative transactions that use regular bitcoin.

On the other hand, if we a mine a bond that matures in one year, we don't need to forgo any interest to place bets on difficulty when it matures.

One possibility would be to have miners able to generate lots of coin fractions as long as all future states are only counted once and then allow those "coins" to be traded.

With a secondary chain, transaction fees could be added as part of the system to create an incentive for miners to mine the chain.

There could be a field in the header that matches a block in the main chain.  This would allow the 2 chains to be kept in sync.

The script could be used to do some kind of verification, but I am not sure how well it could be hardened.

You could make it so that to unlock the coin (in the main chain), you need a sequence of hashes.

Hash(.....Hash(Hash(<some-value>,Hash(<some-value,HASH(<my-address> | bond hash))) is less than <difficulty target>

The script could be setup so that it pays out if that condition is met.

The more hashes, the longer before claims are paid out after maturity, but the harder it is to brute force the system.  Also, if you require all sub-hashes to meet difficulty then it gets even harder to crack (which is what the main chain does).  This hardens the p2p security and can again be done with script.

Hash(<some-value,HASH(<my-address | bond hash>) < difficulty
Hash(<some-value>,Hash(<some-value,HASH(<my-address | bond hash>)) < difficulty
...
...

However, this should not be done for the first few hashes in the unlock code.  This would allow Merkle chains to be formed.

You would submit <my-address | bond hash> to the alternative chain (assuming you were the winner) and it would calculate the unlock code (after a while), while also calculating everyone else's code at the same time.  The <some-values> would be other people's claims.

The miners on the alternative chain should refuse to incorporate invalid <my-address | bond hash> pairs.  At with the main chain, everyone is sharing the processing power of the network.

One disadvantage is that <difficulty target> would need to be selected in advance, when creating the contract, since it has to be hard coded into the unlock script in for the linked transaction in the main chain.  This means that care needs to be taken before adjusting difficulty downwards, since that will mean that chain fails to unlock some of the transactions.

However, if the main chain is anything to go by, a rule that prohibits downward difficulty adjustments shouldn't be an issue.

This sounds great to me. However, I am not a programmer, so it would be great if people with the relevant expertise could weigh in. I can't do much to lead the creation of an alternative blockchain, though I am happy to provide input on the system's design. I am hoping that more people with an interest in this project will come forward.

Interestingly, my poll suggests that the market would demand annual interest rates in excess of 5% for bitcoin bonds with one year maturity.
http://forum.bitcoin.org/index.php?topic=25705.0

The inefficiency associated with the lack of bonds is directly related to the supply curve for credit. If people are willing to supply credit at an interest rate of near 0%, there will be no inefficiency. The higher the interest rate, the larger the inefficiency. The poll suggests that introducing bond (or contingent claim) mining would make bitcoin much more efficient as a financial system.

[sacarlson]

I didn't read all the post in your article so I might have missed something but my present MultiCoin does support P2P multisign escrow.  but at this time I can't get the Bitcoin group to be a part of it.  I am already testing it in the weeds proto test chain and will fully implement escrow in beertokens when we have decided on a security model of the new block chain.  I think that is what would be needed to start using your dirivitive escrow contract as I might now call it.  You can see more details about my escrow features in my article at: http://forum.bitcoin.org/index.php?topic=24209.0  and as I see you are also looking at models of new possible currency control method what better way than to control your own in a smaller group of more trusted friends or group you have more faith in than a government.  I see the future of a fractionating currency flood that will have to be controled by a group of people not by algorithms in a program that we can't predict the outcome of.  contracts with asset backing will also help to stablelize as long as the assets are in place to support the outcome.

[cunicula]

I didn't read all the post in your article so I might have missed something but my present MultiCoin does support P2P multisign escrow.  but at this time I can't get the Bitcoin group to be a part of it.  I am already testing it in the weeds proto test chain and will fully implement escrow in beertokens when we have decided on a security model of the new block chain.  I think that is what would be needed to start using your dirivitive escrow contract as I might now call it.  You can see more details about my escrow features in my article at: http://forum.bitcoin.org/index.php?topic=24209.0  and as I see you are also looking at models of new possible currency control method what better way than to control your own in a smaller group of more trusted friends or group you have more faith in than a government.  I see the future of a fractionating currency flood that will have to be controled by a group of people not by algorithms in a program that we can't predict the outcome of.  contracts with asset backing will also help to stablelize as long as the assets are in place to support the outcome.

I don't share your views on attempting to manage the coin-beer exchange rate or the use of mining lisences. I would prefer a free float and free entry. Nevertheless, I applaud your initiative in experimenting with alternatives. Experimentation eventually leads to interesting things. I also thing that p2p multisign escrow is a great feature.

I'll summarize an important point that you may have missed.

For long-term p2p escrow to be efficient, tradeable bondcoins are necessary. These are mined securities that are accounted for separately until they reach a specified maturity date. Once the bondcoins mature, they become indistinguishable from regular coins. Bondcoins can be used to back long-term p2p contracts. When long-term p2p contracts are backed with regular coins, contracting parties incur an implicit tax because regular coins do not pay interest while in escrow. Bondcoins, on the other hand continue to pay interest while in escrow. The survey I posted here suggests that the market discounts future payments in bitcoin heavily, and accordingly that the implicit tax associated with forgone interest is substantial (see http://forum.bitcoin.org/index.php?topic=25705.0).

In short, if you introduce p2p escrow it would be extremely useful to introduce tradeable bondcoins as well. The two features complement each other.

[bji]

Hello, my initial comments in this thread went unresponded to.  So here I am again weeks later to bring the point up again.

I tried to read all of the comments in this thread but I am not an economist and so it would take considerable effort for me to understand all of it, and I don't have the time or inclination for that at the moment.

But I am a programmer and I do understand the technical makeup of the bitcoin protocol reasonably well.

What I want to understand is, what do bitcoin peers (either miners or end-users, they both will need to do this) need to do to validate the transactions that result from your proposal?

Bitcoin transactions reference the outputs of prior transactions and then provide evidence (in the form of script) to prove that the transaction author is allowed to redirect the value of the referenced transaction output to new transaction outputs.  Those new transaction outputs can then be claimed by the next transaction author with the ability to provide evidence (script) to redirect them, and so on.

This means that a peer that wants to validate a transaction simply has to find the referenced prior transaction output in a validated block in the block chain, and check that the value being claimed does not exceed that of the prior transaction's output, and also check that the script of the claiming transaction does prove authorization for redirecting the prior transaction's outputs to new outputs.

Now in your system, what would a transaction that wants to spend bitcoins produced by a contingent claim reference?  What would the rules be for deciding whether the contingent claim produced bitcoins?  Would it be as simple as checking the current time and then checking to see if the difficulty of the current block satisfies the criterion set forth in the contingent claim transaction, and the rejecting the transaction if it's trying to claim bitcoins from a contingent claim transaction that cannot be established as being one that pays out (either due to the contingent claim not having matured yet (i.e. the claiming transaction was written too soon), or due to the contingency not having been satisified (i.e. the contingent claim matured but the difficulty didn't match what was required)?

Also - does your proposal hinge upon the block difficulty being a proxy for bitcoin's value?  If so, what effect does the fact that block difficulty stays artificially fixed for 2 weeks at a time have on your proposal, if any?   And, isn't it likely that block difficulty will eventually track the size of the bitcoin economy rather than the value of individual bitcoins, once bitcoins are no longer generated and miners will mine for transaction fees rather than generated bitcoins?  In that eventuality, miners will make more if there are more transactions (and thus more transaction fees), and so miners will be incented to mine more or less depending upon the total number of transactions occurring, thus the difficulty, which is a function of how much effort is being put into mining, will track the total transaction volume in conjunction with the value of bitcoins.  Will your contingent claims system work when the difficulty is a function of transaction volume combined with bitcoin value?

[TierNolan]

  What would the rules be for deciding whether the contingent claim produced bitcoins?  Would it be as simple as checking the current time and then checking to see if the difficulty of the current block satisfies the criterion set forth in the contingent claim transaction, and the rejecting the transaction if it's trying to claim bitcoins from a contingent claim transaction that cannot be established as being one that pays out (either due to the contingent claim not having matured yet (i.e. the claiming transaction was written too soon), or due to the contingency not having been satisified (i.e. the contingent claim matured but the difficulty didn't match what was required)?

I think you would always want the transaction to expire to some kind of payment.  The question would be which of the potential owners would get the money.

Also - does your proposal hinge upon the block difficulty being a proxy for bitcoin's value?  If so, what effect does the fact that block difficulty stays artificially fixed for 2 weeks at a time have on your proposal, if any? 

I think the plan would be for the prediction to be months into the future rather than on a week to week basis.

 And, isn't it likely that block difficulty will eventually track the size of the bitcoin economy rather than the value of individual bitcoins, once bitcoins are no longer generated and miners will mine for transaction fees rather than generated bitcoins?  In that eventuality, miners will make more if there are more transactions (and thus more transaction fees), and so miners will be incented to mine more or less depending upon the total number of transactions occurring, thus the difficulty, which is a function of how much effort is being put into mining, will track the total transaction volume in conjunction with the value of bitcoins.  Will your contingent claims system work when the difficulty is a function of transaction volume combined with bitcoin value?

That won't be true for a while at least, but is a potential issue long term.  It isn't clear how best to generate a reference to real effort.