Usually, people think about Merged Mining in the context of Proof of Work. But it seems to be possible to create a merge-mined chain that will be based on Proof of Stake. For example, it could start with zero initial coins and be pushed forward by providing a valid Bitcoin transaction. Then, people would earn that altcoin during moving their bitcoins. So, instead of getting Bitcoin headers and pushing that chain forward by providing 80-byte block headers, people could do that by pushing their signed transactions.

Also, there is no need to create additional commitments on-chain by making things like "OP_RETURN <commitment>", as described on that mailing list. People could just tweak their public keys and reveal their commitments on the merge-mined chain. In this way, it is possible to make some Taproot address with some "OP_RETURN <commitment>" TapBranch, that will never be used on Bitcoin, but that could be used as a proof that such commitment is connected with this address (so also this amount, that is signed in the Bitcoin spending transaction, that means this altcoin can have consensus rules that will distribute coins based on such commitments).

People criticize Proof of Stake, but they cannot even make a test network without staking. For example, signet is very centralized. Developers did nothing to decentralize testnet3 in Proof of Work way as you described, they simply made a centralized network and added even easier Proof of Work than Satoshi did! Still harder than 20 leading zero bits in prenet, but definitely easier than difficulty one on mainnet. So, even Bitcoin developers are testing Proof of Stake and making new signets for new features (check https://ctvsignet.com/ if you don't believe me), guess what will be next. Just look at the mailing list in this month, there are more and more proposals involving signatures and staking. That means, Proof of Stake could win even on Bitcoin!

Of course I don't have all the answers yet. But I know the basic layer is technically possible to build, and that can be improved later, because a single on-chain transaction could move coins from one sidechain to another, so making improvements will be quite easy.

I think it should be demonstrated in practice. Imagine talking about Lightning Network without having a working system. It is hard to convince anyone it could work. So, now I am trying to write some code, and build a basic layer of what I already described. Then, I could run that as a some kind of test network, where you can easily get some test coins, just by signing some mainnet coins (that could be also done as a commitment, to make it during sending some regular transaction, so nothing more than tweaking a signature will be needed, and it would cost zero additional on-chain bytes, and one tweaked signature could commit to the hash of the block, to cover the whole test chain at one shot). Another thing is that if it will ever reach some popularity, then it could be possible to add commitments inside the coinbase transaction, just by tweaking some miner's Taproot address, that would also require zero additional bytes, and would allow reaching sidechain finality every 10 minutes, without increasing mainchain size at all. Imagine Bitcoin as a huge clock that would confirm all sidechains every 10 minutes, without any additional bytes, the whole burden of commitments will be taken by each sidechain separately.

1) Merged Mining done wrong: they should always follow the highest source of the Proof of Work, and grant coins, accordingly to that. Having 10% of Bitcoin's hashrate should allow reaching 10% of NameCoin's hashrate, there is no need to create a separate difficulty, each chain should follow the heaviest Proof of Work.
2) No coins should be created out of thin air, they should be based on Bitcoin, may be pegged in 1:1, may be signed and cloned in this way, there were many possible solutions to that.
3) "The spent fee goes to the miners in the next block fee" - burning 0.01 NMC to register a domain is pointless, it can be done safely without it, and handled in the form of fees. Also, by throwing coins out of circulation, there is a hard limit of available domains, which is not needed.
4) Names can be attached to Bitcoin signatures or addresses, and revealed later, when needed. There is no need to explicitly include hashes.
5) No "modernised arrangement with the Merkle Tree on top" was created, no commitment-like style of revealing names was added. It should be based on sorted commitments, that should be timelocked, and then revealed in a given timeframe, to get it recorded, and committed into NameCoin, which should commit into any Bitcoin transaction every sometimes (preferably once per 10 minutes, if sidechains would get some traction, and if they would be supported by miners, and not only by users, as it is possible today).
6) "it's cryptographically possible to make a risk free trade", and we have 2022, and it is still on some TODO lists, but not yet implemented. Also, NameCoin developers didn't even try to reach that goal.
7) "A longer interval than 10 minutes would be appropriate for BitDNS" - and they picked of course 10 minutes for no reason. I thought about increasing block time on some networks, into two weeks, maybe even into one halving period. There are some nice properties, when the block time is increased (for example, Proof of Work reduction is then possible, without breaking any consensus rules, that are adjusted to faster block times, so the difficulty is then forced to drop). On some networks, it can be also decreased, like P2Pool did with their 30 second blocks, this method can be also used to do some Proof of Work fragmentation and decentralize mining, or give some people a choice between staking and mining, so they can find a balance between that, for example they could go into 90% mining and 10% staking, it is a good start, and could go further later, when people will be more convinced, that it works.
8­) "In that case, domain objects (domaincoins?) could represent the right to own a domain for a year" - guess what, of course it is not "one year".
9) "You might consider a certain amount of work to generate a domain, instead of a fixed total circulation" - was it considered to utilize something like "vanity address" to have a "vanity name", where people will mine a name that will be unique, will have some matching characters, and will be cryptographically secure at the same time? Do people have a choice between paying for some characters and mining other parts? Of course not. It is not possible to mine "bitcoin" as a vanity string, and pay for "eater, don't send" to own that name. No, you have to claim the whole "bitcoin eater, don't send" part, you cannot mine names, no matter that vanity addresses are better, and they even not require a blockchain! What about mining vanity names and supporting Bitcoin Proof of Work at the same time? They didn't even start thinking about that!
10) This list is longer, but I think it will be too much offtopic. Maybe this reply should be moved to some NameCoin-related topic, feel free to do that if needed, but also note that in all of those points, you can put "Proof of Stake" instead of "Proof of Work", and it will still make sense, so you can also discuss it here.

Yes, but it was created by joining transactions that were below 1 sat/vB fee rate, see sighashes.

People don't want to go below 1000 sats/kvB on-chain, so if you want to make any transaction with lower fee rates, you can get it accepted only in separate networks, where transactions are batched in a trustless way, to form something that will appear as 1000 sats/kvB on-chain, but for users it is cheaper during making off-chain transactions.

More sidechain demonstration: the normal 1 sat/vB fee means 110 bytes per each P2WPKH-P2WPKH pair. Here, each user can pay 105 satoshis per entry, and the validator pays only 85 satoshis for validating all of that, and for enforcing that on-chain. It is trustless, it is based on SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, and it allows reaching lower fees. Those low-fee transactions are broadcasted only on a sidechain, where they are collected, grabbed by some validator, and then that validator can be paid by getting a discount on its own transaction, it is a reward for the whole batching effort. In practice, that validator could earn even more by batching A->B and B->C sidechain transactions into A->C mainchain transaction. But this example shows, what is possible here and now, with no protocol changes, more sidechain features are ongoing.

It depends on sighashes. If you can join 500 transactions with one satoshi fee, to reach a single transaction with 500 satoshi fee, then you don't have to be a miner, you can just be a validator. It is ongoing, and there are practical examples, where you can reach fee rates below 1 sat/vB, or where you can even earn something, see testnet3 transaction: 99459ff5ce058067ed87b99f326305768444068a5659dce5ea5f126bfd4b0bda.

Keep calm, today 1 sat/vB means "no priority", and anything below that means "joke priority", so all users should be aware that their transaction can be rejected. But so far so good, in the past, it was normal to pay 0.01 BTC as a fee. But it is sad that the community removed free transactions entirely from the "reasonable defaults". However, regular fees can now reach values like 100 satoshis. In the future, I think we could reach even single satoshis on mainnet, if the whole traffic will jump into sidechains or Lightning Network. It is a matter of time, historically, fees were decreasing, when it comes to the number of satoshis.

Po pierwsze: sidechainy Bitcoina istnieją (patrz: Liquid, RSK). Problem w ich przypadku jest taki, że to są "federacje", a co za tym idzie, nie każdy może je wykopywać. Jeśli jednak mówimy o stakingu, albo o sytuacji, w której istnieją "walidatorzy", to taki model może działać na Bitcoinie dzisiaj, tu i teraz, bez pisania żadnego nowego softu.

Czyli: nic nie stoi na przeszkodzie, aby zrobić tak, że masz kogoś, kto ma BTC na swoim adresie i kto zrobiłby adres 2-of-2 multisig. Wtedy jeden klucz należy do twórcy sidechaina, a drugi do użytkownika. Ogólnie jest tak, że jeśli zrobisz "OP_CODESEPARATOR <kluczPublicznyAutoraSidechaina> OP_CHECKSIGVERIFY", a następnie dołożysz do tego dowolny Script, który będzie wstawiony przed "OP_CODESEPARATOR", to jesteś w stanie zrobić taki sidechain, gdzie nikt nikomu nie musi ufać. Wystarczy mieć jednego walidatora, który obsłuży cały ruch. A jeśli będzie ich wielu, to też jest w porządku, po prostu każdy walidator może obsługiwać ruch na tych monetach, które dostarcza, w celu zapewnienia płynności.

Innymi słowy: jeśli chcesz założyć własną federację, to robisz "OP_CODESEPARATOR <kluczPubliczny> OP_CHECKSIGVERIFY" i ogłaszasz użytkownikom, że podpiszesz każdy Script (ale nie TapScript!) który ludzie dostarczą. Wtedy każdy klient może zapewnić wejście do sidechaina, jeśli zrobi transakcję, która używa dowolnych wejść, natomiast na każdych wyjściach, zakończonych wspomnianym Scriptem, będzie to znaczyło, że monety są w sidechainie. Wtedy można ustalić hash transakcji oraz numer wyjścia, podać walidatorowi (który nie musi znać treści Scriptu) i wtedy wystarczy, że taki walidator to podpisze.

Kolejnym krokiem jest ruch wewnątrz sidechaina. Jeśli walidator będzie wiedział wystarczająco dużo, żeby podpisać transfer z jednego adresu na drugi, to może się to sprowadzać tylko do zmiany adresu docelowego. Tak długo, jak długo walidatorzy są uczciwi, to system działa. Wszelkie zagrożenia są wtedy identyczne, jak w Lightning Network, mianowicie: można ogłosić starą transakcję, która przyzna więcej monet którejś ze stron. Jeśli jednak transakcje będą składane, to w takim modelu kradzież będzie niemożliwa, po prostu to wtedy będzie kwestia wyższych opłat transakcyjnych.

Dokładnie. I teraz pomyśl o tym, że jeśli więcej osób się o tym dowie, to może przy kolejnych monetach wreszcie ktoś oddolnie wymusi zmiany. To znaczy: jeśli kolejna osoba zacznie tworzyć kolejną wspaniałą monetę od zera, zamiast rozbudowywać istniejące, to może będzie można wreszcie odpowiedzieć takiej osobie coś w stylu "po co tworzysz nowe monety?". Bo moim zdaniem nie ma takiej potrzeby, kiedyś miało być 21 milionów monet, ludzie to niepotrzebnie rozdmuchali. Jeśli jakiś altcoin tworzy swoją własną bazę monetarną, to niepotrzebnie dzieli użytkowników. Mamy monetę A z funkcjonalnością A oraz monetę B z funkcjonalnością B. Musisz sprzedać jedną, aby kupić drugą. Po co? Moim zdaniem to bez sensu, skoro technicznie można byłoby sprawić, aby twórca altcoina dorzucił funkcjonalność B na monecie A.

Technically, they can. Also, the Lightning Network is based on Proof of Stake. There is no mining inside LN. That means, it is technically possible to transform Bitcoin into Proof of Stake coin, and give users some choice. So, a "coin in a coin" scenario is possible here and now, it is just a matter of pushing things higher, and turning the on-chain consensus into that.

Yes, it's the same kind of Proof of Stake, but it has a chain. And that difference allows direct payments between participants, and that's the key difference between my proposal and Lightning Network: it is like if you could watch all channels and their state. Also, in this case, no watchtower is ever needed, and mining is also possible, because if you can watch all channels and transactions, then you can collect all of them, make a sidechain block out of it, and sign it, then you take all fees from all users as your reward (by default your reward is zero, and can be increased by validating transactions). So, the situation is clear: people can wait a long time for mainchain confirmation and pay on-chain fees, but they can instead use minimal on-chain fees, and pay much less, to have it signed by stakers. In this way, the stakechain can fill the gap between zero and the first confirmation, for a few satoshis you can get it validated, instead of accepting zero-confirmation. No coins will be created out of thin air, users will agree voluntarily to move their coins into stakers' hands, just by signing transactions.

You can, I guess that will be the case during bootstrapping, then people will find a good balance between that, and will see that staking can give them more profits, while having less power requirements, because then no mining equipment is needed. It will be a gradual way from 100% mining and 0% staking into 1% mining (the minimal difficulty is one) and 99% staking.

It has to be gradual, because instant change will be rejected by Proof of Work enthusiasts. They don't want to switch immediately, they have to be convinced over time, that a different system is better, and can reward them with more coins.

That's the mistake of many Proof of Work altcoins: they use their own hash functions, or mine their own chain of the heaviest work, instead of being connected to Bitcoin by Merged Mining. The same with Proof of Stake: by creating new altcoins, the situation is not better, it is actually worse. Users don't need new coins, they need new features on existing coins.

There is Merged Mining, there is Merged Signing, there are ways to make new features, without creating coins out of thin air. I still don't get it, why altcoins do that, when there is no need, and when trading and speculation can destroy them, even if their idea will be genius, just because developers force users to choose between coin A with feature A, and coin B with feature B, they enforce choosing for no reason, why they can't just get feature B on coin A?

Why? The coin supply is finite, sooner or later we will reach the case, where the basic block reward will be zero. And then, users could fully decide, if they want to move their coins in a Proof of Work network, or if they want to get their transactions confirmed by Proof of Stake validators. Then, it may be pointless to mine zero satoshis on-chain by using Proof of Work. On-chain fees may be lower than off-chain Proof of Stake fees. What then?

Lightning is similar to staking, but it lacks some features, like direct transfers between all Lightning participants. You still need to touch on-chain, you cannot send coins directly in Lightning, and finalize it later on-chain, you have to finalize that on-chain immediately, no matter what, because each channel should be in the right state to move any coins anywhere.

Well, sidechains at least have some independence, and only finalize things on-chain. But Lightning is fully pegged to the main chain, and that's why all problems from the main chain are always moved downwards to LN (for example, if on-chain fees are high, then there are problems with creating and closing channels).

If the basic block reward is zero, and on-chain fees are very low, then this low difficulty is justified. It just reflects on-chain rewards. And they will be lower if the whole system will move into LN, staking, or other layers.

If you increase the block time from 10 minutes to 40 minutes, then without any fork, the difficulty will drop to the minimal value, and will stay there.

No agreement is needed, if there is no hard-fork, and no soft-fork needed. It is just about users willing to move coins as they want, and sign transactions as they want. They don't even need to move on-chain coins, they can create coins by signing something, then they will get their coins deposited on a separate chain. Later, they can move coins on-chain, then they will be destroyed on the sidechain. In this way, it is possible to create two-way-peg, where nobody can stop it. Then, it is possible to turn chains on and off, it depends only on users, they will have freedom they never had before. And the whole work is about making the right scripts, so that on-chain coins will move if (and only if) all participants will agree on that, and that will be needed only if someone will want to leave the sidechain.

The basic idea is already shared, the original author thinks about utilizing it in the Proof of Work context, but I think it could be used as a Proof of Stake too. Many things are ongoing, because, as you can easily guess, Bitcoin community is mainly against staking, so to make it real, there is a need to allow the minority to use their coins as they want, and to gain and lose them, by testing their ideas in practice. If I would share my ideas in the current stage, they would be destroyed by the Proof of Work community. They should be hardened, and more work is needed to make some unstoppable proposal, but the main idea of unstoppable sidechains (without any fork) is very promising.

Of course, because millisatoshis not divisible by 1000 are enforced on-chain, right?

I can say the same about my idea, just cut this "it’s not even a chain" part, and you can copy-paste it 1:1 into my proposal.

I don't need any new coins. Each validator can take fees, in the same way as LN nodes take fees.

They always can. There is no way to stop them, they can put their coins in and out as they will, it is just a matter of signing some transaction.

The problem of creating new features without any forks, of course. People have a lot of ideas, and create a lot of altcoins to reach them. There is no reason to create any new coins out of thin air, if they could sign their bitcoins instead.

And people accept that by signing their own coins. They accept to gain and lose coins, by signing messages, and there is no way to stop anyone from signing any message they want. That's the best part of this "unstoppability", that there are some ideas, where even Proof of Work enthusiasts cannot destroy easily. That's why if you try to stop my proposal, you may hurt Lightning Network at the same time. Then, you have to choose wisely, to not kill too many networks with one shot.

I still cannot see any difference. Each Lightning participant decide, how to make a closing transaction. The same with sidechains, the act of moving coins on-chain simply means, that everyone agreed to destroy sidechain coins, and take them on the mainchain.

Simple, in LN you cannot transact with all participants directly, in sidechains you can. If you are completely new, with fresh keys, you cannot be introduced into LN, without touching on-chain coins. In sidechains, it is possible.

Note that people can be rewarded in this Proof of Stake network directly, so miners could find it more profitable to mine less on Proof of Work, and validate more on Proof of Stake. It is a matter of incentive, dropping the difficulty from the current level to the bare minimum 2^32 hashes is technically possible.

Why not? Using the difficulty equal to one will be "good enough". Going even lower is also possible, because it is possible to increase block time, for example from 10 minutes to 1 hour or longer.

I do. And I have plans with staking, be ready for them.

Just by producing blocks every 40 minutes. If any difficulty reduction will be needed, then soft-fork is more than enough to cover it. But I think moving coins off-chain will be enough to decrease on-chain fees, and to decrease on-chain rewards, which will encourage miners to turn off their machines.

By making signatures. Instead of signing a regular transaction, you sign something else. For example, in signet, if you want to sign a block header, you make two transactions, there is "to_spend" and "to_sign" transaction, you sign this "to_sign" part, and place your signature in the coinbase transaction.

I thought about 1:1 peg (of course 1:1000 or other values are possible, but then it would mean just moving the comma, so for example using millisatoshis, instead of satoshis, as in LN).

As every sidechain, it has to reach "a peg", not "the peg". As long as all coins are covered by the chain they are pegged into, it works.

It is in progress, I just decided to mention that it is ongoing, but I could patiently and silently work on it without informing anyone, and then suddenly reveal everything at once. So far, I shared parts, where there is very little chance that someone will destroy that easily (also, Core developers already discussed some parts of it, for example "temporary forks", so they are aware of what is possible, they may not be aware only about that "no fork required" part, but I think they should be, because this was also posted (not by me) to the mailing list). But there are other parts, that needs to be hardened, they are too fragile to be shared with Proof of Work enthusiasts, because then they will abuse the system by making chains, and pretending that "this idea was tested, and it failed", which is not the case. In the same way NameCoin was presented as a BitDNS implementation, while it is clearly not the case, as it lacks some features (described by Satoshi).

I can share unstoppable ideas, that are hard to destroy, and I already shared that, the only thing left is answering some questions, and clarifying, what is possible. But still, I don't want to share more fragile parts, because I don't want to repeat NameCoin's mistakes.

That's the plan: to have a network, where you can receive coins, only if you sign your bitcoins. Of course someone else could sign its own coins on your behalf, there is no way to stop that.

Yes, but the current difficulty means that a lot of energy has to be used. It is possible to convince people to turn off their miners gradually (by convincing them that they can earn more by making signatures and staking their bitcoins), so the difficulty would gradually reach the minimal value. Then, it is possible to protect the whole network mainly by Proof of Stake, and leave a little protection of the Proof of Work, just to make it backward compatible.

Well, I was not here for 2016-2017. I started buying Bitcoin in 2018, maybe 2019.

What happened, should stay in the past. Now we know that new features can be introduced with no forks at all, even no soft-fork is needed, you can read more about it here: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020532.html. Of course, sidechains can also solve "coin merging" problem, but I think not many altcoiners want to for example merge BTC and BCH into a single coin again, so there is no need for that yet. But it is just a matter of proportions, any altcoin can reach a peg again, if they don't want to do that, they are free to stay unpegged, just they should not be surprised that their coins will be left behind the heaviest chain, if they designed it to be a competition, instead of reusing the strongest source of SHA-256d hashes, no matter where it will be produced. They could do a soft-fork or no-fork back then, big blocks are different from small blocks only by the time when each tranaction is included. They could get it protected by Merged Mining (and commitments could protect them from chain reorganizations), and have their transactions included later, it was that simple. I guess people were just unaware of possible technical solutions that always existed, from the first released version. And they still are, including me, it is a continuous process of learning, what is possible.

Now they could issue their own sidechains. No permission is needed, coins can be created by signing on-chain coins, and destroyed by moving them. Nothing else is really needed, the rest is about making it convenient, and protecting mainchain coins with the right output scripts, to allow moving them if (and only if) each and every owner of that coin agreed to move back to the mainchain.

Pure speculation with no usage will lead us nowhere. If people want to speculate, or if they want to never use their coins, they should have that choice. Holding coins forever is like owning something on OP_RETURN. You can do that, but it won't be useful. You need money to pay for goods and services, the whole value can be created from real usage and real features. Of course it can be created artificially, but then it will vanish over time. And I don't want to make things that will be worthless after few years, I want to make a system I would want to also use, from the perspective of some non-miner and non-developer, who will have no power, and will just want to write some applications for existing coins. It should be still useful in that case, because it is all about control, and to make it decentralized, the creator should have no control over the network, even if it will be based on Proof of Stake.

But you know that the popular way of implementing Merged Mining is not what Satoshi intended? NameCoin made the same mistake: there should be one chain of block headers with the heaviest Proof of Work, Proof of Stake, or Proof of Something, and each Merge-Mined chain should receive a fraction of coins proportional to the whole power of all chains. In this way, attacking any altcoin by reaching 51% power, 51% coins, or 51% something is possible if (and only if) you have a majority on all chains together. And of course people didn't implement Merged Mining in that way. Also, when it comes to Proof of Stake, there is an alternative called Merged Signing. And guess what: people are still unaware of that, and they still think that creating new coins will make the whole situation better, but nobody gave any reason, why it is needed to create new coins at all, instead of signing existing coins from other chains, and build new protocols on top of that.

This. And miners should also receive a proportional amount of test coins, related to the mainnet difficulty, or the whole difficulty of all chains, if testnet will track that. So, if the mainnet block reward is 7 BTC, and you mined a block that is 100 times easier, then you should receive 0.07 test coins, not 50 test coins (ideally, you should also receive 0.07 real coins in decentralized way at the same time, but that is another story). And if you mined it with difficulty equal to one, you could receive zero satoshis on the test chain, because rounding down integers during division is the default in many languages, and because you can test all scripts on zero amounts, it would also work.

Another nice to have feature would be to get test coins by signing the mainnet coins. Then, you could sign for example some coins from transaction 9173744691ac25f3cd94f35d4fc0e0a2b9d1ab17b4fe562acc07660552f95518, and get some test coins by doing that (here: zero coins, but there are many dust amounts flying around that you can safely sign). Then, it could work as a test sidechain: you sign some coins, and then you can do your testing, and you can test your peg with the mainchain. Then, you move coins on the mainchain, and then test coins are destroyed, so they can be skipped by other nodes during the initial sidechain download.

Nice idea! I think we could have a timespan of one difficulty adjustment. For example, that could mean, when the difficulty is adjusted on the main network, then all test coins are cleared. Or we could use a moving window of 2016 blocks or something like that, then the test network will follow all mainchain events like halvings and difficulty adjustments, so all amounts of test coins will be quite similar to those used in practice on the mainnet.

I don't know. It depends. It is true for now, but I am not sure it will be true in the future. For example, there are proposals like CoinPool. In general, there are proposals to put more people into a channel. Also, there are some ideas flying around, how to solve the problem with on-chain interaction. You know what does it mean? It means Bitcoin could end up in a scenario, where there would be no need to open or close channels, because it will be resolved by more deep layers. So, it could be possible to have some opened LN channel, and then create some coins on L3, without touching L1, everything inside L2. Then, it could be possible to extend "a coin in a coin" or "a layer based on a layer" to that extent, that it could require no interaction with on-chain coins.

More advanced does not mean "better". Also, the current consensus has its limitations, and the whole chain will stop, unless there will be some hard fork. But as far as I know the Bitcoin community, they will use hard forks only if they will be forced to do so. And by "forced" I really mean "forced". Maybe 2038 year problem will be resolved by increasing timestamps in a soft-fork way? Maybe when the chain will stop, the last block will be endlessly replaced? Maybe people would start making the blockchain smaller, by completing "D" in the "CRUD" model, so that "Delete" operation will be executed by overwriting the chain, and adding the hash of the previous chain in the first block after the Genesis Block? Why not? We could start mining on top of the Genesis Block, and produce 2016 blocks so strong, that they will be stronger than ever (so that will trigger the biggest chain reorganization ever), and then we can pretend that the Genesis Block is not from 2009, but from "2009+offset"? And what then? Because there are a lot of ways, how soft-forks or no-forks can save the day, and be used to avoid hard-forks always and forever.

I can see a different trend. People think that no block size increase is needed, so also no increase in the use of the mainchain is needed. I think it could be reduced, because a lot of soft-forks and no-forks can be used to make things happen, no matter what developers want, and without their permission.

I think that will be true in the future. Exactly that last sentence about "getting tyrannical". And I mean "really tyrannical", so not increasing the max block size is one thing, but I can also imagine making the whole chain smaller than it currently is, so for example going from the current ~450 GB to ~1 GB in the future. All that is needed is reaching consensus, and creating some Proof of Work that would overwrite the chain. I think it is possible, if miners could be rewarded directly in the Lightning Network. Another thing is that doing it once is more than enough. Some soft-fork or no-fork could make it permanent, and alter all rules.

There are many reasons, feel free to pick anything, or even extend that list:
1) they don't have good and working solutions for some problems
2) they don't care, they hope that things will be fixed automatically, when we will get there
3) they don't want to implement it now, when something is too crazy to reach consensus right here and right now

I don't care about "legal reasons", because in many countries, the law is outdated, and it cannot catch the crypto world correctly. For example, imagine that Satoshi invented the simplest tax system that is possible: transaction fee. If you govern a country and use crypto, you can keep being just some user, even if you are a government, and it will work fine, it will just be a different scale. If you want to mint new coins, you don't have to reinvent the wheel, and create CBDC for your local currency, when you could just use existing crypto, right? Also, you don't have to force your citizens to fill some papers, to go through the whole system of "spaghetti law", you can just collect transaction fees, and not require any additional fees than that. If you want, you can require an explicit payment, you can show each user the explicit amount they have to pay, and you can make things very simple. So why governments don't want to go that way? I have no idea, maybe they are missing the bigger picture of what is possible, and the whole reason that such ideas can also be beneficial for them.

It is already solved by Merged Mining invented by Satoshi. Another way is Merged Signing for Proof of Stake. I think, technically it is not a problem at all, it is just a matter of making things happen. So it requires some coding skills, some time, and patience, to get there. And I hope we will.

Some users told me that, and I agree, that quoting should not point to users. And I am not the only member of "quotes without nicknames" club. It makes life easier, when it comes to writing posts, but it is only opinion (and there are exceptions, like quoting posts that are far away, for example written by Satoshi). So, I prefer "userless quotes", but feel free to "fix" them if you want.

It depends on what do you want. Because if you want Proof of Work, then you should use that in lower layers. But if you want Proof of Stake, then it can simply take over, if no Proof of Work will be added to some lower layers. Then, if Proof of Stake is superior, coins will gravitate towards staking. But if Proof of Work is so good, then why it is not present in the lower layers? Why Lightning Network transactions are not Merge Mined with Proof of Work, but only signed?

Maybe. But still, it has to be confirmed or rejected by other people. It is always a matter of consensus, for either Proof of Work or Proof of Stake, or Proof of Whatever. So, ideas are flying, but they are only ideas, unless implemented and enforced. And there is still a lot of work to reach that.

As far as I know, no BIP yet, but I think some people are generally interested in the concept of Merged Mining. For example, I guess this guy wants to do that in a Proof of Work way: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020532.html

I think the basic idea of creating a separate chain with zero supply, that could accept deposits and withdrawals from other chain, is mature enough to be implemented. It can be implemented in a very general and open way, then it can be later limited by soft-forks in the future. Another thing is that if this additional chain has no coins, then it can be easily created (by making signatures), and easily destroyed (by moving coins on mainnet), so recreating the whole additional chain will be quite easy, just all users will move from the additional chain v1 into the additional chain v2 by making a single on-chain transaction.

It depends what do you mean by "centralized" and "decentralized". I can imagine a scenario, where all coins would flow inside the Lightning Network, then all on-chain transaction fees could be gone, and then guess, what will happen next: you will have a system that will run out of coins. Miners will mine all 21 million coins in circulation, and what then? No new coins, so the basic block reward would be zero. And then imagine that all coins could be locked in some LN channels, and stay there. If so, then miners will stop mining (because of no incentive), and then the whole chain will stop, because the whole life will be present entirely in some lower layers.

So far, the Bitcoin community has no solution for the scenario, when the basic block reward would be zero. Then, doing chain reorganization would be profitable, just to get some coins from the fees of the previous block. That means, this could be the way to disincentivize miners to extend the Proof of Work chain. And then, if no solution will appear, everything will be handled by the Proof of Stake.

It is just an idea. If Merged Mining is possible, then something that I described, could be named "Merged Signing", so it is exactly "a scenario in which miners would vote out their own business model", because then it is possible to vote for anything, just by signing some transaction, and it is possible to prefer that, instead of using Proof of Work to mine blocks. You can always sign a transaction, and then it goes into staking. If you will look inside the Lightning Network, you will see, that there is no mining. So, how to name that consensus, that is inside that network? I would call that staking, because everyone can open a channel, and put all coins at stake, and then take profits from keeping some node online, and signing messages. There is only one difference: it is running on top of the regular Proof of Work chain. But I think it could change, I described the reasons above.

When it comes to the resources about Merged Mining, then see how the NameCoin works. And imagine that instead of reusing some Proof of Work from another chain, you could reuse a signature. Then you will get, how Merged Mining could work in a Proof of Stake consensus.