PPS fees are higher to account for the operator's variance when all miners are honest. It can't hope to handle sabotage attacks.

I agree with this. martok bit more than he can chew with the PPS. Which is very unfortunate, had he consulted with me I'd have explained the risks. The fact that he conditioned PPS payouts on its eventual finding of blocks means he doesn't get PPS at all.

Wrong, trying to sabotage a share/score-based pool is shooting oneself in the foot. If the attacker is 50% of the pool, then by withholding blocks he denies himself 50% of the reward. Thus sabotaging such pools is much more expensive. In PPS withholding blocks does not decrease the reward (beyond the normal PPS fee).

Not easy at all, the operator needs to keep hundreds or thousands of BTC in reserve to ensure stable PPS payouts. Which is what I don't think martok realized.

The word "proportional" is usually reserved to the defective system of using the same score for all shares. What we have here is called score-based.

Maybe you can try being more aggressive with promoting the pool? All the other pools are more or less the same and this is the only one that offers a distinctive advantage, there's no shame in spreading the word.

Ok, I think now we're allowed to ask... martok, are you absolutely sure there's no problem with the pool that would cause it to miss winning shares?

Care to explain?

Only up to the timescale required to order more supplies, which to me seems like a technicality.

I was wrong, but it only strengthens my case. The correct statement is: The customers don't lose, and the operator doesn't gain.

Consider two scenarios:

Scenario A: A million customers each buy a single ticket.
The operator collects a 10K BTC fee.
Each customer paid 1 BTC and has 1/1M chance to win 0.99M, so his expected gain from the bet is -0.01 BTC.

Scenario B: A million customers each buy a single ticket, and the operator buys 1M tickets for himself.
The operator paid 1M. He has 50% chance of winning the entire 2M, and a 50% chance of getting only a 20K fee. Expected gain is 10K BTC, same as before.
Each customer paid 1 BTC and has 1/2M chance to win 1.98M, so his expected gain from the bet is -0.01 BTC.

Because as jerfelix pointed out this lottery is not progressive, there is never an expected gain out of it. Customers pay in expectation to get the rush of high variance. So all the operator can do is get this high variance without paying for it, he cannot gain in expectation.

The X in "1/X chance" and in "0.99X reward" is the same, making the expectation per ticket a constant -0.01 BTC.

In bitlotto's system two different users can't get the same raffle number. And any single user would be silly to buy two tickets with the same number since this gives him no advantage (and he can make sure each ticket is different). So a million ticket bought by users will have a million numbers, just like a million tickets bought by the operator.

In bitlotto's system, he needs to actually have 100M BTC and freeze them until the draw to do this. And anyone else with a spare 100M BTC can do it as well, not just the operator.

I think here the particulars of bitlotto may differ from other lotteries. To generate a ticket for himself he actually has to spend in advance a BTC he currently owns. So whatever he has to gain only scales with his own capital, not with the number of participants.

- And this sounds a lot less impressive if the fee is only 1%, and he can get the good bet for £13.86M.
- You're once again making arguments that make sense for a traditional lottery where there are a limited number of options, and not so much for a lottery where there's virtually infinitely many options and exactly one winner (thus there's always a risk to go along with any expected gain).
- This is exactly like the grocer who can get his own good produce for a discount relative to his customers, and can offer a discount to his acquaintances.
- You're still only showing the operator can gain, not that the participants can lose. Every customer who buys a ticket knows he has a 1/X chance to win 0.99X BTC, where the value of X is not yet known. All of your suggested manipulations don't change that.

@realnowhereman - I can see how this logic applies when there is a very small number of lottery outcomes, but does it really hold up when there are 2^256? There's no way for the operator to have 0 risk then.

And in either case it doesn't seem relevant. It's great for the operator that he can profit out of it, but what we care about is the participant. And he can know exactly what his expected payout per lottery ticket is, no matter how the operator chooses to enter his own lottery.

Saying that an operator shouldn't have an edge when playing his own lottery is like saying a grocery store owner shouldn't buy groceries at his own store.

bitlotto can cheat him statistically. That is, he can have a plan to make sure the participant doesn't win even when he should. But this is different from material cheating (not sure if this is the right word), which means that the contingency that the participant should win actually happened and he still didn't get the reward. The latter cannot be done undetected.

And I guess there's no real way to be convinced whether the original bet was about material cheating or also limited-scope statistical cheating.

Nobody can prove that*, he could have, and it doesn't prove you won. The bet was about stealing the money without being detected. He might have an intention to steal at some point and plan with this intention, but the moment he steals he'll be detected.

* Unless buyers of the majority of tickets come and supply proofs of their identities.

I guess there was some scope to clarify the exact terms of the bet in advance. But to me this doesn't seem to qualify because 1) He can materially steal only once, which was clearly known to be true and 2) While he can statistically steal several times, the scope of this cheat is bounded by his capital and thus he can't do a large-scale scam.

jereflix did not offer a way bitlotto can cheat and thus can't claim the bet.

However, he did implicitly offer a way bitlotto can inflate his apparent trust regarding stealing. Consider again this scenario:

Disregarding fees, bitlotto puts 130 of his own BTC for a chance of 130/131 to get back 131 BTC and 1/131 chance to lose it all (just like anyone else could). However, it could be that his strategy was really as follows: If he wins, pay out to the winning address normally; if he loses, take the money and run. This way he can make himself appear worthy to be trusted with 131 BTC when he actually is not.

No, as long as an unbroken hashing function is used, mining rate is proportional to plain old hash calculation rate. And I don't see any indication that QC will have more hash/s per $/W than classical computers.

And I expect that there will be companies offering special-purpose mining cards to consumers.

These are some fairly serious accusations. Of course we embrace new businesses, even if they haven't built up a reputation in this community, if they seem legitimate, and with all due respect Bitcoin7 doesn't appear very legitimate. Operating a large-scale exchange is a serious undertaking and Bitcoin7 don't seem they have what it takes, so even if they have the best of intentions they might crumble leaving their customers with a loss.

Note also that I at least didn't advise to stay away from them, only to be careful. Perhaps with time they'll be able to make up for their past mistakes and establish their reputation as a legitimate exchange.

No, that's not what it means.

And I don't know enough about hashing to be sure what it does mean, but in a very broad way, cracking difficulty is exponential in the number of bits. So cracking a 128-bit-security code is 2^128 times easier than cracking a 256-bit-security code.

That said indeed it doesn't look like QC are a serious problem since you could just double the hash length.

You should be very careful with them. FYI they copied most of their text from TradeHill.com, a legitimate recently opened exchange (Bitcoin7 claims the dog ate their copywrite, or that outsourced copywriters copied that text without their knowledge, or something like that). Maybe you should try Tradehill, especially if you liked the text about vision and such you saw on bitcoin7.

The branch representing the highest total difficulty (barring changes in difficulty, this is simply the one with the longest chain of blocks) is chosen to be built upon. In case of a tie, the one the client saw first is chosen.

Note that the client doesn't now try to calculate hashes, but it does provide getwork to miner software.

There's no problem with POS. Double-spending is difficult even without any confirmations, and transactions propagate in seconds. Unless we're talking about a large purchase (equivalent to hundreds of dollars maybe?) there's very little risk in accepting the payment immediately. This was of course discussed before.

Mining will not stop when no more BTC are generated. It will be paid for with transaction fees.

Bitcoin is not that bad... It's the carrots you really need to stay away from.

As long as you don't become a dealer selling mining contracts you'll be fine.

After some Googling it seemed to me that mere mortals cannot use it. But soon most (all?) of the functionality should be available from the website.

You look at the number of shares as a fraction of the difficulty. But you don't do the whole calculation in block granularity.

Because all this information is irrelevant. Your expected payout from a proportional pool for a share you submit now depends only on the number of shares in its current round (as a fraction of the difficulty).

Specifically, if there currently are K shares in the round, the expected payout (in units of block reward) is $\sum_{i=K+1}^{\infty}p(1-p)^{i-K-1}/i$.

It has no effect on the payout from this pool. But once the payout from this pool, due to the length of its current round, is too low, you hop to a pool where it's higher.

Whatever happens outside the pool has no effect (unless it affects the decisions of miners). It doesn't matter at all if in a given minute 0 blocks were found outside the pool or 8. It does of course matter whether in this minute the pool found a block or not.

It looks like you're thinking a block is found like clockwork every 10 minutes. That's false, finding blocks (for Bitcoin at large, for a pool, for a miner) follows a Poisson process, so the time to find the next block is distributed exponentially.

We're not hiding anything. We've specified exactly how to pool-hop (well, at least as long as the pool doesn't try to implement counter-hopping measures, there's some room for discussion there) and why it works. Some people have done it.

It should be emphasized that pools using a correct payout method (geometric, PPS, inter-round window) are completely immune to the effect.