A Bitcoin lecture, "The Hitchhiker's Guide to Bitcoin", has been scheduled for September 16, 19:00, in Google's Tel Aviv offices, Electra Tower, 98 Yigal Alon, Tel Aviv.

Details at http://www.meetup.com/bitcoin-il/events/137810212/.

Slides: https://docs.google.com/presentation/d/1lFkvJIq0Fwc9BUD6QahWUQELYF510SNhdzo5uC5NZT4/
Video: http://www.youtube.com/watch?v=gkYLLDtgkCk

Right, according to https://en.bitcoin.it/wiki/History Mtgox started on July 2010, half a year later.

A few days ago, a story was picked up by the media that Tradehill has partnered with the IAFCU. However, there seems to be no mention of this in Tradehill's official channels, the only evidence seems to be an email message that was supposedly sent by Tradehill to its customers.

And now we're hearing the relationship, along with any Bitcoin activity, has ended, again with nothing more than an email.

The whole thing sounds very fishy. Is this for real or a hoax?

I've had contact with him but I don't have faith in his plans. Unfortunately I cannot say more at the moment.

Well, for 6 block intervals you can use http://blockexplorer.com/q/nethash/6. 2nd field is Unix timestamp.

For reference, the time until 6 blocks are founds follows the Erlang distribution, with shape parameter 6.

Yeah, probably Satoshi was the only miner and he turned off his computer... Indeed, something very wrong with the network.

Better yet, where can we found tabular data of blocks and their vital data (e.g., timestamp and difficulty) from which this can easily be deduced? The closest to this I found was blockexplorer nethash, but the minimum allowed is steps of 5 blocks.

"Shortest interval" would be somewhat undefined since published timestamps don't have to be synchronized, you can have negative intervals.

As for longest, if 254508 blocks are distributed exponentially with mean 10 minutes, you'd expect the max to be 130 minutes.

That's virtually impossible unless there was something very wrong with the network. If it's distributed as usual the chance of that is one in a trillion trillions.

Bitcoin mining follows the Poisson process. Number of blocks in an interval follows the Poisson distribution.

10 minute average (slightly less when hashrate is increasing), actual time between blocks varies and follows the exponential distribution.

I've realized a potential vulnerability, not with multi-PPS specifically, but in general with smart miners in the variable block reward era.

Without having the entire block data, the pool cannot verify what is the total amount of transaction fees due for this block. The miner can create a generation transaction which does not correspond to any valid block, with a bogus quantity of transaction fees, to pump up the payout he gets from the pools.

To solve this, the node should digitally sign a message per block containing a complement branch, incomplete block header and total tx fees. (The same incomplete block can be used for all miners, which could simplify things.) The miner will deliver this signature to the pools together with shares, and the pool will trust the reputation of the node. The pool can also quiz the node to see that the underlying block exists.

The simplest method to quiz is to request the entire block. This however has a big communication and verification overhead. There are also some relatively simple statistical techniques that queries pieces of the block and has a good chance to detect significant cheating.

There may be more advanced statistical and cryptographic techniques to do the verification; for example, a technique called "Succinct computational integrity and privacy" allows proving that data with certain features exist by providing a short, easily verifiable authentication message. This way the node can prove the block it constructed exists, without much resource costs for the miner and pools.

You can gain a larger share of the reward, with the "lie in wait" withholding attack described in AoBPMRS and elsewhere.

Yes. The generation transaction can have as many outputs as it wants, as longs as their total value is at most new coins + tx fees. Some pools already make use of this fact, such as p2pool and eligius.

This doesn't sound right. I don't think the relay server exists. The miner's client software independently contacts the bitcoind node, and the various pools. A relay server that sits between the miner and pools (assuming that's what you meant) would just add latency and centralization.

You can use shares of difficulty other than 1 (which will be needed to reduce the load of both miners and pools). If need be, the pools can also track payouts in more precision and pay in batches.

The pools pay the miners. The way it could work is that on initial contact, the miner sends the pool his own payment address and his desired share difficulty, and the pool sends him an address which is matched in its database with these particular settings. As the pool gets shares which credit its address, it increases the balance of the miner's address, and when it is large enough it settles by sending a Bitcoin transaction to the miner's address.

It doesn't offer more protection, it offers just as much. But unlike block variance, which affects smaller pools more profoundly, block withholding affects pools in the same way so it is not a barrier of entry. If statistics show that 1% of blocks are withheld, pools can just add a fee of 1% of the expected value to compensate.

Actually, it does offer more protection in a few ways:
1. A pool can expect a wider range of miners (since all miners mine in all pools), so there will be less variability in withholding.
2. Pools will be smaller and more numerous, so there will be less incentive to do sabotage. Targeted sabotage will not work because the pool will demand a huge fee for a concentrated reward, and sabotaging all pools simultaneously isn't effective.
3. PPS is immune to lie in wait, so there is no direct profit from withholding.

tl; dr: Like Mine in multiple pools to reduce variance, but for PPS. I describe a system that allows enjoying the benefits of PPS without the downsides. In particular it can dissolve the problem of concentrating mining within a few pools. I believe this is what pooled mining will look like in the future; it's kind of a big deal.


There is a variety of mining pool reward methods. Among other things, they differ in the trade-off they choose between several performance metrics, or in other words, their position on the reward method triangle. In particular there is a spectrum of the amount of risk taken by the pool operator, from PPLNS where there is no risk to PPS where the risk is completely assumed by the operator. Higher-risk methods allow better variance and maturity time, but the operator will demand more fees to compensate for his risk.

Low-risk methods are popular now, but I don't believe they will stay with us forever. They are more complicated and it's difficult for miners to figure out exactly how much they should get and verify that they get it, which has given rise to a vigilant neighbourhood pool watch. That is fine if the complication is necessary, but as I intend to show, it is not; we can have a well-performing system with the pure simplicity of PPS. Furthermore, low-risk methods were designed with a constant block reward in mind. Going forward, the coinbase reward will be negligible, and the reward will consist completely of transaction fees, which are variable as more transactions are added or placed in published blocks. The methods can be adapted to remain hopping-proof even in this scenario, but they then no longer pose zero risk for the operator. These methods will look so much like PPS that we may as well just go with PPS.


For understanding the problem that I'd like to solve for PPS, it is illustrative to consider the no-risk methods (such as PPLNS) a bit more. With a choice of parameter, we can determine the trade-off between variance, the difference between what miners get in practice and what they should expect on average, and maturity time, the time it takes until miners get their payments. You can improve one at the cost of the other, but the only way to improve both is to have a bigger pool. A big pool can offer better performance to its miners, causing a "the rich get richer, the poor get poorer" effect - miners will flock towards the biggest pools, making them even bigger and resulting in most of the hashrate concentrated in a few large pools. This is very bad for the Bitcoin network health, as it makes it easier to maliciously obtain majority hashrate to attack the network with double spends, transaction denial of service and so on.

I have offered a solution to this in Mine in multiple pools to reduce variance - mining with several pools simultaneously, splitting your hashrate in proportion to the size of each pool. This allows enjoying performance equivalent to a pool of the combined size of all pools, which is better than any single pool, however large; and the macroscopic effect of pursuing the best performance is maintaining the current size distribution, so pools can compete on their fundamental merits and small pools are still attractive.

But as mentioned, I don't believe PPLNS is long for this world, and a similar problem exists for PPS which this doesn't solve. In Analysis of Bitcoin Pooled Mining Reward Systems (appendix "Safety nets for PPS pools"), I analyzed the requirements for a PPS pool to minimize its chance of bankruptcy. For every share submitted to a pool, there is a chance of p to find a block, in which case the pool gets a block reward of B; this means the expectation of the pool's reward per share is pB, and the variance is pB^2. We will denote the ratio between variance and expectation by t; in this case t=B. I have shown that the probability of bankruptcy is exp (-2fR/t), where f is the pool's fee and R is the pool's reserve. This means that to function normally (and without exhorbitant fees) the pool must have a fairly large reserve - agents without sufficient capital are out of this game.

Another way to look at this, different from probabilities of bankruptcy, is considering the expectation of a utility function logarithmic in net worth. If the pool's current net worth is R, then its gain from a reward of expectation E and variance V is roughly E-V/R. The variance creates an additional cost which the pool must compensate with a fee. The minimal fee must satisfy fE=V/R, or f = (V/E)/R = t/R. Bigger pools, owned by an agent with a higher net worth, are less sensitive to risk and can afford lower fees, again pushing out smaller agents.

Having miners split their hashrate among several PPS pools is completely useless for combating this. For every share the pool does get, the expected reward is still pB and the variance is still pB^2, meaning f = B/R, which is still high unless R is large. Changing the share difficulty also has no effect.


To explain my proposed solution, it is necessary to understand the concept of smart miners, also known as split pools. In traditional pools, the pool serves two roles, a network node that builds blocks and assigns work, and an insurance agent that reduces the variance of miners.

However, these two agents needn't be the same. A smart miner contacts separately a node that assigns work, and an insurance agent to smooth out payments. (I will refer to such insurance agents as "pools" as they are the more important component of traditional pools.) The pool gives the miner a Bitcoin address to which it wishes to collect block rewards. The node builds a block with all transactions but the generation transaction, and gives the miner a block header (without Merkle root and nonce) and a "complement branch", a set of hashes (the number of which is the depth of the tree, logarithmic in number of transactions) which, combined with the generation transaction, leads to a Merkle branch going all the way to the root. The miner builds a generation transaction (with output going to the pool's address) and calculates the root; he then hashes with different nonces. If he finds a hash matching the share difficulty, he submits the Merkle branch and the header to the pool; if he finds a hash matching the block difficulty, he also submits it to the node to build a complete block and broadcast it.

For every share the miner submits to the pool, he is rewarded just like in traditional pools. The Merkle branch proves that he has done work which has probability p to result in a block giving the pool B, just like with any other pool. The node doesn't need to be big, just enough to be able to run a network node, so there can be many such nodes offering their services.

It can be asked, how does the pool know that the complete block which credits it will be broadcast if found, or that "the rest of the block" even exists and it is not just a random set of hashes. It doesn't; but this is no different than the current situation with block withholding attacks. The miner can't fake work or reuse work, so he has incentive to lie only in some edge cases; the node will typically be involved in finding several such blocks over its career (unlike a miner which might never find a block in his lifetime), so it can demonstrate its trustworthiness in actually building blocks and broadcasting them. There will always be some small percentage of withholding, but it can be assessed over time and be accounted for in fees.


So we've separated pools from building blocks, and in the case of PPS, the pool will pay out (1-f)pB for every share it gets, as it gives it a probability of p to get a reward of B. The problem still remains, how to reduce the risk of the pool. And the solution is simply to let the miner credit several different pools in his generation transaction. He collects addresses from several pools, and in the generation transaction he builds, he pays out b1 to pool1 1, b2 to pool 2 and so on, for a total of B. When he finds a share, he submits it to all pools; a pool that sees that it was credited with b, will pay him pb.

And here's the crux: A share has a probability of p to reward the pool with b, so the expected reward is pb and the variance is pb^2. The ratio is t=b, and since b<B, the ratio is better than before. If we have n pools, each with a net worth of R, with the naive method each would demand a fee of t/R = B/R. but if the miner splits the transaction between the pools, each has a ratio of b = B/n, meaning it is satisfied with a fee of t/R = B/(nR), an improvement by a factor of n.

More generally, PPS pools have traditionally taken a fee as a fraction of the expected gain, because there was no way to decouple it from the variance. But now we can, so the fee policy should be different. The value of a share to the pool is pb-pb^2/R, so that's exactly what it will pay for it - the fee will be pb^2/R. (I'm disregarding fees for the service itself, which should be quite low and are separate). This is the recommendation based on the pool's net worth, but of course the pool can choose a value of R how it sees fit regardless of what it considers its "net worth". Each pool will publish its fee policy; if there are pools of size R1, R2, ..., the miner can split the reward b1, b2, ... for a total fee of pb1^2/R1 + pb2^2/R2 + ... . It can be shown that the minimal fee is obtained when each bi is proportional to Ri, and then the total fee will be pB^2/(R1+R2+...), just like mining with a single huge pool with reserve equal to the total of all reserves.

And again, this allows every pool, however small, to participate; it will simply obtain a smaller portion of each block reward, so it doesn't get more risk than it can handle. There can come a point where a pool is so small that considering it isn't worth the resource cost of broadcasting messages; however, technology advancements will help push that limit. The total fee for a pool will likely have 3 components - risk fee, service fee and resource fee (proportional to b^2, b and 1 respectively).

And of course, all these negotiations between miner, pools and node are done in software, which can also track the number of found shares and easily compare the reward it should get with the reward in practice. The miner just plugs and plays, and can easily verify the results.

I used to call this arrangement by a variety of names, but I will now simply refer to it as "Multi-PPS".


Trivia: I do my best thinking while traveling, apparently. I invented DGM while sitting in a train. I invented multi-PPS while sitting in an airplane, thinking about the vision I wanted to present for the future of pooled mining in my talk, and realizing it was very different from what I originally thought. And the inspiration to write this down now, after 3 months of procrastination, also came while sitting in a train.

Casascius sells 0.5 BTC physical bitcoins which are about the right cost. You could also print out a paper wallet with some graphics at https://www.bitaddress.org/.

That's good advice, which is why I spend time writing lengthy OPs and engaging in discussion with commenters. As has been explained already,

We wait until they no longer refuse.

We continue waiting. Of course, this makes this unattractive to someone who believes it's likely it will take many years.

There needs to be an official, public indication that they're accepting Bitcoin donations (or a private statement that they'd like to use funds to research this possibility). This needn't necessarily be in the form of publishing a Bitcoin address, e.g. if they want to use a payment processor.

Think of situations and I'll clarify what will be done.

I'm very well known on here, and very trustworthy.

All due respect to John K but

1. Why do you think it is a good policy to trust a single person with everything? There are many people here with solid reputations, if you always go to the same person and he's sitting on 1000's of BTC, how sure are you his reputation is worth more than that?

2. Why would he even agree? In his usual escrow deals, he holds funds for a limited amount of time and takes a fee for it. Here he would hold funds for an indefinite period of time and get nothing for it - and it would be another liability in addition to all his others. I'm enthusiastic about starting the dialogue with Wikimedia and believe in the role of a pledge in this, so I'm willing to do it, despite all the risks and stress. Would he?

Anyway, after discussion with some people here I understand that the importance of the pledge is not as big as I originally thought, which is why I didn't push this further. But seeing that people are still hung up on this, I've contacted John to see if he's interested.

Why not? That's the most effective approach, so that's my plan.

If either
1. Wikipedia doesn't accept donations and I move the coins (to anything other than an agreed-upon new collection address)
2. Wikipedia accepts donations and I don't donate them.
For #1, it wouldn't be a very good scam if I'm holding coins and can never do anything with them. And I'm hoping it won't take long until they accept it.

יפה מאד!

אבל בשורה הראשונה ב"אם מנגנון תשלום עצמאי" צריך להיות "עם".

Probably not on Press (is it even on-topic here?), but several times elsewhere on the forum.

It's over 2 weeks old...

I think that "fair coin toss" undersells what this is. You can easily do a fair coin toss, the problem this solves is having the loser pay a predetermined amount to the winner without possibility of reneging.