Topic: Introducing PevPot.com The Bitcoin Lottery (Read 12236 times)

As you can see on the top of pevpot.com or in https://bitcointalksearch.org/topic/m.13552611, draw #11 is the last draw. Ryan also told us in https://bitcointalksearch.org/topic/m.13601232 that the site has been bought and would be transfered to the new owners, but there is not much update on that.

PevPot Break for ATM 
I looking for #12 And #13 Without result 

Gimme a couple of years, I'll think of something. I'm kinda busy right now, I just got my CompTIA A+ certification. woot!


Eh... yah, that's something new. "Trustably" fair. I'm going to use that on my new game. You can trust there will always be a winner, just usually not you. hahahahahhaah!

You're not wrong, but you are kind of missing the point. It is slow *on purpose* so that the miner can't tell whether the block he just mined makes him win or lose, and so he can't cheat by withholding a block that makes him lose. By the time he figures out that his block makes him win it has already been orphaned, so he may as well just publish the block immediately and not try cheating the lottery.

It would be better if it was slow to figure out who won but very quick to verify the result, but nobody was able to come up with a way to do that, and so pevpot uses a calculation that is just as slow to verify as it is to run the first time.

The ideal algorithm would be:

a) slow to determine who won given a list of tickets and the mined block hash
b) quick to verify the winner given a list of tickets, the mined block hash, and the winner
c) deterministic, so that step a) always gives the same winner for the same inputs

It's not hard to find systems which give us any two of these three:

A+C: The current system has (a) and (c), but there's no quick verification step.

B+C: Just using the block hash gives us (b) and (c) - it's instant to verify, and deterministic, but step (a) is also instant and so the miner can cheat.

A+B: We can get (a) and (b) using some kind of proof-of-work algorithm. We search for a nonce such that sha256(blockhash+nonce) starts with 10 zeroes (or whatever difficulty is suitable), then use that new hash to determine the winner. It's slow to find such a nonce, and quick to verify that the nonce works, but it isn't deterministic. Lots of different nonces would work, and give different winners. We could insist that the nonce search starts at zero and works upwards, such that only the lowest such nonce is accepted, but then verification is no longer instant, since we have to replicate the whole proof of work to check that the given nonce is the lowest one that works.

Can you find a method that gives all three of (a), (b), and (c)? It shouldn't rely on any "server secret", since we have no way of knowing for sure that the server owner isn't also playing the game.


Re-read what you just said: that's provably fair unless it isn't... Using powerball numbers isn't provably fair - it is relying on the trust that whatever process they use to select balls isn't rigged. There's no proof that it isn't, and so the game is "trustably" fair, not provably fair.

That is funny. I read your previous post, and was just about to reply to clarify *why* using N and N+1 is equivalent to only using N+1 but I thought I should read to the end of the thread in case anyone else had already done so. Then I saw this, and it made me laugh out loud.

Now I'll read to the end of the thread...

Ok. Makes more sense. I was trying to get around the computation part for more than 30 minutes. That's "hard". Not a problem for a once a week game, or even a daily game, but it does mean you have to set aside processing this. This is slow to compute AND slow to verify (please correct me if I'm wrong.)

My 64 blocks was just a theme thing; I don't even have to do it more than once, but I guess people can just look back a couple of days ago to verify. It's understandably more complicated, but I'm not sure that has any impact on the game itself. (People regularly play on non-provably fair casinos.)

The hash chain as a service is an idea, but it relies on the service being available. I had a lotto 3 years ago (which didn't even have its own website, not really anyway), it used secrets from other sites, and at least the little-bit-at-a-time has a secret revealed every hour, and random.org is a completely unrelated site with no connection to crypto. A poor man's version is a secret from another popular site that can be revealed on demand.

I'd like to avoid that. The problem was I was using SatoshiDice secrets, and they were always delayed by an hour or two. The others were published on time a minute after midnight UTC.

The only other way is a server secret, such as the hash chain, combined with a block hash. But that leaves the remote possibility of the owner colluding with a miner, or the owner is a large miner. I argue if the issue is trust, people would not deposit coins, but as has been pointed out, this remote possibility is, well, possible.

I'd also like to avoid external secrets, meaning "real life" secrets. These include actual lottery results from maybe Mega Millions or Powerball. (Although that certainly makes it provably fair, as no way would anyone know the Powerball results before the draw, unless all the balls were rigged.)

I am pretty bad at explaining things, but I'll try before Dooglus replies and makes me look like a babbling toddler.


What is the attack if you just use a single bitcoin block hash?

A miner can construct a function, f  which tells it whether or not it should broadcast the block that it just mined. It might look something like this:


So now, lets say we use 2 hashes, instead of just one. Well, now a miner just needs to make a miner-code adjustment (this generalizes to any amount of previous hashes)

and it has absolutely zero impact on their ability to pull off the same attack.


Ok, so now let's use the block-stretching scheme, that pevpot uses. Well a miner can construct the same function:

but the difference is the function takes an hour to run! This means they can't broadcast the just mined block for an hour. And when you have the new unbroadcasted blockchain tip, time is money. Because loosing the block-race (which you probably will) will cost you a fair bit (and during the time the block is stretching, you'll have to mine on the probably-orphaned chain, adding to the cost of failure)


Make sense?

(Also the winner of draw #11 has been paid out, I just never updated the webpage)


If you use block N and N+1 to generate the result, that has the exact security equivalence of just using block N+1. iirc I think I brought this up with you before about your site, which combines 64 bitcoin block hashes; it's functionally equivalent to using a single bitcoin block hash, except now you're just dragging around a lot of complexity for nothing.


One of the key goals of provably fair, is to make it as simple as possible to verify.

Question: What if you use 2 or 3 consecutive blocks as the basis for the winning hash?

Advantage: No need to do 1 million bcrypt or pbkdf calculations quick to verify; unlikely for a single miner to mine 2 blocks in a row. You only wait an average of 20 minutes to find out if your block could have lost, but then it's too late for the miner.
Disadvantage: Waiting time. You pick 2 blocks AFTER the end of the round, and you also probably wait 6 blocks after that, for a total of 8 blocks. (The 6 confirms is needed so the 2 blocks are probably not orphaned and part of the blockchain.)

You could also keep a server seed secret, and it could be generated like moneypot's canonical hash chain or that 64 hash thing in another thread.

I believe we have the recipe for another raffle or lottery style game (and it's all here in this post), I just don't have the budget to do it (not unless someone buys my site.)

Someone purchased the site from ryan and will continue the site as if nothing changes but ryan doesnt know who the new owner is either. Well if you are comfortable with it just keep on playing on the site though every risk is on your own. Kinda weird the new owner doesnt even make a new pevpot thread

It reads "Draw #11 will be the last draw. Please do not deposit money after the draw ends, or sponsor further draws. =) See: bitcointalk for more details."

and Draw #12 is running

This can always happen. This is almost exactly the same as CSGOjackpot, sweetstakes.tf, and all the other variants. I'm a regular player on these sites, and ive seen firsthand people winning thousand dollar items with their twelve cent item

Cowbay's won before though, so lucky, lucky him. I've played in pots before, but not necessarially bitcoin pots, but CSGO and TF2 pots. I always seem to lose those.

Hehe I guess you must be feeling very disappointed now. I mean, losing a lottery is one thing, losing a lottery when you thought you have won is another thing.

*whew* apparently I was disgusted for nothing

Guess I did something wrong in my calculations

Yeh, I calculated the same winner yesterday.

Also this is the winner I got:

https://www.pevpot.com/draws/11

(which doens't seem to be cowbay)

Anyone want to verify?

Sorry, was out all day and forgot about the lotto. I'm running the verification now.


To be honest, I don't know the guy. I had already released the code, and someone approached me for what basically amounts to the domain. I was originally going to keep the domain, just to avoid confusion. But it's hard to say no to free hundreds of dollars, so sold it is (I've already been paid).



No, it's not. But he (and everyone else) has access to the code, so who knows what will happen


lol thanks =) But what can I say, I've got a short attention span. I think pevpot was my 5th bitcoin project, but my last bitcoin project for a while. I have some ideas for bitcoin projects I'd like to do, but feeling a bit burnout and disillusioned with  the general bitcoin community at the moment Right now I'm taking a break with running bustabit and working on something totally unrelated to bitcoin or gambling 

TBH I am pretty sure I calculated a different result yesterday, but I didn't have much time and it was late, so I might have made some silly mistake.

Will see what Ryan comes up with :X