Topic: A guide to how Provably Fair works. (Read 12402 times)

wow very nice, this info is good for gambler's

We are right now focussed on Ethereum blockchain for our platform. But our technology (covered by the pending patent) would apply to any blockchain including bitcoin which has a smart contract concept. Idea is to have entropy collection and subsequent random number generation be part of the smart contract code itself. The concept will apply to all turing complete blockchain.

I am reading your whitepaper and it actually seems interesting.

But it says that these are only offered on the Ethereum blockchain, is there anyway to get them to work on the Bitcoin blockchain or it won't be possible without smart contracts?

In the future when RSK is launched will it run on the bitcoin blockchain then?

We would not recommend block hash for scenarios where lottery payouts are huge. In scenarios like that its possible for miners to collude. Some companies are positing solutions such as random.org. Lottoken's position is that if miners can collude then external random number web services can collude or get compromised too if payout if high. That is Lottoken has patented a new unique approach to random number generation for such scenarios. We do not rely on any external web based random number generation services.

Yes I guess it is possible but this would only work for a specific block, what are the chances that the pool manages to find that block.

Also there is so much money involved in mining that I don't think they would get involved in this scenario to manipulate the end result.

You can also say that it will use the block hash but don't specificy which part of the block hash.

Block hash is prone to compromise by miners who can know the winner ahead of time. They will know the block and hence the hash before the result is announced.  That's why we invented our technology that no miner  can ever compromise.  When ran correctly, lotteries can have very fair odds.

Lotteries in my option, especially bitcoin type of lotteries should just be based on the block hash when the lottery expires.

Lets say there is a lottery that expires in 24 hours, they should just use the block hash of the block that is solved after 24 hours and use it to determine the winning number.

With lotteries there isn't much interest because most people just play dice which has a lower edge in the gamblers favour.

PS: Only issue with provably fair scheme is that it requires multiple phases of operation. It may work for games like blackjack which are in real time but it will not work for lotteries or raffles where people just buy a ticket and just wait for the draw. Requiring them to take part in something like a two phase commit may give you provable random but it just would turn off people.

At Lottoken.org that is why we purposely avoided this scheme. See our white paper. We believe we are the first ones to solve this problem. We would love to hear your feedback. We would greatly appreciate it.

All, great thread and discussion. We ran into the same problems and invented a patent-pending algorithm to solve it. Please visit us http://lottoken.org to learn more. Our white paper is at http://bit.ly/lottoken_wp.  We have even live contracts deployed for our platform.

It's fair in the sense that both the operator or website and the player have no direct control of the outcome. The chance of winning or losing applies on the games.

If you play a lottery type game with 1% chance of winning, and you lose almost all the time (or 99%) that's fair. The house edge is different from the fairness of the game, as that is one aspect where the casino makes money, but at least you know that from the beginning.

What is being talked about here is the unpredictability of random number generation but at the same time verifiable after the fact.

You may be right. I think there is nothing fair in the world of gambling. If anyone is saying this thing that he is playing a fair game, he is definitely telling alien then. Being fair and dealing, gambling are entirely opposite and are just like having inversely proportional relation in between them.

You have to understand how the proof works. When you do understand it and the variables, and how much control or influence you have over the results, then you know that is is fair. Provably fair. Your feelings at that point don't matter, because it's all math and numbers don't lie.

In the case of live dealers or live lotteries, ... it's like the analog equivalent of provably fair. What you feel here depends on how good the video is, or if there are camera tricks, or something. Trying to get a hash collision or rigging a provably fair game is much more difficult.

I don't know . Even if I read that it's probably fair and stuff and even if someone shows me all the proofs required even then I will feel that everything in rigged and it's not fair. I don't know , it's just a personal feeling

Excellent summary, thanks for the sharing!

What are you trying to do here? Why would you sum the digits of groups of characters from a hash?

And why use a=1, b=2 when a represents 10 and b represents 11?

I think you may as well just play randomly than think that your algorithm is helping you at all.

Why in the world did you bump this 4 year old thread. I actually remember reading this thread about 4 years back.

Someone really should start locking and archiving certain threads because they are irrelevent in some topics.

Assuming that the server seed has been taken from Blockchain entropy which is completely verifiable, is this PF with PR? The player can be presented the shuffled hash after each spin and can set his client seed before each spin.

Where would I get a provably fair system coded like this? For a dice game that rolls the sum of two six-sided dice?

That's a great guide TF.  Thanks.

Indeed. Setting up a service that is provably fair for both players and investors is rather tricky.

In the end though, you can't get around trusting the operator of the site if you're investing (and also if you're playing), because the operator might just as well run off with the coins.

The problem is that this solution, will significantly slow down the site, and now relies on two services or more. So it can work, but it will turn out to be very expensive later on.

If that is what is needed to make something provably fair, even for investors, it might work. But then people will have to trust that the two separate servers do not collude.

This might work for a slower game, for example, a card game where people take up to half a minute to think their next move. But again, it introduces a new variable that may deter either players (because they get impatient) or investors (because they have to trust two different people now.)

This problem is almost inevitable.

A potential solution involves using multiple servers controlled by different people to generate the result. Suppose I run a casino/dice-site and you are an investor. Both of us generate a server seed, publish its hash as usual, ask the client to input a client seed (and add a nonce for the number of bets made with this seed). I hash the result and instead of computing the outcome of the bet from this, I transmit the hash, the client seed and the nonce to your server where you hash it with your own server seed. This hash is then used to compute the final outcome.

In this scenario, I don't know your server seed, so I can't predict the outcome of my own rolls and vice versa. Both of us, as well as the client, can recreate the rolls after the server seeds have been published (and verify that they weren't tampered with using the hash that was published before).

I'm not entirely sure if this system is 100% watertight in this form as I didn't think it through very thoroughly, but it gives an indication of the added complications when there is an investor that doesn't necessarily trust the operator not the cheat (and vice-versa). This system is still workable with 1 or several large investors, but with a site like J-D, where anyone can invest, it's not applicable.

Alright, thank you very much.

If I am right there is one problem left: the house could always cheat himself because he knows the server seed. This is particularly an problem if you work with others people's investments.

Sounds good

I just responded 8 seconds before you, mind checking that post out? :-)

You need to use hashing and server / client seeds to determine the result.

Basically: both the server and player must be able to modify the result in an unpredictable way.

Let's see if I understand this completely:

So.. I should make an function that can repeat the results based on the input?

I first show the user our server seed hash, then I let the user generate an user seed (or set it for them).

For the roll I use the server seed (not the hash) and the user seed and the number of the bet since using this server seed. After the rolls I show the server seed and give them a functionality to input that server seed and user seed and roll number to verify the result again.
The user can verify the server seed by hashing it himself, since the chance of duplicate hashes is basicly zero

To make it uncheatable I generate a new server seed whenever the user wants to see the original seed (or change it once a day like said in the first post).

Yes, I agree there must be user part of entropy provided and function of interacting with server entropy disclosed to make sure it leads to unpredictable results.

I know.  And I pointed out a flaw in your answer.

Here's a game.  I'm going to pick numbers between 0 and 100.  You have to guess whether they are below 49.5 or above 50.5.  It has a 1% house edge.

To prove it's fair, using your system, I'm going to provide the hash of the set of numbers I preselected.

It's bcb708ddadd008c0d48a204f2c923c010ac0bbef22aa531b3e8d39bd20ae1fe1

Now play 5 times.

Oh, you lost every bet?  That was unlucky.

Here's the list I hashed, to prove I wasn't cheating:

$ echo -n '49.6 49.7 49.8 50.2 50.4' | sha256sum
bcb708ddadd008c0d48a204f2c923c010ac0bbef22aa531b3e8d39bd20ae1fe1  -

My point is that publishing a hash of numbers you have chosen unfairly doesn't prove fairness.  It just means you have to cheat before the user plays instead of during.

He is asking how to prove a fairless game lol - I answered

All you are proving there is that you picked the results early, and not during play.  It doesn't prove that you picked the fairly.  You could, for instance, have deliberately included long runs of high and low numbers in the result set in order to bust players who always pick the same result (hi or lo, say) and double their bet on loss.

To make it provably fair, allow the user to provide input that affects their results in a repeatable way but which they can't predict.

Create a way to:

1. Create a set of data your numbers picked from
2. Provide a cryptographic seal on that set - show its sha2 hash to customer before game to prove you will not change it
3. Run game
4. Show your original set to player along with its hash and provide open source script to replay all picked numbers on client PC

Well let's change scenario:

If you click play you have an 49.5% of doubling your money.

How can I prove it now?

Choose another game behavior. Heads and tails has 50% probability and zero house edge.

The main benefit of proven fair feature is to prove that house doesn't craft random items during game, but picks really random ones.

So in your case it would be "Provably cheat" game

Hi guys,

Let's say I want to make an heads or tails game, but only with a 49.5% chance to choose the right one (thus making it not a real heads or tails game, but for house edge).
Is it possible to proof I am doing this fair? I am still trying to get an grasp on this whole "provably fair" thing.

For chances I'd like to use the Chance.js (http://chancejs.com) library. I've run simulations and it's pretty accurate.

gives result:

Hi. Great post!

I can explain here caesarbit.eu provably fair implementation variant.

Each game starts from generating server and client seed numbers.

Server generating 50 random numbers and stores them in session providing SHA256 hash of this sequence to client before each game. Player may write down a hash to verify game fairness later. From now server can not change its random seed numbers, as hash will be broken.

Client browser doing the same using Javascript browser capabilities. Player also may write down a browser generated sequence to verify game fairness later.

When this two side random handshake complete, game starts. When server needs to pick a random number, it uses both server and client random number in sequence by doing bitwise XOR operation with two server/client numbers in sequence. Resulting number is used as seed for random engine and random number is picked using this seed.

After game player may visit seed logs for Blackjack or Roulettte and discover server seed sequence verifying its hash.

We provide open source php scripts which may replay all random items in game used particular seed: BlackJack PHP command line tool and Roulette PHP command line tool.

On this page player can find input data for particular game for these scripts. Script will show:
- Server seed
- Server seed hash (verify to written down before game)
- Client seed (verify to written down before game)

And then replays all random game items in sequence they appear in a game.

Thanks for the support. . . . .


Seriously though, I'm just using the words that should be used. It turns out that we still can't prove it, unfortunate as that may be. However it has to be better explained to people or they will call us marketing scams or something.

However, on this topic of using the same seed on multiple rolls, does this logic apply to the same seed (or the same group of seeds linked to each other) on cards games? For example, a 52 card deck that uses 52 different "card seeds" or "card secrets". If you reveal only the cards the player has, how "provable" or "probable" is it that all the other cards are rigged even if you can't see them?

If that question can be satisfied, then we have a partial solution to the poker issue (how to prove that mucked / discarded / folded cards are what they are, because only the original player knows them)... or I ask the other question "if the other player folded, does it matter that you don't know and can't prove what his cards are?"

psst, @dooglus, I made a thread specifically for poker, it's in the games sub-forum. Go there, I could use your input. Thanks.

Back to topic, what is a good level or high enough probability for us to consider as something provable? Certainly 2^16 is not enough, or 2^32 is still only 4 billion. Is 2^64 good enough? 2^80? 2^96? 2^112? Or do we "require" 2^128 at least?

My guess, is that we match what is considered "unbreakable" for the time being, which is 128 bit encryption as the minimum. Implementing something in Triple-DES at 112 bit, while not recommended is also "provably" unbreakable. DES was never cracked. It was simply brute-forced due to such a small key space.

Fortress you are not breaking laws you are helping peoples for good

Well... There are those people who were using Android Wallets that trusted Google's PRNG...

Also, some sites (like Just-Dice and CoinRoll) use the same seed on multiple rolls.  So you need to raise your probability of cheating to the N'th power, where N is the number of rolls with the seed.  The chance of breaking sha512 once is currently so close to zero as to be effectively zero.  Raise that to the 200,000th power (or however many rolls you made with your current JD seed pair) and it just gets silly how tiny the difference between "provably" and "probably" gets.

To put it in perspective, Just-Dice is "probably" fair in the same way as a person sending Bitcoins "probably" owns the private key and didn't just guess it.  Maybe he just got lucky and brute-forced the private key, but "probably" he didn't.

And this all reminds me, that there is no such thing as Provably Fair. This is actually Probably Fair. But the probability of being fair is very high or extremely high. Or the other way around, the probability of being unfair is very low, to the point it is almost negligible, for all practical intents and purposes.

Now, I'm maybe just nit picking on language and terminology used, but what odds do you consider Provably as opposed to just Probably? Is a 1:100,000,000,000,000 probability good enough? Because we can even use MD5 or SHA1 and no one will probably cheat. We can even use a 64 bit hash and the odds are still 1.8 * 10^19.

So, anyone using 256 bit hashes or higher (384 and 512) are overkill.

And I'm bumping this thread because I'm working on a provably fair poker game. Good luck to me.

1. Generate 10 billion 256-bit numbers. These are your transaction id hashes.
2. Generate 1 secret key of any length. This is your secret.
3. Hash those together using SHA-256 to get 10 billion 256-bit numbers.
4. Study the distribution of those 10 billion numbers.
5. For specific applications, use only the digits used, like for many dice games, the first 4 hex digits or 0 to 65536.

Alternatively

For number = 1 to 100,000,000,000  (one hundred billion numbers)
  print sha256(i)
Next number

The output should be uniformly distributed. Each pattern of output bits should be equally likely. The distribution from this study will essentially be your industry standard.

While this test does not illustrate it, it can be surmised from the purpose of SHA and from its proven history as a cryptographic primitive that the test would show uniform distribution for any classes of keys and any subset of its output bits. If it did not, this weakness would provide a way to identify collisions with less than brute-force effort.

SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the U.S. National Security Agency (NSA) and published in 2001 by the U.S. National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard.

In the United States the National Institute of Standards and Technology (NIST) plays the dual role of maintaining and furthering both commercial and scientific metrology.

Of course, 10 billion numbers or even 100 billion numbers does not prove anything. We need it to infinity for it to be a true mathematical proof.

However, even a normal person will say that if it talks like a duck, and quacks like a duck, 10 billion times in a row, perhaps we can consider that provably fair.

Bump

sorry, but your bold text has nothing to do with RNGs, if you want me to prove if 1+1 is equal 2 I can gave you the apples proof. but there's no mathematical formula that proves the entropy of a system, and that's what RNG is all about.

this reminds me of a dilbert strip:
http://www.random.org/analysis/dilbert.jpg


I understand that, for the regular user, any stamp from a renowned institute that proves the way that the random numbers are generated are fair maybe is a relief they aren't being cheated. But, while this doesn't happen, doing a little research you can use the common sense to see that they are using a fair way to determine the bet results.

I'm not taking this discussion further as in any discussion there are 3 viewpoints: your viewpoint, my viewpoint and the right viewpoint. Just keep in mind that we gave you a paper and statistics, and you only your opinion.

best regards

But >90% of the bets are not like that. SatoshiDice does not publish an ordered bet log as we do but as members like dooglus have shown it is easy to extract.

We are not statisticians ourselves but we did notice when running our own simulations that sha512_hmac(txid, secret) frequently produced large groupings of similar results, though despite this the number distribution evened out over a large enough sample size. 
We have noticed that our new improved RNG using sha512_hmac(txid, secret) and mersine twister produces this less often but it still does occur and the number distribution is still the same after a big enough sample size.

Its no secret that when we first started running simulations on our reimplementation of satoshidice's RNG we sampled our own wallets txids and kept trying secrets to see if any trended towards low or high, they do. Before your alarm bells start ringing you need to appreciate that as new data was added (new bet txids from players) the trends would often start correcting. Our own simulations using real data showed at best you could hope to gain another 1% edge.

It sounds like you are using a martingale system which is when you really notice these long losing streaks, if you suspect SatoshiDice is picking secrets that have trends of long losing streaks then apply the reverse martingale, thus turning any cheating into an advantage.

If specifically you feel that our casino may be cheating by doing this you could then play reverse dice where low numbers win, if we are attempted to trend to high, play Jackpot Dice where the high numbers win.

It really is in the best interest of a casino to set a reasonable house edge and use the best RNG they can, this is the safest way to a steady income.

Please refer to the following posts where I have already addressed the issue so you may better "compreend" everything:


As I have already expressed this in the most childish way possible so even an infant may understand: I am not the one that needs to prove they are NOT fair, they are the one needing to prove that they ARE fair, it hasn't been done once.




I think it is related to the dark side of anarchism whereas people begin to disregard technological advances and standards that have been established as a result of perfecting the systems and simply claim that these standards are a series of monopolized marketing schemes aiming at increasing profitability.

Basically the logic of fuck METAS, licensing, technological institutions that specialize in metrology, they are all greed seeking pigs, so we'll use a lava lamp as an RNG instead since we can do it better (and increase our own profits in the grand scheme of things).

This is the new dawn of cryptocurrency demagogism that, from their perspective, will ideally misguide fools, give themselves a piggyback ride on the economy and leave fools scratching their heads and blaming Bitcoins when they have hit rock bottom.

The sole fact that they haven't shown one bit of evidence just makes it painfully obvious to anyone who doesn't have urine in their circulation system. Stop showing us your right hand while giving us the ol' switch and grab, the true members of the community will still look at your other hand.

The problem occurs though when >90% of bets are like that for example. The house edge seems normal more or less but you were already predetermined to loose to a greater degree before even placing the bet,  this coupled with stealing from investors = success.

Very fair. It is the nature of random, try flipping a coin 10'000 times and see if you dont get 20 heads on a row.

thank you, I love when someone say I'm younger.


You say this a lot. so, can you explain me what exactly you mean by your "industries standards"?


http://en.wikipedia.org/wiki/Gambler%27s_fallacy


hmmmm, maybe my 15 years in the field wasn't enough to compreend the text. so, can you point me what I miss about that NIST (National Institute of Standards and Technology) paper?


and please, try to prove what you're saying because until now you just chitchatting

Way to take this argument to the level of name calling, what exactly makes you come to the conclusion it is 100% random if no statistical analysis has been done? What makes you think that it isn't weighed in one way or another? Just because it's hashes 2 times this possibility is somehow automatically eliminated?

Yes provably fair means that you are exposed to 100% pure random. It seems you prefer casinos that manipulate you into thinking that you are not losing while you actually lose.
Anyway, It is worthless arguing with you, because either you are 10 years old, completely stupid or be paid to lure innocent players to your cheating casino. I hope for you it's the first, because then there is still a chance you could grow yourself a brain to understand that 100% pure random is better than manipulation.

You two kids are hopeless but let me educate you a little, yes it is possible to prove that the bet result was generated using the transaction id, the secret key and whatnot but who guarantees even distribution across all numbers as it needs to be by the industries standards?

You could theoretically even have a proper house edge, just that you would have abnormally long "cold" periods and "hot" periods, if you bet 20 times in a row and loose every time and some else evens the house edge by winning 20 times it isn't very fair is it? Potentially house edge heightening, but at least you admit that you are a gullible sheep and posses no ability to read and comprehend text, so very brave of you  .

"big guy" LMAO. Actually provably fair proofs it on every single game. And even a below than average educated teenager could easily grasp it. So please don't count yourself as a "big guy".
Anyway, most people would not admit publicly that they do not understand how provably fair works. So, respect for admitting it. Still, now everyone knows that you are not very bright light, so to speak.

http://satoshiroulette.com/log.php?mode=BTC

For interest look at our log, you will see some winning and losing streaks there you are welcome to verify a snapshot of our results at any time.
We even offer on player request forcing out of band secret changes so they can verify a recent set of bets instead of waiting up to 24 hours.

It is also possible to modify our simulation so it reads in every txid in a bitcoin wallet and uses each one as its input to produce even more real world results.
If you are interested please let us know, as we said its in our best interest to reassure you of our legitimacy and put away your concerns.

You're wrong.

http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf

case closed

Thing yes provable fair has not been proven even once until today. Please educate yourself before replying to "big guys" talking okay buds?

You two are a joke, living proof of how gullible the masses are on a big scale, don't play at SRoulettes casino for all I care.

Also its far more effort that its worth, we want players to claim the jackpots. A big progressive jackpot won by a known member of the community vs a random anon is the best kind of advertising we get  

You could claim progressive bets, but the damage is minimal, because other players will that the progressive jackpot has gone down.

To make sure we are on the same page, you mean that the casino's earnings are not provable to investors due to easy manipulation and knowing secrets ahead of time.  
You would do this by creating a rawtx and checking its result, rinse and repeat until you have the required winning tx and then broadcast it.

This is completely true and something many SDICE. investors do not appreciate, comments were made before that they could simply run bots to attract investors prior to making their IPO.

We also could abuse this by using it to claim progressive jackpots or flooding our log with win statements to make it look more attractive to players. This would require much more work as our jackpots require you to hit a single number on a max bet thus increasing difficulty of 'mining' the correct sized txid.

This madmadmax guy wants to be cheated, so he is either a "simple mind" or more probably a paid shill. Actually he should use fiat money instead of Bitcoins because the fed has those wonderful statistics requires blind trust instead of being provably. But the fact that he seems to prefer Bitcoins tells us he actually knows the difference between provably and just telling fancy tales like the fed and his casino. Now if you combine those informations you end up knowing that he is a paid shill from one of those cheating casinos.

WTF?

SatoshiDICE is provably fair for your own games. Provably fair is not a magic bullet - it doesn't suddenly allow you to prove the house isn't making any bets, or that the house isn't cheating their shareholders, but that doesn't mean something is not fair.

And, wow, it's ridiculously easy to prove s.dice is provably fair.. get past secrets, generate random hashes ("txids"), repeat many times.

Here is a situation though, Satoshidice knows their own secret word ahead of time, thus they can submit bets to themselves as if they are the player, since they can potentially "be" the player and know the secret word ahead of time (since they are really Satoshidice) they can thus submit selective bets and raise the house edge to such a degree that no one of the investors would be getting a cent.

In the "real world" there is so much surveillance and protocols that casinos have to follow that claiming a person won a million dollars without it happening would be virtually impossible. Funny that so many people are defending their precious stock yet they fail to see and to point out this simple flaw while claiming some algorithms/blockchain protects them on the low level.

We can now establish who is right in the first argument: Me


Satoshidice claims it is "provably fair" but decides they will not prove that they are fair and so far it hasn't been proven once. Now I do understand your claim that they must not prove that they are fair to really be fair but then it's the argument of religion basically, if I hold my hand behind my back and claim I have a couple of pounds of diamonds in my hand I would be the one making the statement thus I would be the one needing proof (e.g. showing you the diamonds) and not you needing proof of me not having the diamonds in my hand behind my back in order to establish that they really are not there, since I have no initial proof of my statement it is disregarded.

Makes sense? Gox has everything to do with it since both of the companies are ran by teenagers that fail to employ the proper people to do a job they are unqualified to do out of pure greed.

We can now establish who is right in the second argument: Me



Interesting that the mainstream will roll with the established website despite the utter stupidity in doing so while such alternatives exist.

Always happy to help
Anything we can to do reassure players is in ours and the communities best interest.

Thanks for doing the simulation SRoulette

Hopefully a sample of 125'000'000 is sufficient

Our casino http://satoshiroulette.com/ certianly has, see the original thread here: https://bitcointalksearch.org/topic/satoshi-roulette-new-rng-147935
We did that recently in a thread when we upgraded our RNG to show the fairness and distribution over uneven numbers (ie 7).

huge simulation to check the distributions created by our provably fair algorithm:

Results:

As you can see it is very fair distribution.
We are happy to run any simulation a player requests or assist with getting the simulation script to work.

edit: the above is just from a ~3 minute run, I will let it run for the next ~24 hour and give an update on its results.

The quality numbers they are generated are not unknown. So that is a lie...

"Fair" means they don't cheat the player.  "Provable" means they can prove it.  There's no lying.


SatoshiDice has all their activity publicly available on the blockchain.  They have less opportunities to cheat their shareholders than any traditional online casino.  It would be trivial for a traditional casino to say "we had a high roller come and win a million dollars from us.  Sorry, no dividends this month".  How would the shareholders argue with that?

Gox and their DDoS has nothing to do with this, not even a little bit.

As of the moment no one has done that yet thus claiming "provable fair" isn't the most noble thing to do, some would even call it lying.

S Dice would have a unique opportunity to cheat their shareholders due to the nature of the Bitcoin network, it all comes down to the greed of the individual I think, Gox could have easily hired professional security guys, rent a CDN, buy a DDOS protecting router for that 3% is it that they pull? Instead they chose to lie to their users like a bunch of teenagers and deny a DDOS ever happened (according to what I've got they have admitted to it in the end), same thing with S Dice and most successful bitcoin casinos, gluttony.

The difference appears to be that traditional casinos can pay to get the stamp of approval from some body that says the random number generator they demonstrated to that body is good.  There's no way they can prove that they actually use that good random number generator when the public plays against them however.

With provably fair games the players can be sure that the algorithm that is used is the one that the casinos claim is used, because they can check the maths for themselves.

It's possible to run huge simulations to check the distributions created by the provably fair algorithms to see if there's any bias.  I don't know if anyone has done that.

And claiming that provably fair doesn't work because SatoshiDice can cheat to defraud their shareholders is disingenuous because any business can cheat its shareholders no matter what business they're in.  It's not like that is unique to provably fair casinos.

All provable fairness gives you is the assurance that the house isn't cheating the players.  And that's a lot.

Oh so you want standards of the industry where your win and loses are capped, come on dude, if you don't like it don't play. But this is fair, and can be prove. I will make a casino just for you where you only get 25% edge and the house gets 75% cause that is what slots are set too.

Have you read the rest of my post and comprehended my point though?


You just lost me there,

They are misrepresenting themselves to the gullible bitcointalk masses, the quality of the numbers generated is unknown, I rest my case.

The chance of it being fixed by say bitzino is 0% because of math. And you claim that it is lower in established casinos? LOL. If your point would be true it would also be possible to counterfeit bitcoins, spend coins from wallets without having the private key, and so on. Sorry, but it only shows that you have no clue about math and hashes.

It might work, it might even generate the house edge they claim, but it is unfair to the players that the numbers are not generated according to the standards of the industry, e.g. players could have "cold"/"hot" periods with S dice whereas players would loose 15 times in a row or win 15 times in a row. Same thing with other bitcoin casinos, nobody can guarantee how chaostic they are exactly. People need to start pulling their head out of their asses.

You clearly never been to a licensed casino, slots are the worst odds and how is 95% in a bitcoin casino less than a licensed casino?

S.Dice has certainly had losing months, and they can't do that and if you check up on that, so if they do it you can show the forum, but I doubt that. They have made millions and don't need to fix the bets, that would make them lose everyone that was using the site.

You can't do random numbers in computers hence why you need hash something can be random, like a chat, and it clearly works as you can see it working.

So you rather know that your gambling could have been fixed by the casino so for sure lose. Or would you rather have something that is as random as it gets, the software can't fix it to make sure you lose. I don't know what planet your from. Also why you have to name call? LMAO Does it in-power you in some way?

The chance of it being fixed by an established and licensed casino is much lower than ANY bitcoin casino.

S. Dice for example claim they have fair play, yet it is possible for them to submit selective bets since they know the secret word in advance and potentially steal from their investors. Okay not bad right? Wrong, nobody can vouch for the quality of the numbers that satoshidice generates and how random they are exactly, have they been certified by the Swiss Federal Office of Metrology (also known as METAS) and confirmed for quality number output that could compare to commercial RNGs such as Quantis? No? Didn't think so, it was certified by a bunch of smartasses on bitcointalk.

Using the (salted) hash of the chat as a seed is also a bad idea for various reasons, please leave it to the pros to generate quality random numbers, especially when it comes to gambling on virtual property, fund your project properly and hire a qualified person to do that work.

Seems to me that provable fairness gives the spotlight to crypto-charlatans, I would much rather trust my funds to large licensed casinos than a bunch of dorks hashing each other hashes in someones basement.

Bumpy

Qft! Provably fair should become the standard, not the exception. Bitcoin is an excellent gateway to achieve this.

Excellent summary of provably fair.
Keep on spreading the word so that eventually players avoid sites that prefer to manipulate/cheat.

Nice work Fortress.

BitVegas is a truly impressive project.

to ensure even number distribution we recommend using something similar to our provably fair RNG which is a a combination of hmac_sha512 + Mersine Twister:

BitVegas has an interesting take on this.  The multiplayer blackjack game takes the last thing each player said in the chat as the player seed, appending them all together.  So every player gets to influence the shuffle if they like.

That'd work too - site can still cheat if the bets are large enough and they mined the block themselves (or have a shady deal with a mining pool), but that attack is pretty implausible / unlikely (miners might observe the shares and see one that should have being a block but isn't)

Service generates secret, publishes it's hash. When all bets were made, service waits for next Bitcoin block and uses hash(secret_PLAINTEXT + block_hash) to determine the winner. Then makes available secret's plaintext to all players.

Add everyone's secret together?

This is only one method which can be used in multiplayer games (raffles and lotteries).
To prevent cheating from miners you should generate secret string and use combination of hash(secret + block_hash) to determine the winner.

I know some sites that use the block time as the seed to be hashed.

Not the best way to do provably fairness. When the block reward halves to 12.5 BTC, you better make sure there are no bets > 12.5 BTC otherwise mining pools can cheat by discarding blocks.

Another approach is to use hash of the next Bitcoin block, coming right after all bets were made.

You're playing a simple dice game, where the site generates a lucky number for each bet. The problem is, how do you know the site is generating random numbers fairly? How do you know they're not cheating or rigging the game? They could be secretly making you lose more often.

The solution: Provably Fair games.

Hashing

A hash is a message digest. It summarizes a message one way - you can't find out what the original message was from a hash, unless you brute force everything. Take "hello", the sha256 (an hashing algorithm) hash of that is "2cf24dba5fb0a30e[..]". Add a space to the end, "hello " and you get "5e3235a8346e5a4585f8c5[..]". So you can see changing a tiny part makes it completely different - random mapping.

The important part is hashes are one way, and are unpredictable. If I give you a hash of a very long string of numbers (say, 30 digits), you can't tell me what the original numbers are from the hash. (You actually theoretically can, by trying out all the numbers from 0000..00 to 9999..99, but it's implausible with a large search space).

Hashes are also tamper resistant. I can't find another number that gives the same hash. So you know I can't change my responses. (You actually can, it's called hash collisions, but the chances of that happening are 8.64e-78 which means it won't happen in real life for all intents and purposes.)

Provably Fairness

Let's say I run a blackjack game. [Ad: play blackjack on bitzino] I could provide a hash of the deck. But that only tells the player I haven't changed the deck after showing the hash, I could swapped cards in the deck beforehand. To solve this, the player needs to be able to influence the results of the deck. Here's where provably fairness comes in.

Outcome = hash(dealerSecret + playerSecret)

Outcome can be determined in any way, as long as it's public. Maybe first four pairs of numbers in the outcome are winning lotto numbers. Maybe first bit == 0 means heads, first bit == 1 means tails. Doesn't matter, because SHA256 is effectively a random mapping function.

The site hashes their randomly generated secret (they can generate it any way they wish, but if it is not random then the player will be able to beat the house and the site goes bankrupt) and shows it to the player. This way, the player knows the site isn't changing their secret after the player sends their secret to the site.

The dealer secret sometimes is hashed and presented before each play (eg bitZino, BitVegas), or it is generated well in advance - one secret for each day. The hashes of each day's secrets are published, and the actual secret is revealed after the day is over (so players can't cheat). This is used on sites like satoshiDICE.

For the player's secret, it could be generated in the browser via javascript, with an option for the player to specify it for themselves, or for blockchain games it uses the transaction ID. The transaction ID is just a hash of the transaction sent. The player needs to be able to change their secret (which you can do with transactions, by not sending a TX with a secret you don't like for some odd reason).

No player secrets

Some types of games don't need player secrets. They just need to hash their outcome and show you that before you play. Take coin flipping - IF you can bet on heads or tails. Sure, the site might have heads come up 55% of the time, but players will be able to perform statistical analysis and start betting on heads all the time and the house goes bankrupt. (Nitpick: Site can actually rig it, by giving heads more often if you bet more often on tails for example and vice versa, but that can be exploited with different bet amounts by the player -> site goes bankrupt)

Another example is minesweeper/minefield. Mines are predetermined. You choose which squares to dig. In either of those examples, you don't need to influence the result with a secret - you already are influencing the result by deciding which square to click or heads/tails to bet upon. So those sites are provably fair without requiring secrets exchange.